Custom authorizations in Web.API

c# asp.net-mvc asp.net-web-api authorization
tom picture tom · Mar 1, 2013 · Viewed 28.2k times · Source

My understanding of ASP.NET MVC is that for authorizations I should use something like - 

public class IPAuthorize : AuthorizeAttribute {

protected override bool AuthorizeCore(HttpContextBase httpContext) {
    //figure out if the ip is authorized 
    //and return true or false
}

But in Web API, there is no AuthorizeCore(..).

There is OnAuthorization(..) and the general advice for MVC is not to use OnAuthorization(..).

What should I use for custom authorizations in Web API?

Answer

leastprivilege picture leastprivilege · Mar 1, 2013

Authorization is done in an authorization filter - that mean you derive from System.Web.Http.AuthorizeAttribute and implement the IsAuthorized method.

You don't implement authorization in a normal action filter because they run later in the pipeline than authorization filters.

You also don't implement authentication in a filter (like parsing a JWT) - this is done even earlier in an extensibility point called MessageHandler.

Related questions

How to return a file (FileContentResult) in ASP.NET WebAPI

In a regular MVC controller, we can output pdf with a FileContentResult. public FileContentResult Test(TestViewModel vm) { var stream = new MemoryStream(); //... add content to the stream. return File(stream.GetBuffer(), "application/pdf", "test.pdf"); } But how can we change it …

Read More
How to secure an ASP.NET Web API

I want to build a RESTful web service using ASP.NET Web API that third-party developers will use to access my application's data. I've read quite a lot about OAuth and it seems to be the standard, but finding a …

Read More
How to add and get Header values in WebApi

I need to create a POST method in WebApi so I can send data from application to WebApi method. I'm not able to get header value. Here I have added header values in the application: using (var client = new WebClient()) { // …

Read More