Custom Authorization filter in ASP.NET MVC 5?

后端 未结 4 752
盖世英雄少女心
盖世英雄少女心 2020-12-06 07:49

In ASP.NET MVC 5 we can use [Authorize] attribute to check authorization and limit access to some actions\\pages. I wonder how can I modify this attribu

相关标签:
4条回答
  • 2020-12-06 08:18

    Something like this? Create your own attribute and override the default with your own code.

    public class CustomAuthAttribute : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            base.OnAuthorization(filterContext);
    
            //your code here
        }
    }
    

    Then decorate your controllers/actions with [CustomAuthAttribute]

    0 讨论(0)
  • 2020-12-06 08:30

    You may implement a custom authorization for allowing anonymous browsing during a limited amount of time like this:

    public class AuthorizeAttributeWithAnonTimeoutAttribute : AuthorizeAttribute
    {
        public int? AnonymousMinutesTimeout { get; set; }
    
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            // Let default handling occurs
            base.OnAuthorization(filterContext);
    
            // If result is set, authorization has already been denied,
            // nothing more to do.
            if (filterContext.Result as HttpUnauthorizedResult != null)
                return;
    
            var isAnonAllowed = filterContext.ActionDescriptor.IsDefined(
                    typeof(AllowAnonymousAttribute), true) || 
                filterContext.ActionDescriptor.ControllerDescriptor.IsDefined(
                    typeof(AllowAnonymousAttribute), true);
            if (isAnonAllowed && AnonymousMinutesTimeout.HasValue &&
                // Not authorized
                !AuthorizeCore(filterContext.HttpContext))
            {
                const string visitStartCookieName = "visitStartCookie";
                const string visitStartDateFormat = "yyyyMMddhhmmss";
                var visitStartCookie = filterContext.HttpContext.Request
                    .Cookies[visitStartCookieName];
                var now = DateTime.UtcNow;
                DateTime visitStartDate;
                var visitStartCookieValid = visitStartCookie != null &&
                    DateTime.TryParseExact(visitStartCookie.Value,
                        visitStartDateFormat, null, DateTimeStyles.AssumeUniversal,
                        out visitStartDate);
                if (!visitStartCookieValid)
                {
                    visitStartDate = now;
                    filterContext.HttpContext.Response.Cookies.Add(
                        // Session cookie. (Need to set an expiry date if
                        // a "permanent" cookie is wished instead.)
                        new HttpCookie
                        {
                            Name = "visitStartCookie",
                            Value = now.ToString(visitStartDateFormat)
                        });
                }
                if (visitStartDate.AddMinutes(AnonymousMinutesTimeout.Value) < now)
                {
                    // Anonymous visit timed out
                    HandleUnauthorizedRequest(filterContext);
                    return;
                }
            }
        }
    }
    

    Then, use it as a global filter if it suits you, like this:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(
            new AuthorizeAttributeWithAnonTimeoutAttribute
            {
                // By example, 10 minutes
                AnonymousMinutesTimeout = 10
            });
        // Your other filters
        ...
    }
    

    And do not forget to decorate your controllers or actions with AllowAnonymousAttribute:

    [AllowAnonymous]
    public class YourController
    {
    }
    

    Or

    public class YourController
    {
        [AllowAnonymous]
        public ActionResult YourAction()
        {
        }
    }
    

    You may also put your custom authorize attribute directly on controllers or actions if defining it globally does not suit you:

    // By example, 10 minutes anonymous browsing allowed.
    [AuthorizeAttributeWithAnonTimeout(AnonymousMinutesTimeout = 10)]
    public class YourController
    {
    }
    

    Please note this implementation does not secure the anonymous timeout. A hacker may overcome it and browse anonymously as long as he wishes. Browser tools allow for cookie deletion, so it is easy to start with a fresh timeout.
    My example also just set a session cookie, which will be gone by closing/re-opening the browser. Of course using another browser or device will allow for another 10 minutes of usage.

    Securing an anonymous timeout is quite hard, since your user is anonymous. You may try to identify your anonymous users from their technical characteristics and then track their timeouts server side.
    But you will probably run into many issues: corporate users browsing with the same IP address, or switching between different IP because they do not have a single Internet connection, ...

    0 讨论(0)
  • 2020-12-06 08:30

    Below I have listed some examples that where and why to use AuthorizeAttribute

    1.Check authorization and limit access to actions.

    Example :
    
         // Restrict unauthorized access:       
         [Authorize]  
         public ActionResult YourActionView()  
         {  
           return View();  
         }  
    
    
        // Restrict by user:       
        [Authorize(Users = "prashant,lua")]  
            public ActionResult YourActionView()  
            {  
               return View();  
            }  
    
        // Restrict by role:
        [Authorize(Roles="Administrators")]
         public ActionResult YourActionView()  
            {  
               return View();  
            }  
    

    2.Check authorization and limit access to controller.

        // Restrict unauthorized access:       
        [Authorize]  
        public class ValuesController : ApiController
        {
        }
    
        // Restrict by user:
        [Authorize(Users="Prashant,Lua")]
        public class ValuesController : ApiController
        {
        }
    
       // Restrict by role:
       [Authorize(Roles="Administrators")]
       public class ValuesController : ApiController
       {
       }
    
    0 讨论(0)
  • 2020-12-06 08:36

    I think that the Authorize attribute is designed to facilitate the authorizing process. If you want to allow an anonymous user to view your site and block access after a while, consider some client side scripting.

    0 讨论(0)
提交回复
热议问题