asp.net-authorization

How to throw ForbiddenException in ASP.NET Core 2 Instead of using AccessDeniedPath

不羁岁月 submitted on 2019-12-06 04:32:05
I am working on an ASP.NET Core 2 web application. I am handling the Access Denied page for [Authorize (roles OR policies)] pages. By default, instead of showing the original URL and returning a 403 status, ASP.NET Core 2.0 redirects the request to an AccessDenied page with status 302 -> This is not what I want. Instead of redirecting to the AccessDenied page, I want ASP.NET Core to throw my custom ForbiddenException exception so I can handle unauthorized accesses like I do for unhandled exceptions. Here is my authentication configuration: services.AddAuthentication(options => { options

Custom Bearer Token Authorization for ASP.Net Core

混江龙づ霸主 submitted on 2019-12-05 23:04:36
Is this an acceptable implementation of a custom bearer token authorization mechanism? Authorization Attribute public class AuthorizeAttribute : TypeFilterAttribute { public AuthorizeAttribute(): base(typeof(AuthorizeActionFilter)){} } public class AuthorizeActionFilter : IAsyncActionFilter { private readonly IValidateBearerToken _authToken; public AuthorizeActionFilter(IValidateBearerToken authToken) { _authToken = authToken; } public async Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next) { const string AUTHKEY = "authorization"; var headers = context

Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture

孤街浪徒 submitted on 2019-12-04 04:56:05
I'm having a hard time deciding on an approach while implementing the Authentication/Authorization scenario for my Web API (Service) - MVC (client) architecture project. Even though I have implemented custom token-based authentication in the Web API project, I'm finding it hard to decide where exactly I should implement the authorization (in the Client or in the API itself). Architecture Overview : Projects Solution - | | __ ASP.NET Web API based REST service (Independently hosted on IIS at M/C 1) | | __ ASP.NET MVC based Client (independently hosted on IIS at M/C 2 Consuming REST service) | | __ Smart phone client

Url Authorization with MVC and ASP.NET Identity

﹥>﹥吖頭↗ submitted on 2019-12-03 08:58:45
Question: I want to secure specific folders and resources in my application that are outside of the routes for my MVC application. I want these resources to only be available to authenticated users (which role is not of consequence as long as they are authenticated). Initially it seemed that the UrlAuthorizationModule would be the answer. I followed this article, Understanding IIS 7.0 URL Authorization, and I can get the module to work in the sense that it responds to the configuration elements in

Url Authorization with MVC and ASP.NET Identity

可紊 submitted on 2019-12-03 00:31:23
I want to secure specific folders and resources in my application that are outside of the routes for my MVC application. I want these resources to only be available to authenticated users (which role is not of consequence as long as they are authenticated). Initially it seemed that the UrlAuthorizationModule would be the answer. I followed this article, Understanding IIS 7.0 URL Authorization, and I can get the module to work in the sense that it responds to the configuration elements in the web.config. My current problem is that I think it is enacting the rules based on the anonymous user

how authorization asp(mvc) project from controller?

廉价感情. submitted on 2019-12-02 16:38:32
Question: I'm new to ASP and I created a login page for my web project and I set up authentication, but I cannot set authorization for my project! I saw many links like this Authentication and Authorization in ASP.NET Web API but couldn't implement those in my own project. I don't know where I must start?! Thank you for your help! This is my controller: public class AuthenticationController : Controller { private modelLayOut mLO = new modelLayOut(); public bool existBool = false; // GET:

how authorization asp(mvc) project from controller?

无人久伴 submitted on 2019-12-02 11:33:52
I'm new to ASP and I created a login page for my web project and I set up authentication, but I cannot set authorization for my project! I saw many links like this Authentication and Authorization in ASP.NET Web API but couldn't implement those in my own project. I don't know where I must start?! Thank you for your help! This is my controller: public class AuthenticationController : Controller { private modelLayOut mLO = new modelLayOut(); public bool existBool = false; // GET: Authentication public ActionResult Index() { return View(); } public ActionResult applicantAuthentication()

Customized authorization attribute in MVC 4 with Roles

倾然丶 夕夏残阳落幕 submitted on 2019-11-30 16:45:32
I have created a customized role-based authorization attribute. My idea is that when a user with role name "employee" logs in, they should not be allowed to access the "admin" page through the URL. But when I implement the [MyRoleAuthorization] in the Employee controller and log in, the error says "This webpage has a redirect loop". This is the code for [MyRoleAuthorization]: public class MyRoleAuthorization : AuthorizeAttribute { string isAuthorized; private string AuthorizeUser(AuthorizationContext filterContext) { if (filterContext.RequestContext.HttpContext != null) { var context = filterContext.RequestContext

Customized authorization attribute in MVC 4 with Roles

安稳与你 submitted on 2019-11-30 00:02:43
Question: I have created a customized role-based authorization attribute. My idea is that when a user with role name "employee" logs in, they should not be allowed to access the "admin" page through the URL. But when I implement the [MyRoleAuthorization] in the Employee controller and log in, the error says "This webpage has a redirect loop". This is the code for [MyRoleAuthorization]: public class MyRoleAuthorization : AuthorizeAttribute { string isAuthorized; private string AuthorizeUser(AuthorizationContext filterContext)

How to specify root (/) location in web.config?

∥☆過路亽.° submitted on 2019-11-29 22:48:13
How does one specify the root location in web.config to allow unauthenticated users to access it? The root location is served by default.aspx, but users normally don't see default.aspx, they just see http://mysite.com/ . So I've added <location path="~/default.aspx"> <system.web> <authorization> <allow users="*"/> </authorization> </system.web> </location> which works if the user hits mysite.com/default.aspx, but if the user hits mysite.com/ - he is still redirected to the login page. I've tried <location path="~"> (does not help) and also <location path="~/">, <location path=""> (site fails completely) and