authorize-attribute

I have a very simple scenario. I want to decorate my controllers/actions with a custom authorization attribute. Authorization should be granted if any of the attributes is valid. For example, [MyAuth(1)] [MyAuth(2)] public class MyController : Controller { ... } I cannot combine the parameters into a single authorization attribute. The above example is a simplified example, only. If either attribute authorizes the user, I want the user to be authorized. I assumed that ActionFilterAttribute or AuthorizeAttribute would have the means to see what other filters have been executed and are waiting

I am using ASP.NET MVC 4 Web application as a front-end for some WCF services. All the user log in/log out and session control is done on the back-end. MVC app should only store a single cookie with session ID. My client does not allow to use Forms Authentication, everything must be customized. I have set up the following in my web.config: <system.web> ... <authentication mode="None" /> </system.web> <system.webServer> <modules> ... <remove name="FormsAuthentication" /> ... </modules> </system.webServer> I have also a global filter: public class FilterConfig { public static void

Checking out the sample code from http://lukesampson.com/post/471548689/entering-and-exiting-https-with-asp-net-mvc written for ASP.NET MVC2, I noticed they can check if a custom attribute is applied to the current action or controller by accessing filterContext.ActionDescriptor and filterContext.ActionDescriptor.ControllerDescriptor respectively: public class ExitHttpsIfNotRequiredAttribute : FilterAttribute, IAuthorizationFilter { public void OnAuthorization(AuthorizationContext filterContext) { // snip // abort if a [RequireHttps] attribute is applied to controller or action if

My site is open to all but i have a controller with some method that only the manager with the user and password can enter. I'm saving the bool IsManager in a session . I would like to use the authorize attribute to block whom ever IsManager == false . First define an ActionFilter : public class TheFilter: ActionFilterAttribute { public override void OnActionExecuting(ActionExecutingContext filterContext) { var session = filterContext.HttpContext.Session; if ((bool?)session["IsManager"] == true) return; //Redirect him to somewhere. var redirectTarget = new RouteValueDictionary {{"action", "

So I've found bits and pieces that have enlightened me some on the [Authorize] tag, but nothing that solves my problem. My scenario is that I have Web Api methods that I want to hit with integration tests using RestSharp. However RestSharp is getting my login page, instead of the results of the call. [Authorize] public Item GetItem([FromBody] int id) { return service.GetItem(id); } The product uses a custom login system, and what I would REALLY like would be a way to disable the [Authorize] badge only for integration tests. However I read that you can allow anonymous users and it would

I have created two classes that implement AuthorizeAttribute . One is used globally, and I set it on the Global.asax.cs: filters.Add(new FirstAuthorizeAttribute() { Order = 0 }); The other is called SecondAuthorizeAttribute and it is used only in some action methods, and I use it as attribute in the methods I want. [HttpGet] [SecondAuthorize] public ActionResult LogOut() { FormsAuthentication.SignOut(); Session.Clear(); Session.Abandon(); return Redirect(Url.Content("~/")); } The problem is that SecondAuthorizeAttribute always execute before FirstAuthorizeAttribute , and I need this one to

In my WebAPI project, I have number of apis which are decorated with [Authorize] attribute. [Authorize] public HttpResponseMessage GetCustomers() { //my api } In case user doesn't have the right token, an access denied exception is returned to the user. But what I need is that in any such case, I need to return the custom response message as. { "StatusCode" : 403, "message": "You donot have sufficient permission" } How do I return this custom message in case authorization fails. Please note: I am using Owin - Token based authentication. I am not storing the access token in my database or