I have an MVC application with a Web API controller in it.

When a user is authenticated, he has access to all MVC [Authorize] controller actions in the application. But for some reason, when I set the [Authorize] attribute on a Web API controller that is located in my application, authenticated users can't access these Web API actions; the server returns 401 Unauthorized.

    [Authorize]
    public class FilesController : ApiController

By researching, I found out that the [Authorize] attribute for Web API is actually System.Web.Http.AuthorizeAttribute, and for an MVC controller it is System.Web.Mvc.AuthorizeAttribute.

Is there any way to set up the application so that if a user is authorized at the MVC controller level, he will be authorized for Web API too?

I tried to change the Web API attribute to [System.Web.Mvc.Authorize], but it does not seem to be working.

Looks like I have to do something similar to this using this library. Do you have any ideas?

Sergino

1 Answer

I do not see a good way to put filters for authentication/authorization in MVC and Web API into a single filter because they have very different behaviors. For an MVC request, when the user fails authorization, you want to redirect them to another page to either log on as another user or just let them know they do not have access to that page. For a Web API request, when the user fails authorization, you want to send an HTTP status code that indicates authorization failed and let the client handle it.

Abbas Galiyakotwala
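
The two failure behaviors described in the answer, as an added example that is not part of the original answer: one filter per framework, each overriding that framework's own `HandleUnauthorizedRequest`. The class names `MvcAuthorizeAttribute` and `ApiAuthorizeAttribute` are hypothetical, and the code assumes ASP.NET MVC 5 and Web API 2.

```csharp
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;

// Hypothetical name. MVC-side filter: the caller is a browser navigating pages.
public class MvcAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(
        System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but not permitted: answer 403 rather than sending
            // the user back to the login page.
            filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult(403);
            return;
        }

        // Not signed in: the default result is a 401, which forms/cookie
        // authentication converts into a redirect to the login page.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Hypothetical name. Web API-side filter: the caller is an HTTP client that
// should receive a status code and decide for itself what to do next.
public class ApiAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        bool signedIn = principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;

        // 401 = no valid credentials presented; 403 = identified but not allowed.
        var status = signedIn ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateErrorResponse(
            status, "Authorization has been denied for this request.");
    }
}
```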