0

I'm working on an ASP.NET Core MVC application and I want to be able to better handle what happens when an unauthenticated user runs an action through AJAX.

I found this solution that essentially extends the Authorize attribute's logic and sets an AJAX request's status code to 401 when user is no longer authenticated. The status code is returned to a global AJAX error handler and the appropriate action can be performed.

I'm trying to create the attribute in Core 3.1 but I cannot find a way to first run the base logic of the filter. base.OnAuthorization method is not there. I specifically don't want to rewrite the Authorize attribute's functionality - only to extend it.

How can I extend the Authorize attribute's logic in Core 3.1?

The authorize attribute I'm writing:

public class AuthorizeUserAttribute : AuthorizeAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        base.OnAuthorization(context); //method does not exist
        OnAjaxAuthorization(context);
    }

    internal void OnAjaxAuthorization(AuthorizationFilterContext context)
    {
        if (context.HttpContext.User.Identity.IsAuthenticated == false)
        {
            if (context.HttpContext.Request.IsAjaxRequest())
            {
                context.HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            }
        }
    }
}

Just as a side note, I was thinking of writing a ActionFilterAttribute to run the additional code instead, but I can't do that because the Authorize attribute always runs first.

marc_s
  • 732,580
  • 175
  • 1,330
  • 1,459
Lukas
  • 1,699
  • 1
  • 16
  • 49
  • The OnAuthorization is not defined, try to remove it. And why not use the method of accepted solutions? – Zhi Lv Oct 28 '21 at 08:55
  • I understand it's not defined but I'm wondering is there any other way to run the base logic of the `Authorize` attribute so I can extend it? As for the accepted answer, I guess it's the same issue. I'm not sure how to get it working with Core 3.1. I try to add the attribute but it just gets skipped. – Lukas Oct 28 '21 at 16:46
  • The link you provided applies to traditional Asp.net MVC application, instead of Asp.net core 3.1. And in asp.net core there doesn't have the ISAjaxRequest() method, to check whether the request is call through the Ajax method, you can add a custom property in the request header or requese body, and set it as “IsAjaxRequired”. In the custom authorization attribute, you can get this property and check whether the request is a Ajax request or not, then do something. – Zhi Lv Nov 04 '21 at 08:45
  • In asp.net core 3.1 application to create custom Authorization attributes, you can check the following links: [Link 1](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-5.0#custom-authorization-attributes), [Link 2](https://stackoverflow.com/questions/31464359/how-do-you-create-a-custom-authorizeattribute-in-asp-net-core) and [link 3](https://www.c-sharpcorner.com/article/how-to-override-customauthorization-class-in-net-core/) – Zhi Lv Nov 04 '21 at 08:45

0 Answers0