
Are there any possible security issues or pitfalls to, within a custom AuthorizeAttribute (registered globally), applying authorization based on the controller type and action being called?

e.g. (not real code)

string controllerFullName = _filterContext.ActionDescriptor.ControllerDescriptor.ControllerType.FullName;

// hypothetical helper: maps a controller type to the minimum role it requires
string minRequiredRole = GetControllerMinRequiredRole(controllerFullName);

// hypothetical helper: true if the user holds minRequiredRole or a higher role
if (User.MeetsRoleRequirement(minRequiredRole))
{
    // give access
}
else
{
    // no, you're not allowed
}
enamrik

1 Answer

The main issue is with Authorization caching - so there are a few things to know. Check out the links I've posted here:

Creating a AuthorizeAttribute - what do I need to know?

Look at the code of the existing attribute and how it handles caching to ensure you aren't causing the same issue the base attribute prevents.

Adam Tuliper
  • So what if I inherit from AuthorizeAttribute and call base.OnAuthorized? Would I still need to worry about the caching problem? (Right now I'm only overriding OnAuthorized to get hold of the AuthorizationContext. I don't know how to get the AuthorizationContext in AuthorizeCore since it's passed an HttpContextBase.) – enamrik Feb 10 '12 at 04:57
  • Here's an interesting snippet (see the cache portion): http://www.diaryofaninja.com/blog/2011/07/24/writing-your-own-custom-aspnet-mvc-authorize-attributes Are you using your own OnAuthorization? If so, then note what they do here. – Adam Tuliper Feb 10 '12 at 06:10
  • I'm not writing my own but inheriting from the default AuthorizeAttribute attribute. So it seems by calling base.OnAuthorized, I get the caching hack (it looks like the hack is part of the core AuthorizeAttribute class). It looks like I'm safe. Unless you have anything else to add, thanks for the answer. – enamrik Feb 10 '12 at 12:08
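The following is an added example, not code from the question, the answer, or the linked blog post. It shows one way to do what the question describes (pick the minimum role from the controller type inside a globally registered attribute) while keeping the output-cache protection the answer and comments refer to: the base AuthorizeAttribute.OnAuthorization, when AuthorizeCore succeeds, calls SetProxyMaxAge(0) and AddValidationCallback on the response cache so that an [OutputCache]d result is re-authorized on every request instead of being served from cache to whoever asks next. Overriding OnAuthorization without calling the base (or doing the whole check there) loses that callback. The example also handles the cache-hit path the comment thread raises: on a cache hit, AuthorizeCore is invoked from the base class's validation callback with only an HttpContextBase, before routing, so no AuthorizationContext or ActionDescriptor exists. The class name, the controller-to-role table, the role ladder, and the HttpContext.Items key are hypothetical; the base-class behaviour described is that of ASP.NET MVC 3 and later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical global filter: minimum role is chosen per controller type.
public sealed class ControllerRoleAuthorizeAttribute : AuthorizeAttribute
{
    // Per-request slot for the computed role. Filter attribute instances are
    // cached and shared across requests by MVC, so per-request state must never
    // live in an instance field of this class.
    private const string RequiredRoleItemKey = "ControllerRoleAuthorize.RequiredRole";

    // Hypothetical role ladder, least to most privileged.
    private static readonly string[] RoleLadder = { "User", "Editor", "Admin" };

    // Hypothetical mapping from controller type full name to minimum role.
    private static readonly Dictionary<string, string> MinRoleByController =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "MyApp.Controllers.HomeController", "User" },
            { "MyApp.Controllers.ArticlesController", "Editor" },
            { "MyApp.Controllers.AdminController", "Admin" },
        };

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        string controllerFullName =
            filterContext.ActionDescriptor.ControllerDescriptor.ControllerType.FullName;

        // Unmapped controller: fail closed by demanding the top of the ladder.
        string minRequiredRole;
        if (!MinRoleByController.TryGetValue(controllerFullName, out minRequiredRole))
            minRequiredRole = RoleLadder[RoleLadder.Length - 1];

        filterContext.HttpContext.Items[RequiredRoleItemKey] = minRequiredRole;

        // base.OnAuthorization calls AuthorizeCore and, on success, registers the
        // output-cache validation callback (SetProxyMaxAge(0) + AddValidationCallback)
        // so a cached action result is re-checked per request. Not calling it is
        // the caching pitfall the answer warns about.
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // On an output-cache hit this runs from the base class's validation
        // callback, before routing, so the Items entry set above does not exist.
        // Returning false there becomes HttpValidationStatus.IgnoreThisRequest:
        // the cached copy is bypassed and the request runs through the normal
        // pipeline (and OnAuthorization above). In the normal path, false = deny.
        object stored = httpContext.Items[RequiredRoleItemKey];
        if (stored == null) return false;

        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        return MeetsRoleRequirement(user, (string)stored);
    }

    // A user satisfies a minimum role if they hold that role or any role above it.
    private static bool MeetsRoleRequirement(IPrincipal user, string minRequiredRole)
    {
        int minIndex = Array.IndexOf(RoleLadder, minRequiredRole);
        if (minIndex < 0) return false; // unknown role name: deny

        for (int i = minIndex; i < RoleLadder.Length; i++)
        {
            if (user.IsInRole(RoleLadder[i])) return true;
        }
        return false;
    }
}

// Registration (hypothetical), e.g. in FilterConfig.RegisterGlobalFilters:
// filters.Add(new ControllerRoleAuthorizeAttribute());
```

The design choice worth noting is that AuthorizeCore fails closed whenever it cannot find the per-request role: in the cache-validation path that only costs a cache miss, whereas the alternative of storing the role in a field on the attribute would leak one request's decision into another because the same attribute instance serves every request.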