0

I have a code written by an external programmer. The project is a WebApi. I don't know how the authorization happens. An attribute above my controller method makes this happen I think. But I don't understand how the authorization actually happens. Example of a controller method:

    [HttpGet]
    [Route("organizationunits/{entity}/{type}")]
    [MDLAuthorize(Actions.Read)]
    public async Task<IHttpActionResult> GetEntities(string entity, string type)
    {//some code}

The MDLAuthorize attribute specifies a method. And I think somehow the IsAuthorized method is called.

public class MDLAuthorize : AuthorizeAttribute
{
    private string _action;

    public MDLAuthorize(string action)
        : base()
    {
        _action = action;
    }

    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        try
        {
            if (String.IsNullOrEmpty(_action))
                return false;

            var baseAuthorized = base.IsAuthorized(actionContext);

            string activity = actionContext.ActionDescriptor.ControllerDescriptor.ControllerName;
            if (actionContext.RequestContext.Principal == null ||
                actionContext.RequestContext.Principal.Identity == null)
            {
                //no principal, no fun.
                return false;
            }
            else
            {
                string username = actionContext.RequestContext.Principal.Identity.Name;
                bool isAuthorized = Security.HasPermission(username, activity, _action);
                return isAuthorized;
            }
        }
        catch (Exception ex)
        {
            MDLApiLog.Error(ex);
            return false;
        }
    }
}

I don't know if needed for my question, but this is the AuthorizeAttribute class

    //
// Summary:
//     Specifies the authorization filter that verifies the request's System.Security.Principal.IPrincipal.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : AuthorizationFilterAttribute
{
    //
    // Summary:
    //     Initializes a new instance of the System.Web.Http.AuthorizeAttribute class.
    public AuthorizeAttribute();

    //
    // Summary:
    //     Gets or sets the authorized roles.
    //
    // Returns:
    //     The roles string.
    public string Roles { get; set; }
    //
    // Summary:
    //     Gets a unique identifier for this attribute.
    //
    // Returns:
    //     A unique identifier for this attribute.
    public override object TypeId { get; }
    //
    // Summary:
    //     Gets or sets the authorized users.
    //
    // Returns:
    //     The users string.
    public string Users { get; set; }

    //
    // Summary:
    //     Calls when an action is being authorized.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    //
    // Exceptions:
    //   T:System.ArgumentNullException:
    //     The context parameter is null.
    public override void OnAuthorization(HttpActionContext actionContext);
    //
    // Summary:
    //     Processes requests that fail authorization.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    protected virtual void HandleUnauthorizedRequest(HttpActionContext actionContext);
    //
    // Summary:
    //     Indicates whether the specified control is authorized.
    //
    // Parameters:
    //   actionContext:
    //     The context.
    //
    // Returns:
    //     true if the control is authorized; otherwise, false.
    protected virtual bool IsAuthorized(HttpActionContext actionContext);
}
Improve this question
1
  • 1
    yes, the Authorize attribute causes the method to be called. If the user is authorized only then the call to the webapi's method would be executed otherwise the HTTP unauthorized code would be returned to the client Commented Apr 27, 2016 at 10:08

1 Answer 1

Reset to default
1

Any attribute that inherits AuthorizeAttribute will have its IsAuthorized() method invoked at the time of the request. The body of that method in your derived attribute is using the Security.HasPermission() method to check if the user is able to perform that operation.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Thanks for your answer. How come the 'IsAuthorized()' method is automatically invoked. And do you mean it's invoked when the Authorize attribute is called?
AuthorizeAttribute itself derives from AuthorizationFilter. These filters are invoked at request time in MVC - it is simply inherent to the framework.
alright, I think I will look into MVC ;). Thanks for your answers!

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.