14

I'am starting with Asp.Net Web API and here's my problem :

I implement a custom authorization filter to inspect my message header looking for an API Key. Based on this API Key, I retrieve my user and then I would like to see if he can have access to some resources. The resources ID I want to check is on the parameters of the HTTP request. But when I'am on the AuthorizationFilter method, the actions parameters list is empty.

How can I do that ?

If I used an ActionFilter in replacement of an authorization filter, how can I be sure that this will be the first filter executed ? And globally, how can I specify the executing order of filters ?

Last question, is it possible to add some data "on the pipe" that I could retrieve on any filter ? Something like a session store but limited to the request ?

Thanks for any response

Ben
  • 247
  • 1
  • 3
  • 15

2 Answers2

24

The authorization attributes run before parameter binding has run therefore you cannot (as you have seen) use the ActionArguments collection. Instead you will need to use the request uri for query parameters and route data for uri parameters as demonstrated below.

//request at http://localhost/api/foo/id?MyValue=1
public class MyAuthorizationAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        //will not work as parameter binding has not yet run
        object value;
        actionContext.ActionArguments.TryGetValue("id", out value);

        //Will get you the resource id assuming a default route like /api/foo/{id} 
        var routeData = actionContext.Request.GetRouteData();
        var myId = routeData.Values["id"] as string;

        //uri is still accessible so use this to get query params
        var queryString = HttpUtility.ParseQueryString(actionContext.Request.RequestUri.Query);
        var myQueryParam = queryString["MyValue"];

        //and so on
    }
}

About the execution order:

There are 3 different ways of specifying the execution order of filters using the FilterScope Enumeration... scope being Global, Controller and Action. The AuthoriseAttribute is "Global" and therefore it

Specifies an action before Controller.

If you needed to specify the execution order within these 3 scopes then you should read this blog article here where you will need to implement a FilterProvider

To add some data to the pipe:

Use the properties collection on the request this collection is available for the duration of the request.

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        actionContext.Request.Properties.Add("__MYKEY__","MyValue");

        //access this later in the controller or other action filters using
        var value = actionContext.Request.Properties["__MYKEY__"];

    }
Mark Jones
  • 12,156
  • 2
  • 50
  • 62
  • You can also get path parameter information from the RouteData. If memory serves me, it would something like Request.GetRouteData().Values; – Darrel Miller Apr 17 '13 at 11:29
  • @DarrelMiller, I just followed up on that idea and my harness doesn't seem to work that way. var routeData = actionContext.Request.GetRouteData(); var value = routeData.Values["MyValue"] as string; My routeData only contains the controller value. Let me know if you disagree and I will investigate further. – Mark Jones Apr 17 '13 at 11:37
  • Using first an authorization filter setting a value into request properties and then an action filter is working. Other information were useful too. Thanks for your help. – Ben Apr 17 '13 at 12:57
  • @MarkJones I just tried it with the default `/api/values/{id}` route and I was able to read `Id` from RouteData in the OnAuthorization event of an AuthorizeAttribute. – Darrel Miller Apr 17 '13 at 15:01
  • @DarrelMiller I thought the question was referring to query string params. Agree the Id would be available as you suggest though. – Mark Jones Apr 17 '13 at 16:17
  • @DarrelMiller that was me misreading the question. Sorry. I will update to clarify things. – Mark Jones Apr 17 '13 at 16:29
1

Another alternative to get to the parameters is to Execute the binding for the parameters.

try
{
    var binding = actionContext.ActionDescriptor.ActionBinding;
    var parameters = binding.ParameterBindings.OfType<ModelBinderParameterBinding>();
    var newBinding = new HttpActionBinding(actionContext.ActionDescriptor, parameters.ToArray());
    newBinding.ExecuteBindingAsync(actionContext, new CancellationToken());
    var id = actionContext.ActionArguments["id"] as string;
}
catch
{
    base.HandleUnauthorizedRequest(actionContext);
}

Note: You need to make sure you only filter on the parameters that will come from the Request URI, as I have noticed that executing the binding for any parameters that are expected to come from the Request body will no longer be passed on to the actual action. i.e. those parameters will be null.

This is just to note that you can do this, I'd recommend using GetRouteData()/RouteData as it is not likely to disrupt the further flow of ASP.NET MVC modelbinding.

var routeData = actionContext.ControllerContext.RouteData;
var id = routeData.Values["id"] as string;
Rudi
  • 3,124
  • 26
  • 35