
I have a WebAPI controller that requires users to be authenticated and I'm using MS Identity 2.0 for authentication. The controller looks somewhat like this:

[Route("MyRoute")]
[Authorize]
[HttpPost]
public HttpResponseMessage Post([FromBody] string value)
{
  if (User.Identity.IsAuthenticated == true)
  {
     .... // normal handling of the request
  }
  else
  {
      return new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
  }
}

If I remove one of these options at a time, in both cases, when an unauthorized user calls the controller, it returns a Forbidden response. What's the difference between these two options, and is there one that's better than the other?

frenchie
  • I do not understand what you are asking. – Agent Shark May 18 '14 at 13:33
  • If I remove the [Authorize] attribute and leave the if (User.Identity.IsAuthenticated == true) condition, it returns Forbidden for unauthorized users. If I remove the if (User.Identity.IsAuthenticated == true) condition and leave the [Authorize] attribute it also returns Forbidden for unauthorized users. What's the difference between these two options? – frenchie May 18 '14 at 13:48

2 Answers

With an [Authorize] attribute, the authorization logic can be overridden with filters and will be located at a central location in code.

The

if (User.Identity.IsAuthenticated == true)
{
   .... 
}
else
{
    return new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden);
}

basically is the same as the default [Authorize] functionality, but you'll be repeating yourself over and over.

A technical detail though: the authorization filters ([Authorize]) are higher up in the pipeline, so a Forbidden there will be more efficient for your server.

see: http://www.dotnet-tricks.com/Tutorial/mvc/LYHK270114-Detailed-ASP.NET-MVC-Pipeline.html

Stefan

With the "Authorize" attribute you can centrally create your request filter for all your requests. It's easy to manage: if you want to use a different authentication provider like WebSecurity, then you just need to change one class instead of all your web APIs, like the following:

using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using WebMatrix.WebData; // WebSecurity lives here

// Note: this class deliberately reuses the name AuthorizeAttribute, so it shadows
// System.Web.Http.AuthorizeAttribute wherever this namespace is in scope.
[AttributeUsageAttribute(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public class AuthorizeAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        base.OnAuthorization(actionContext);

        // Check authentication and short-circuit the pipeline if not authorized
        if (actionContext != null)
        {
            if (!WebSecurity.IsAuthenticated)
            {
                // Setting Response here stops the action from being invoked at all
                actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                {
                    RequestMessage = actionContext.ControllerContext.Request
                };
                return;
            }
        }
    }
}
Chandrika Prajapati
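The following is an added example, not code from the question or from either answer. It puts the two points the answers make into one place: the "is the caller authenticated?" rule from the question's if/else is written once as an authorization filter (as Stefan's answer suggests), registered globally so every action is protected by default, and opted out of per action with [AllowAnonymous], with the check running before model binding and action invocation rather than inside the action. It assumes ASP.NET Web API 2 (System.Web.Http); the names RequireAuthenticatedUserAttribute, WebApiConfig and ValuesController are this example's own. It also makes the status-code distinction explicit: the framework's built-in [Authorize] answers an unauthenticated caller with 401 Unauthorized, and 403 Forbidden is the code for a caller who is authenticated but not permitted.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical filter for this example: one central authentication check that
// replaces the per-action if (User.Identity.IsAuthenticated) branch.
public sealed class RequireAuthenticatedUserAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // Honour [AllowAnonymous] on the action or the controller, as the built-in
        // AuthorizeAttribute does, so public endpoints opt out explicitly and visibly.
        bool anonymousAllowed =
            actionContext.ActionDescriptor.GetCustomAttributes<AllowAnonymousAttribute>().Any() ||
            actionContext.ControllerContext.ControllerDescriptor
                .GetCustomAttributes<AllowAnonymousAttribute>().Any();
        if (anonymousAllowed)
        {
            return;
        }

        IPrincipal principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            // 401: the caller has not authenticated. Assigning Response short-circuits
            // the pipeline, so the action body (and its model binding) never runs.
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        }
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Registered once: every action is authenticated-only unless it says otherwise.
        config.Filters.Add(new RequireAuthenticatedUserAttribute());
        config.MapHttpAttributeRoutes();
    }
}

[RoutePrefix("MyRoute")]
public class ValuesController : ApiController
{
    [Route("")]
    [HttpPost]
    public IHttpActionResult Post([FromBody] string value)
    {
        // No authentication branch here: the global filter already rejected
        // unauthenticated callers before this method was invoked.
        return Ok(value);
    }

    [Route("ping")]
    [HttpGet]
    [AllowAnonymous] // explicit, reviewable opt-out for a public endpoint
    public IHttpActionResult Ping()
    {
        return Ok("pong");
    }
}
```

Registering the filter in WebApiConfig.Register makes "authenticated by default" the property of the whole API rather than of each action; a forgotten [Authorize] on a new controller can no longer silently expose it, and an audit of public surface reduces to grepping for [AllowAnonymous].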