
I have an ASP.NET MVC website.

I don't really manage users, but I do a login to an external API and then I store a "ASPXFORMSAUTH" cookie.

It's a WCF service. In my controller, I call:

MyWcfServiceClient.Login()

In the AfterReceiveReply, I store the response of the service in a variable:

cookie = httpResponse.Headers[HttpResponseHeader.SetCookie];

Then, in the controller, I get this cookie and store it using:

Response.Cookies.Add(cookie);

I'm a beginner with ASP.NET MVC, but can I use the [Authorize] attribute to allow access to the controller's methods only if the request contains this cookie? And [AllowAnonymous] on the methods before the API login.

EDIT:

So it should work just by adding the [Authorize] attribute?

I'm calling the controller method using ajax, and the value of Request.Headers["Cookie"] is .ASPXAUTH=1D415AF723......

But I get the ajax error callback...

Am I missing something ?

user3544117
    That's exactly how the `AuthorizeAttribute` works. – James Aug 13 '14 at 08:17
  • What exact error are you getting? – Rob Aug 13 '14 at 08:35
  • 1
    Are you manually handling the authentication protocol here? Just re-reading your question you mention *"I do a login to an external API then I store a `ASPXFORMSAUTH` cookie"*. – James Aug 13 '14 at 08:37
  • 1
    Assuming you are using Forms Authentication here, unfortunately this doesn't cater for Ajax requests out of the box. The main problem being what you want is a `403` response from the server if you haven't authenticated yet but instead what you would get down is most likely a `302` and the login page. To get around this problem the general solution is to implement your own custom `AuthorizeAttribute` which handles ajax requests specifically - see this [example](http://stackoverflow.com/questions/5258721/authorize-attribute-and-jquery-ajax-in-asp-net-mvc#11085769) – James Aug 13 '14 at 08:48
  • Thanks. I'll try if it works without ajax and then implement the custom attribute. – user3544117 Aug 13 '14 at 08:53
  • In fact, if I'm not allowed to access the controller method, I want to have an ajax error. I don't need to redirect to a login page. But here, even if I did the login to my WCF service, I get the ajax error... There is something else wrong I think... – user3544117 Aug 13 '14 at 09:10
  • @James Do you have a blog or something? I also want to check how Authorize Attribute internally works. – Shad Jun 26 '23 at 15:45
  • 1
    @Shad I don't unfortunately, however luckily for you the .NET framework is [completely open source now](https://github.com/dotnet/aspnetcore/tree/main/src/Security/Authorization) so understanding how it works is a lot easier these days :) – James Jul 02 '23 at 15:49

2 Answers


[Authorize] will allow access to authorized users only.

You can either put it at the top of the controller so it applies to all actions on the controller, or in front of individual actions. It's more powerful than that, though, as you can allow only specific users or roles. Documentation here.

[AllowAnonymous] is used when you have added some sort of Authorize to the whole controller but want to allow access for everyone to one action on the controller. It's not required if the controller doesn't have an Authorize attribute on it. Example here. I think the default MVC account controller in Visual Studio uses this for password reset and login.

ShufflerShark
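The following controller, added here as an illustration and not part of the answer or of the asker's project, shows the attribute placement described above together with the cookie hand-off from the question. `MyWcfServiceClient.Login` is assumed to return the raw forms-ticket value captured in the asker's `AfterReceiveReply` inspector (the original call takes no arguments and its return type is not shown). Two assumptions matter for security: `[Authorize]` only admits the request if `FormsAuthenticationModule` can decrypt and validate the ticket, so the WCF service and this site must share the same `<machineKey>`, and the cookie should be re-issued as `HttpOnly` rather than by copying the remote `Set-Cookie` header verbatim.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical controller: every action requires an authenticated user
// except the login endpoint, which is marked [AllowAnonymous].
[Authorize]
public class AccountController : Controller
{
    [AllowAnonymous]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(string user, string password)
    {
        // Assumed wrapper around the asker's WCF client: returns the value of the
        // ".ASPXAUTH" cookie captured from the service's Set-Cookie header, or null.
        string ticketValue = MyWcfServiceClient.Login(user, password);
        if (string.IsNullOrEmpty(ticketValue))
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);

        // Sanity check before trusting the ticket: if this site cannot decrypt it,
        // the machineKey differs from the WCF service's and [Authorize] will always
        // reject the cookie, which is the symptom described in the question.
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(ticketValue);
        }
        catch (ArgumentException)
        {
            ticket = null;
        }
        if (ticket == null || ticket.Expired)
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);

        // Re-issue the ticket under this site's forms cookie name with hardened flags
        // instead of replaying the remote Set-Cookie header as-is.
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, ticketValue)
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL || Request.IsSecureConnection,
            Path = FormsAuthentication.FormsCookiePath,
            Expires = ticket.IsPersistent ? ticket.Expiration : DateTime.MinValue
        };
        Response.Cookies.Add(cookie);
        return Json(new { ok = true, user = ticket.Name });
    }

    // Inherits [Authorize] from the controller: reached only when the request
    // carries a ticket the FormsAuthenticationModule accepted.
    [HttpGet]
    public ActionResult Profile()
    {
        return Json(new { name = User.Identity.Name }, JsonRequestBehavior.AllowGet);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Logout()
    {
        FormsAuthentication.SignOut();   // clears the local cookie only
        return Json(new { ok = true });
    }
}
```

If `FormsAuthentication.Decrypt` fails on a ticket the WCF service just issued, fix the shared `<machineKey validationKey="..." decryptionKey="..."/>` in both web.config files before looking at the attribute; no amount of `[Authorize]` configuration will help while the module cannot read the cookie.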

I'm not fully sure, since I haven't tried it before. But if you set the correct cookies (the default ASPX auth cookie), the AuthorizeAttribute should prevent you from reaching the controller if you aren't authorized. Have you tried using the Authorize attribute on a controller and logging in using your external API? Because it might just work out of the box.

Another option is to extend the default attribute by making your own. See the following articles for more information about this.

Rob
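One way to extend the default attribute as this answer suggests, added here as an example rather than code from the answer or from any linked article: Forms Authentication turns an unauthorized request into a `302` to the login page, which a jQuery `$.ajax` call follows transparently and then reports as a parse error. The subclass below keeps that behaviour for normal navigation but answers `XMLHttpRequest` callers (identified by the `X-Requested-With` header that `Request.IsAjaxRequest()` checks) with `401` when the caller is not authenticated and `403` when it is authenticated but fails the role or user filter. `SuppressFormsAuthenticationRedirect` (available from .NET 4.5) stops `FormsAuthenticationModule` from rewriting the `401` back into a redirect.

```csharp
using System.Net;
using System.Web;
using System.Web.Mvc;

// Hypothetical subclass of the stock AuthorizeAttribute. Authentication and
// role checks are unchanged; only the failure response differs for Ajax callers.
public sealed class AjaxAwareAuthorizeAttribute : AuthorizeAttribute
{
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        if (!request.IsAjaxRequest())
        {
            // Browser navigation: keep the default 302 to the forms loginUrl.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // 401: no valid forms ticket at all.
        // 403: valid ticket, but the Users/Roles filter on the attribute rejected it.
        HttpStatusCode status = request.IsAuthenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;

        filterContext.Result = new HttpStatusCodeResult(status);

        // Without this, FormsAuthenticationModule rewrites a 401 into the usual
        // 302 during EndRequest and the client never sees the real status.
        filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
    }
}

// Usage: same placement rules as [Authorize]; [AllowAnonymous] still applies.
[AjaxAwareAuthorize]
public class ProfileController : Controller
{
    [HttpGet]
    public ActionResult Me()
    {
        return Json(new { name = User.Identity.Name }, JsonRequestBehavior.AllowGet);
    }

    [AjaxAwareAuthorize(Roles = "Admin")]   // authenticated non-admins get 403
    [HttpGet]
    public ActionResult Audit()
    {
        return Json(new { ok = true }, JsonRequestBehavior.AllowGet);
    }
}
```

With this in place the jQuery error callback receives `jqXHR.status === 401` or `403` and can prompt for login or show a permission error, instead of a `200` carrying the HTML of the login page.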