1

I have a custom Authorization attribute not getting called in my asp.net class and I can't tell what I'm missing.

My Attribute looks like this:

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class MyAuthorize : System.Web.Http.AuthorizeAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
      // ...
    }

    protected bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Logic here.
        return false;
    }
}

And I'm calling it from inside a WebService like so:

[WebService(Namespace = "http://something/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class AccessPoint : System.Web.Services.WebService
{
    [WebMethod]
    [MyAuthorize]
    public bool SomeWebMethod(int a)
    {
        //Do stuff
        return false;
    }
}

Each time I run it, it will fall right through and never trigger the attribute. FYI; I used System.Web.Http.AuthorizeAttribute because System.Web.Mvc.AuthorizeAttribute was telling me that AuthorizeAttribute did not exist.

punkysmurf
  • 21
  • 1
  • 4
  • 3
    System.Web.Http.AuthorizeAttribute is only used in WebApi controllers. It will be ignored in MVC and other services. What you have here is an XML Web Service, which is neither MVC or WebApi. See http://stackoverflow.com/a/36214224/61164 for information on securing legacy web services. – Erik Funkenbusch Apr 25 '17 at 19:35
  • Awesome, that's what I needed to know, thank you for setting me straight. – punkysmurf Apr 26 '17 at 15:35

1 Answers1

3

You seem to be making a terrible confusion here between ASP.NET Web API and legacy classic ASMX WebServices. You have written an ASP.NET Web API authorization attribute (designed to be used in an ASP.NET API REST service) and applied it on a legacy ASMX WebService. Those two technologies are completely different and should not be mixed together.

It's like trying to put a Lamborghini engine on a horse driven cart.

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928