0

I am trying to build my custom authorization middle ware in ASP.Net Core. Which checks if the called action (method in controller class) is tagged by [Authorize] attribute. I still do not have good ideas how can I implement that.

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.Use((context, next) =>
    {
        // if (THE CALLED ACTION HAS [Authorize] attribute)
        //     DO SOMETHING...
        return next();
    });

    app.UseMvcWithDefaultRoute();     
}

Could some one give me any hint to implement the commented condition?

Mohammed Noureldin
  • 14,913
  • 17
  • 70
  • 99
  • That early in pipeline the action has not been determined as yet so there is not even an action to check for attributes. – Nkosi Nov 07 '17 at 02:06
  • @Nkosi, ok so is it some how possible to get that working by implementing my own middle ware? – Mohammed Noureldin Nov 07 '17 at 02:07
  • 1
    I would suggest reading up here https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware?tabs=aspnetcore2x – Nkosi Nov 07 '17 at 02:09
  • @Nkosi, actually I have just finished reading it before asking, but I still have not got it yet, sorry. Could you give any related hint? So how does MVC with its build in identity knows that something is tagged with `[Authorize]` attribute, when it is called before using MVC? I appreciate any hint which helps me to implement that. – Mohammed Noureldin Nov 07 '17 at 02:16
  • You should avoid trying to reinvent existing features. https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity?tabs=visual-studio%2Caspnetcore2x – Nkosi Nov 07 '17 at 02:21
  • @Nkosi I am trying to avoid using Identity because it abstracts a lot of details (and adds some over head some where else). Understanding how I can implement it will be a good practice for me as well. – Mohammed Noureldin Nov 07 '17 at 02:24
  • Understood. The problem is going through all of that is way too broad to answer on this site. – Nkosi Nov 07 '17 at 02:27
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/158363/discussion-between-mohammed-noureldin-and-nkosi). – Mohammed Noureldin Nov 07 '17 at 02:30
  • OK during reading `ASP.Net Core MVC` source code on `Github`, I find a hint which looks a good place to start, the `filters` (an option of MVC middleware). I will read it and I will post my answer if I get anything useful. – Mohammed Noureldin Nov 07 '17 at 03:17
  • 1
    filters are the way to go – Nkosi Nov 07 '17 at 03:24
  • For Authorization you don't need Identity. See https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?tabs=aspnetcore2x – Christian Gollhardt Nov 07 '17 at 04:22

1 Answers1

1

In general, if you need to check whether the action has an attribute, you need to use the action filter, not middleware.

Why? Cause action methods are part of MVC middleware and so action filters are. While standard middlewares don't know about MVC concept.

Set
  • 47,577
  • 22
  • 132
  • 150