
[Repost] How to override HandleUnauthorizedRequest in ASP.NET Core

2017-01-07 14:08 776 views
Reposted from: http://quabr.com/40446028/how-to-override-handleunauthorizedrequest-in-asp-net-core

I'm migrating my project to ASP.NET Core and I'm stuck on migrating my CustomAuthorization attribute for my controllers. Here is my code.

    using System.Linq;
    using System.Web.Mvc;

    // ASP.NET MVC 5 attribute (the code being migrated)
    public class CustomAuthorization : AuthorizeAttribute
    {
        // Login page to redirect to for this controller/area
        public string Url { get; set; }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            {
                // Not signed in: send to the login page with the original URL
                filterContext.Result = new RedirectResult(Url + "?returnUrl=" + filterContext.HttpContext.Request.Url.PathAndQuery);
            }
            else if (!Roles.Split(',').Any(filterContext.HttpContext.User.IsInRole))
            {
                // Signed in but in none of the required roles
                filterContext.Result = new ViewResult
                {
                    ViewName = "AcessDenied"
                };
            }
            else
            {
                base.HandleUnauthorizedRequest(filterContext);
            }
        }
    }

Then I used it on my controllers:

    [CustomAuthorization(Url = "/Admin/Account/Login", Roles = "Admin")]
    public abstract class AdminController : Controller { }

So, basically, I can use it to redirect to a different login page when the roles are not met. I have a few areas and each of them has a different login page. I tried using CookieAuthenticationOptions like this:

    services.Configure<CookieAuthenticationOptions>(options =>
    {
        options.AuthenticationScheme = "Admin";
        options.LoginPath = "/Admin/Account/Login";
    });

Then on my admin controller:

    [Area("Admin")]
    [Authorize(ActiveAuthenticationSchemes = "Admin", Roles = "Admin")]

But after I log in, it still can't get in.

1 answer

answered 2016-11-06 13:17 Darkonekt
I am doing something similar in one of my projects. This answer is NOT using AuthorizeAttribute, but it might help someone landing here from a Google search. In my case I am using it to authorize based on custom logic.

First my custom attribute class:

    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class CustomAuthorizationAttribute : ActionFilterAttribute
    {
        // Dependency injected by the container (see ServiceFilter below)
        private readonly IMyDepedency _dp;

        public CustomAuthorizationAttribute(IMyDepedency dp)
        {
            _dp = dp;
        }

        public override void OnActionExecuting(ActionExecutingContext context)
        {
            var isValid = false;
            //write my validation and authorization logic here
            if (!isValid)
            {
                // Setting Result short-circuits the action and returns 401
                var unauthResult = new UnauthorizedResult();

                context.Result = unauthResult;
            }

            base.OnActionExecuting(context);
        }
    }

I decorate my controllers like this:

    [ServiceFilter(typeof (CustomAuthorizationAttribute))]

Then in my Startup class:

    public void ConfigureServices(IServiceCollection services)
    {
        // Add framework services.
        services.AddMvc();

        // my other stuff that is not relevant in this post

        // Security
        services.AddTransient<CustomAuthorizationAttribute>();
    }
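A port of the question's attribute to ASP.NET Core as an authorization filter, which runs before model binding and before action filters such as the one in the answer. This is an added example, not code from the question or the answer. It assumes the cookie middleware has already populated HttpContext.User, and it reuses the question's Url and Roles properties and its view name as written.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class CustomAuthorizationAttribute : Attribute, IAuthorizationFilter
{
    public string Url { get; set; }    // login page for this area
    public string Roles { get; set; }  // comma-separated list; any one role is enough

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        // Assumption: an authentication middleware has already set User.
        var user = context.HttpContext.User;

        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            var request = context.HttpContext.Request;
            // Built only from path and query, so it is always a site-relative URL.
            var returnUrl = string.Concat(
                request.PathBase.Value, request.Path.Value, request.QueryString.Value);

            // Escape it so its own '?' and '&' cannot add parameters to the login URL.
            context.Result = new RedirectResult(
                Url + "?returnUrl=" + Uri.EscapeDataString(returnUrl));
            return;
        }

        var required = (Roles ?? string.Empty)
            .Split(',')
            .Select(r => r.Trim())
            .Where(r => r.Length > 0)
            .ToArray();

        if (required.Length > 0 && !required.Any(user.IsInRole))
        {
            // Authenticated but not in any required role: render the denial view.
            context.Result = new ViewResult { ViewName = "AcessDenied" };
        }
        // Leaving Result unset lets the request continue to the action.
    }
}
```

Applied as `[CustomAuthorization(Url = "/Admin/Account/Login", Roles = "Admin")]`, as in the question. The login action that receives returnUrl should still check it with Url.IsLocalUrl before redirecting, since the query string can be edited by the client.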