Search code examples
c#asp.net-mvc-5authorize-attribute

Does anyone have a good explanation on how the [Authorize] Attribute handles routes in a standard ASP.NET MVC 5 application?

As you can see from my previous post, I've been having a lot of difficulty with MVC 5's [Authorize] attribute. The dev team in the shop next door can't figure out why the attribute keeps failing in every new project I create in Frameworks 4.5.2, 4.5.3, or 4.6 (By fail, I mean that decorating an action method with the attribute will automatically redirect all users, authorized or no, to a 401 page). My new standard practice is to create a custom attribute inheriting from AuthorizeAttribute in every membership system I build, but this is obviously not ideal.

MSDN doesn't have any code-based explanation of how the attribute actually reroutes unauthorized users to the login page (the expected behavior), which is the critical insight that's needed in order to determine whether the true bug lies in my codebase, or is instead a quirk in the IIS host settings. Anyone out there able to white-box this attribute once and for all?

Solution

  • Remember that authentication and authorization are separate concerns in your application.

    Basically you're going to need to implement an IAuthenticationFilter

    Have a look at the MVC5 pipeline http://www.dotnet-tricks.com/Tutorial/mvc/LYHK270114-Detailed-ASP.NET-MVC-Pipeline.html - there have been a number of changes since MVC4 Pipeline
    (source: dotnet-tricks.com)

    Most importantly is the introduction of the Authentication filter. Previously they combined the Authentication and the Authorization handling into the [Authorize] filter, now they have separated these concerns out properly.

    There is a nice article by James Chambers that should give you a good overview of how these filters behave in the lifecycle of a request: http://jameschambers.com/2013/11/working-with-iauthenticationfilter-in-the-mvc-5-framework/

    Throwing an UnAuthorized result should do it:

    public void OnAuthentication(AuthenticationContext filterContext)
{
    if (!filterContext.Principal.Identity.IsAuthenticated)
        filterContext.Result = new HttpUnauthorizedResult();
}

    In an MVC application the default mechanism for authentication is Forms, for which there is a default account controller and corresponding views added to our project. Thus, by simply letting the user “fall through”, they will end up at the login page.

    Hope that helps :)