I googled and stackoverflowed this question a lot and its different variants, but I'm still confused if it's possible at all. I just want to add a custom header to all actions having specific attribute. Sounds simple? But it's not. I have just written following:
[AttributeUsage(AttributeTargets.Method)]
public class HelloWorldAttribute : ActionFilterAttribute
{
/// <inheritdoc />
public override void OnActionExecuted(ActionExecutedContext filterContext)
{
filterContext.HttpContext.Response.Headers["X-HelloWorld"] = string.Empty;
}
}
And it works fine for all requests except when they are forbidden by [Authorize] on Controller level.
I tried use to use this attribute for Controller level and pass names of methods that have to add this header to it, but it doesn't work too. It seems that Authorize has always a higher priority. And you can agree that it's ugly.
How can it be done?
You can write you own authorize attribute, and handle you code if note autorized or you can add Policy.
Oh i'm soo lazy...
here example
First add policy
public class ReplaceHeaderPolicy : IAuthorizationRequirement
{
}
public class ReplaceHeaderHandler : AuthorizationHandler<ReplaceHeaderPolicy>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ReplaceHeaderPolicy requirement)
{
if (!context.User.Identity.IsAuthenticated)
{
var fc = (FilterContext)context.Resource;
fc.HttpContext.Response.Headers["X-HelloWorld"] = string.Empty;
}
context.Succeed(requirement);
return Task.CompletedTask;
}
}
then register your policy
services.AddAuthorization(options =>
{
options.AddPolicy("ReplaceHeader",
policy => policy.Requirements.Add(new ReplaceHeaderPolicy()));
});
services.AddSingleton<IAuthorizationHandler, ReplaceHeaderHandler>();
and use it on controller
[Authorize]
[Authorize(Policy = "ReplaceHeader")]
public IActionResult Index()
{
return View();
}
Remove second [Authorize] to allow access for Unauthorized access
I hope it's helps