asp.net-coreasp.net-core-webapiauthorize-attribute
Custom Authorization policy with multiple requirements not working when applied to controller action
I have an .NET Core 3 WebAPI where I want to use custom policy-based authorization, where one of the policies has multiple requirements.
I have added the policy in Startup.ConfigureServices() and added MyCustomPolicyHandler to DI:
public virtual void ConfigureServices(IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy("MyCustomPolicy", policy =>
{
policy.Requirements.Add(new RequirementA());
policy.Requirements.Add(new RequirementB());
policy.Requirements.Add(new RequirementC());
policy.Requirements.Add(new RequirementD());
});
services.AddScoped<IAuthorizationHandler, MyCustomPolicyHandler>();
});
}
I have implemented MyCustomPolicyHandler using the example from this documentation:
Policy-based authorization in ASP.NET Core
public class MyCustomPolicyHandler: IAuthorizationHandler
{
public Task HandleAsync(AuthorizationHandlerContext context)
{
var pendingRequirements = context.PendingRequirements.ToList();
Console.WriteLine($"MyCustomPolicyHandler: {pendingRequirements.Count} requirements");
foreach (var requirement in pendingRequirements)
{
if(requirement is RequirementA) {
// do stuff to check the requirements
context.Succeed(requirement);
}
else if(requirement is RequirementB) {
// do stuff to check the requirements
context.Succeed(requirement);
}
else if(requirement is RequirementC) {
// do stuff to check the requirements
context.Succeed(requirement);
}
else if(requirement is RequirementD) {
// do stuff to check the requirements
context.Succeed(requirement);
}
}
return Task.CompletedTask;
}
}
Next, I apply the policy to one of the controller actions:
public class MyController
{
[HttpGet]
[Authorize(Policy="MyCustomPolicy")]
public ActionResult<SomeViewModel> Get(int id) {
// do stuff
return Ok(vm);
}
}
The problem I'm encountering is there are no requirements associated with the policy. The Console.WriteLine() message shows 0 requirements:
MyCustomPolicyHandler: 0 requirements
If I move the policy to the controller, the requirements are present:
[Authorize(Policy="MyCustomPolicy")]
public class MyController
{
[HttpGet]
public ActionResult<SomeViewModel> Get(int id) {
// do stuff
return Ok(vm);
}
}
MyCustomPolicyHandler: 4 requirements
However, I need this policy applied to the action, not the controller. The [Authorize(Policy="MyCustomPolicy")] attribute should work at the action level.
Any idea why this isn't working?
Thanks.
Solution
Because the place where MyCustomPolicyHandler is injected is misplaced. It needs to be placed outside of AddAuthorization.
services.AddAuthorization(options =>
{
options.AddPolicy("MyCustomPolicy", policy =>
{
policy.Requirements.Add(new RequirementA());
//...
});
});
services.AddScoped<IAuthorizationHandler, MyCustomPolicyHandler>();
Result:
- Blazor: The type or namespace name 'ApplicationPartAttributeAttribute' does not exist in the namespace 'Microsoft.AspNetCore.Mvc.ApplicationParts'
- How can I validate multiple action parameters with ValidationAttribute in ASP.NET Core 3.0
- MVC ASP.NET Core Show detailed error for staging environment
- Microsoft.AspNetCore.OpenAPI generates document with schema $refs to previous properties of same type instead of the base schema itself
- EF Core CRUD Scaffold, show primary key in view?
- Cannot resolve scoped service from root provider .Net Core 2
- Azure SignalR - Client connection fails with 401-Unauthorized 'invalid_token. The signature key was not found'
- How to hide the Links column in the Swagger UI Responses section
- Blazor InputText: conditionally rendering an attribute
- The SSL connection could not be established, see inner exception. Docker problem
- Check if a string is half width or full width in C#
- Unable to invoke javascript function from blazor component
- Cannot remove DBContext from DI
- Send HTTP_1_1_REQUIRED from ASP.NET Core controller
- How to disable the component hierarchy in Blazor?
- IdentityServer4 in IIS being recycled due to app_offline.htm when using discovery endpoint sometimes
- Interact with the Virtualize component
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9
- How i can add endpoint (or сatch a request and check its path) to BCL?
- How does the "Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" package resolves types which are in "Microsoft.AspNetCore.dll"?
- Customize output Serilog
- Unhandled exception. System.InvalidOperationException
- Is it possible to use ASP.NET Core within an F# fsx script?
- How to send data with the size more than Signalr message size limit in Blazor?
- IDX12723: Unable to decode the payload '[PII of type 'System.String' is hidden
- UpdateRange method of Entity Framework Core does not work
- How to enable CORS in ASP.net Core WebAPI
- Why does my CORS configuration still block datatables from consuming an API?
- .NET return JSON without reformating
- .NET 8 & SQL Server 2016 - Contains() throws error