MVC Authorization Filters

Kailash Chandra Behera | Tuesday, June 09, 2020

Introduction

In this blog we are going to discuss about the Authorization Filter in MVC, we will discuss the purpose and how to create Authorization Filter.

Getting Started

Authorization Filter helps you to perform logic while an MVC action is executing or after an MVC action has executed. it runs first and is used to determine whether the user is authorized for the request means Authorization filters perform authentication and authorizes before executing action method and short-circuit the pipeline if the request is not authorized.

The Authorize keyword can be used as an attribute to implement an inbuilt Authorization filter and it comes under System.Web.Mvc namespace, if no user profile found with the request(in request header) then Authorization filter will throw "The authenticated user does not have access to a resource needed to process the request" exception. See the below code that implements the Authorization filter in the controller and action method.

Code Example:-
 using System.Web.Mvc;  
 namespace mvcfilters.Controllers  
 {  
   [Authorize]  
   public class HomeController : Controller  
   {  
     public ActionResult Index()  
     {  
       return View();  
     }  
   }  
 }  

Implementation of Authorization filter in controller

Code Example:-
 using System.Web.Mvc;  
 namespace mvcfilters.Controllers  
 {  
     
   public class HomeController: Controller  
   {  
     [Authorize]
     public ActionResult Index()  
     {  
       return View();  
     }  
   }  
 }  

Implementation of Authorization filter in action method

Authorize key work only checks the user profile in the request or the specified role if specified, if conditions are not meet it will redirect the user to the exception page with the message mentioned above. To handle exception proper or to implement your own authorize logic, you can create your own custom Authorization filter.

The AuthorizeAttribute class helps to create custom Authorization filter, follow the below steps to create custom Authorization filter.

Steps:

  1. Create MVC Project or open your existing MVC Project in which you want to add attribute action filter.
  2. Create a new folder inside the MVC project and name is as Filters.
  3. Right on the folder add a new class having name “CustomeAuthorizeFilter”.
  4. Inherit the ActionFilterAttribute  class.
  5. Override the AuthorizeCore and HandleUnauthorizedRequest methods or ActionFilterAttribute  class
  6. The first method will invoke when a request comes, hence you can write your own logic to authorize an user and you can return true or fail based on the authorization, the second method will invoke if the first method return false, here you can write redirection logic.
  7. Write authorize logic in the first method and redirect logic in the second method
  8. Now you are done with the creation of attribute Authorization filter and your newly created attribute class should look like below code.
     using System.Web.Mvc;  
     namespace mvcfilters  
     {  
      public class CustomeAuthorizeFilter: AuthorizeAttribute  
      {  
       protected override bool AuthorizeCore(HttpContextBase httpContext)  
       {  
        //Write code to authorize users  
        //return base.AuthorizeCore(httpContext);  
       }  
       protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)  
       {  
        //Write code to redired user   
        //base.HandleUnauthorizedRequest(filterContext);  
       }  
      }  
     }  
    

    Example of Custom Authorization filter

we can decorate the controllers on which we want the action attribute to execute. You can see in the below code I have decorated the HomeController with the CustomeAuthorizeFilter attribute which was created in the previous code.

 namespace mvcfilters.Controllers  
 {  
   public class HomeController : Controller  
   {  
     [CustomeAuthorizeFilter]  
     public ActionResult Index()  
     {  
       return View();  
     }  
   }  
 }  

Related Articles

  1. Various Filters in MVC
  2. MVC Exception Filter
  3. MVC Action Filter

Summary

In this blog we discussed what is Authorization filter, how it is working and how to create own custom Authorization filet, hope you enjoyed.

Thanks