Accessing post or get parameters in custom authorization MVC4 Web Api

by

Due to its nature the AuthoriseAttribute looks like it is called in the pipeline before the model binders and parameter bindings have run. You also run into issues when you access the Request.Content and read from it… this can only be done once and if you are going to try it in your auth attribute you may break the mediaTypeFormater…

in WebAPI, the request body (an HttpContent) may be a read-only, infinite, non-buffered, non-rewindable stream.

Update
There are different ways of specifying the execution context… http://msdn.microsoft.com/en-us/library/system.web.http.filters.filterscope(v=vs.108).aspx. The AuthoriseAttribute is “Global” and therefore it is hit too early to access the action information.

Given you want access to the model and parameters you can change your approach slightly and use an OnActionExecuting filter (“Action” filter scope) instead and throw a 401 or 403 based on your validation.

This filter is called later in the execution process and you therefore have full access to the bound data.

Very simple example below:

public class ApiAuthorizationFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        Foo model = (Foo)actionContext.ActionArguments["model"];
        string param1 = (string)actionContext.ActionArguments["param1"];
        int param2 = (int)actionContext.ActionArguments["param2"];

        if (model.Id != "1")
            throw new HttpResponseException(System.Net.HttpStatusCode.Forbidden);

        base.OnActionExecuting(actionContext);
    }
}

Example controller:

public class Foo
{
    public string Id { get; set; }
    public DateTime Time { get; set; }
}

public class FoosController : ApiController
{
    // PUT api/foos/5
    [ApiAuthorizationFilter]
    public Foo Put(int id, Foo model, [FromUri]string param1 = null, int? param2 = null)
    {
        return model;
    }
}

What the other answers were saying…. they are right you can, if you can access all you need on the URL, get at stuff via the request; however, I think the model and the request content should be left alone:

var queryStringCollection = HttpUtility.ParseQueryString(actionContext.Request.RequestUri.Query);

    //example for param1
    string param1 = queryStringCollection["param1"];
    //example for param2
    int param2 = int.Parse(queryStringCollection["param2"]);
    //Example of getting the ID from the URL
    var id = actionContext.Request.RequestUri.Segments.LastOrDefault();

More Related Contents:

  1. WebAPI Multiple Put/Post parameters
  2. Logging request/response messages when using HttpClient
  3. MVC4 HTTP Error 403.14 – Forbidden
  4. Windows update caused MVC3 and MVC4 stop working
  5. Cannot attach the file *.mdf as database
  6. Using a proxy with .NET 4.5 HttpClient
  7. All requests to ASP.NET Web API return 404 error
  8. Why does Math.Round(2.5) return 2 instead of 3?
  9. What are Extension Methods?
  10. ResourceDictionary in a separate assembly
  11. How do I fix the Visual Studio compile error, “mismatch between processor architecture”?
  12. Bind to a method in WPF?
  13. How do you configure WCF known types programmatically?
  14. Marshal “char *” in C#
  15. Replacing the WPF entry point
  16. WPF Handedness with Popups
  17. Microsoft Roslyn vs. CodeDom
  18. Does .Net 4.5 support XML 1.1 yet (for characters invalid in XML 1.0)?
  19. DataTrigger not firing
  20. Return Json, but it includes backward slashes “\”, which I don’t want
  21. Change Assembly Version in a compiled .NET assembly
  22. PowerShell generic collections
  23. How to get the current ProcessID?
  24. ASP.Net MVC Redirect To A Different View
  25. What’s the difference between Control.Select() and Control.Focus()?
  26. Model First with DbContext, Fails to initialize new DataBase
  27. How to implement Balloon message in a WPF application
  28. WCF is using the computer name instead of the IP address and cannot be resolved
  29. Visual Basic Capture output of cmd
  30. IIS Application pool PID

Leave a Comment