asp.net mvc Adding to the AUTHORIZE attribute

by

Derive your class from AuthorizeAttribute. Override the OnAuthorization method. Add and set up a CacheValidationHandler.

public void CacheValidationHandler( HttpContext context,
                                    object data,
                                    ref HttpValidationStatus validationStatus )
{
    validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
}


public override void OnAuthorization( AuthorizationContext filterContext )
{
    if (filterContext == null)
    {
        throw new ArgumentNullException( "filterContext" );
    }

    if (AuthorizeCore( filterContext.HttpContext ))
    {
       ... your custom code ...
       SetCachePolicy( filterContext );
    }
    else if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
    {
        // auth failed, redirect to login page
        filterContext.Result = new HttpUnauthorizedResult();
    }
    else
    {
       ... handle a different case than not authenticated
    }
}


protected void SetCachePolicy( AuthorizationContext filterContext )
 {
     // ** IMPORTANT **
     // Since we're performing authorization at the action level, the authorization code runs
     // after the output caching module. In the worst case this could allow an authorized user
     // to cause the page to be cached, then an unauthorized user would later be served the
     // cached page. We work around this by telling proxies not to cache the sensitive page,
     // then we hook our custom authorization code into the caching mechanism so that we have
     // the final say on whether a page should be served from the cache.
     HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
     cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
     cachePolicy.AddValidationCallback( CacheValidationHandler, null /* data */);
 }

More Related Contents:

  1. Can an ASP.NET MVC controller return an Image?
  2. Biggest advantage to using ASP.Net MVC vs web forms
  3. SignalR – Sending a message to a specific user using (IUserIdProvider) *NEW 2.0.0*
  4. ASP.NET Identity DbContext confusion
  5. Adding ASP.NET MVC5 Identity Authentication to an existing project
  6. Disable Session state per-request in ASP.Net MVC
  7. Generating reset password token does not work in Azure Website
  8. Is it possible to access MVC Views located in another project?
  9. Global ASAX – get the server name
  10. Store/assign roles of authenticated users
  11. Difference between Html.RenderAction and Html.Action
  12. How to Customize ASP.NET Web API AuthorizeAttribute for Unusual Requirements
  13. Using ASP.Net MVC with Classic ADO.Net
  14. Get DisplayName Attribute without using LabelFor Helper in asp.net MVC
  15. ASP.NET MVC Relative Paths
  16. How to do a ASP.NET MVC Ajax form post with multipart/form-data?
  17. ASP.NET Core change EF connection string when user logs in
  18. Difference between DropDownlist or DropDownListFor Html helper
  19. ASP.net MVC4 WebApi route with file-name in it
  20. Unable to create an object of type ‘[DBContext’s Name]’. For the different patterns supported at design time [closed]
  21. ‘System.Net.Http.HttpContent’ does not contain a definition for ‘ReadAsAsync’ and no extension method
  22. Diagnosing 404 errors on IIS 7 and ASP.NET MVC
  23. ASP.NET MVC3 Role and Permission Management -> With Runtime Permission Assignment
  24. Custom app_offline.htm file during publish
  25. ASP.NET session state and multiple worker processes
  26. ASP.NET MVC and Windows Authentication with custom roles
  27. How to extend the ValidationSummary HTML Helper in ASP.NET MVC?
  28. IValidatableObject Validate method firing when DataAnnotations fails
  29. ASP.Net MVC RedirectToAction with anchor
  30. How does Html.Raw MVC helper work?

Leave a Comment