Authorization In ASP.NET Application

Authorization and authentication are among the key things we look at before deploying a web application. We want every request to pass through a proper piece of code before it reaches our business code, and we want to ensure that only authenticated users are served. For people who are new to HTTP: when you open the network tab of your browser's dev tools you will often see a 401 error, or the browser itself reports 401 Unauthorized. This happens because the request was not authorized; the web application's authorization code was not able to extract some required information from the request. ASP.NET equips developers with attributes, so whenever a developer wants only valid requests to reach a specific function, he/she puts an attribute on top of that function.

The .NET platform provides us with 5 types of filters (Authorization, Authentication, Action, Result, Exception), which we can use based on our requirements; we can also design our own custom attributes/filters by inheriting from any of them. Authorization filters are the ones that run before any other filter.

[Authorize] is a built-in attribute that many of us have used during application development, or we have created a similar filter to suit our business requirements.

Most often, the default [Authorize] attribute is not enough to meet our business requirements, and we tend to write our own custom authorize attribute class, somewhat like this:

public class AuthorizeAttributeForSampleApplication : AuthorizeAttribute

In our custom authorization attribute, we override four default methods provided by the AuthorizeAttribute class as per our needs. These four methods are discussed below.

OnAuthorization(AuthorizationContext filterContext)

This method is called when a process requests authorization, i.e. whenever our custom filter is invoked because authorization is required.

It has a return type of void, so it returns nothing.

This method requires one parameter, named filterContext as shown above, which encapsulates the information for using System.Web.Mvc.AuthorizeAttribute.

This method throws an exception of type System.ArgumentNullException when the filterContext parameter is null.

AuthorizeCore(HttpContextBase httpContext)

This method provides an entry point for custom authorization checks; in simple terms, it checks whether the user is authorized or not.

This method requires one parameter, named httpContext as shown above, which encapsulates all HTTP-specific information about an individual HTTP request.

It has a return type of bool, so it returns true if the user is authorized; otherwise, false.

As for exceptions, this method also throws System.ArgumentNullException when the httpContext parameter is null.

HandleUnauthorizedRequest(AuthorizationContext filterContext)

As the name suggests, this method comes into the picture when an HTTP request fails authorization.

It takes the same parameter as the OnAuthorization method (filterContext), and in this method we decide what default page to show for unauthorized requests.

The filterContext object contains the controller, HTTP context, request context, action result, and route data. So we can update our application's logs as well as show a relevant message to the user on the basis of details extracted from filterContext.

OnCacheAuthorization(HttpContextBase httpContext)

This method comes in handy when we have implemented caching in our application, and it is called whenever a caching module requests authorization.

We have to provide a parameter httpContext in order to call this method. This httpContext encapsulates all HTTP-specific information about an individual HTTP request.

The return type of this method is HttpValidationStatus and it returns a reference to the validation status.

As for exceptions, same as above, this method also throws System.ArgumentNullException when the httpContext parameter is null.

Note
We can apply our custom filter, consisting of these four overridden methods and a few other methods, to any controller or any action method simply by placing it above the controller/method.

Let us have a look at how to use our custom filter.

In the example below, whenever a user clicks to see/modify/update his settings in my application, a request hits the corresponding action method to serve the view. Before showing the settings page, I want to check whether the user is authorized or not; in such cases my custom authorization filter comes in handy.

  [AuthorizeAttributeForSampleApplication]
  public ActionResult ShowSettingsPage() {
      // If the user is authorized then only this view will be returned.
      return View();
  }
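
One possible body for the AuthorizeAttributeForSampleApplication class applied above, added here as an example and not taken from the original article. The role name "SettingsUser" and the use of System.Diagnostics.Trace for logging are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

public class AuthorizeAttributeForSampleApplication : AuthorizeAttribute
{
    // Hypothetical role name, chosen only for this example.
    private const string RequiredRole = "SettingsUser";

    // Single place for the decision. The base OnAuthorization and
    // OnCacheAuthorization both call this method, so a response served
    // from the output cache is re-validated with the same check.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        var user = httpContext.User;
        // Deny by default: no identity or an anonymous identity is never authorized.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        return user.IsInRole(RequiredRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var user = filterContext.HttpContext.User;
        bool authenticated = user != null && user.Identity != null && user.Identity.IsAuthenticated;
        string action = filterContext.ActionDescriptor.ControllerDescriptor.ControllerName
                        + "." + filterContext.ActionDescriptor.ActionName;

        if (authenticated)
        {
            // Known user without the permission: answer 403 instead of the default 401.
            Trace.TraceWarning("Denied {0} for user {1}", action, user.Identity.Name);
            filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
        }
        else
        {
            // Anonymous request: keep the base behaviour (401 result).
            Trace.TraceWarning("Anonymous request rejected for {0}", action);
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

Because this class overrides AuthorizeCore without calling the base implementation, the Users and Roles properties set on the attribute are not evaluated. Keeping the check in AuthorizeCore, instead of in an OnAuthorization override that skips the base call, preserves the cache validation callback that the base OnAuthorization registers.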