I’m trying to do some custom authorization so I created a controller overriding the OnAuthorization method. I also applied the Authorize attribute to this controller.
The question is why is the OnAuthorization method called BEFORE the basic forms authentication process?
I would like to authorize the user after he is authenticated.
Am I missing something?
Here is the code:
using System;
using System.Collections.Generic;
using System.Web.Mvc;

[Authorize]
public class AuthorizationController : Controller
{
    protected override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Validate the argument before anything dereferences it.
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        // Controller.OnAuthorization has no default behaviour; calling it keeps
        // the hook available to further derived controllers.
        base.OnAuthorization(filterContext);

        List<string> allowedControllers = new List<string>() { "SecurityController" };
        List<string> allowedActions = new List<string>() { "Index" };

        // Runtime type name of the executing controller and the requested action name.
        string controllerName = filterContext.Controller.GetType().Name;
        string actionName = filterContext.ActionDescriptor.ActionName;

        if (!allowedControllers.Contains(controllerName)
            || !allowedActions.Contains(actionName))
        {
            // Setting a Result short-circuits the pipeline; the action never runs.
            filterContext.Result = View("UnauthorizedAccess");
        }
    }
}
The controller that I tested with is something like:
public class SecurityController : AuthorizationController
{
    public ActionResult Index()
    {
        return View();
    }

    public ActionResult AnotherIndex()
    {
        return View();
    }
}
One of the first things the AuthorizeAttribute does is check to see if the user is authenticated. If they are not, then that is when a redirect to the login page will be issued. The AuthorizeAttribute basically wraps the authentication check in with the authorization piece:

When you use the AuthorizeAttribute with no roles/users as you do in your example ([Authorize]), it is basically just checking to make sure the user is authenticated in this case.
I would probably change your code to override the AuthorizeAttribute instead of doing this code in your controller. You can do the following:
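An added illustration of the approach the answer recommends, written for this page and not taken from the answer or from ASP.NET MVC itself: a subclass of AuthorizeAttribute that lets the base class do the authentication (and any roles/users) check first, then applies the controller/action allow-list from the question only to an already-authenticated user. The attribute name, its constructor arguments and the "UnauthorizedAccess" view are assumptions for the example; it relies on HttpRequestBase.RequestContext (present from .NET 4.0) and on the route values "controller" and "action", which hold the route name ("Security"), not the type name ("SecurityController").

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical attribute for this example (not part of ASP.NET MVC).
// AuthorizeAttribute already handles "is the user authenticated" (plus Roles/Users
// when set); this subclass adds an allow-list check on top of that.
public class ActionAllowListAuthorizeAttribute : AuthorizeAttribute
{
    private readonly HashSet<string> _allowedControllers;
    private readonly HashSet<string> _allowedActions;

    // Comma-separated route names, e.g. [ActionAllowListAuthorize("Security", "Index")]
    public ActionAllowListAuthorizeAttribute(string allowedControllers, string allowedActions)
    {
        _allowedControllers = Split(allowedControllers);
        _allowedActions = Split(allowedActions);
    }

    private static HashSet<string> Split(string csv)
    {
        return new HashSet<string>(
            (csv ?? string.Empty)
                .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                .Select(s => s.Trim()),
            StringComparer.OrdinalIgnoreCase);
    }

    // Called once per request; returning false triggers HandleUnauthorizedRequest.
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Step 1, authentication: the base implementation checks IsAuthenticated
        // and, if Roles/Users were supplied, those as well.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        // Step 2, authorization: only reached for an authenticated user.
        RouteData routeData = httpContext.Request.RequestContext.RouteData;
        string controller = routeData.GetRequiredString("controller");
        string action = routeData.GetRequiredString("action");

        return _allowedControllers.Contains(controller) && _allowedActions.Contains(action);
    }

    // By default a failed check yields a 401, which forms authentication turns into a
    // login redirect even when the user is already logged in. Separate the two cases
    // so an authenticated but forbidden user gets a 403 page rather than a login loop.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            filterContext.HttpContext.Response.StatusCode = 403;
            filterContext.Result = new ViewResult { ViewName = "UnauthorizedAccess" };
        }
        else
        {
            // Not authenticated: keep the 401 so forms auth redirects to the login page.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Usage: the attribute replaces both [Authorize] and the OnAuthorization override.
[ActionAllowListAuthorize("Security", "Index")]
public class SecurityController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Authenticated users get the 403 view; anonymous users are sent to log in.
    public ActionResult AnotherIndex()
    {
        return View();
    }
}
```

Putting the logic in an attribute rather than in Controller.OnAuthorization also means the ordering question in the post no longer arises: authentication and authorization run inside one filter, in the order AuthorizeCore dictates.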