Home/ Questions/Q 6761065
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T14:08:31+00:00

In ASP.NET MVC, I would like to somehow do custom authorization using the MvcSiteMapProvider.

  • 0

In ASP.NET MVC, I would like to somehow do custom authorization using the MvcSiteMapProvider.

I am aware I can implement a custom Authorization Attribute that inherits from AuthorizeAttribute. Then, we can perhaps decorate out controllers with [SiteMapAuthorize] for instance.

Is this the best route? If so, what I am looking for is the proper implementation of using a site map provider with authorize.

public class SiteMapAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {

    }
}

Thanks for any help!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ve got this working

    Here is my solution:

    public class SiteMapAuthorizeAttribute : AuthorizeAttribute
{
    public string Action { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!httpContext.User.Identity.IsAuthenticated)
            return false;

        var node = SiteMap.CurrentNode;

        // If the node is null, then it was not loaded into memory 
        // because this user was not authorized to view this node
        if (node == null)
            return false;

        // Check the node's accessibility regardless in case we got passed the above check
        return node.IsAccessibleToUser(HttpContext.Current);
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // If user is not authenticated allow default handling
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        string customErrorPage = GetCustomError("403");
        if (customErrorPage == null)
        {
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Redirect to 403 (Access Denied) page
        filterContext.Result = new RedirectResult(customErrorPage);
    }

    private string GetCustomError(string statusCode)
    {
        CustomErrorsSection customErrorsSection = ConfigurationManager.GetSection("system.web/customErrors") as CustomErrorsSection;

        if (customErrorsSection != null)
        {
            CustomError customErrorPage = customErrorsSection.Errors[statusCode];

            if (customErrorPage != null)
                return customErrorPage.Redirect;
        }
        return null;
    }
}

    The HandleUnauthorizedRequest works with the customErrors section in the web.config:

    <customErrors mode="On" defaultRedirect="~/Error">
  <error statusCode="404" redirect="~/Error/NotFound"/>
  <error statusCode="403" redirect="~/Error/AccessDenied"/>
</customErrors>

    You will need an Errors Controller for the above customErrors to work:
    How to use CustomErrors in ASP.NET MVC 2

    • 0