Home/ Questions/Q 8128365
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T07:51:12+00:00

In my asp.net mvc3 application, I have a custom Authorization Attribute as seen below.

  • 0

In my asp.net mvc3 application, I have a custom Authorization Attribute as seen below.

public class CustomAuthorize : AuthorizeAttribute
{
    public IAccountRepository AccountRepository { get; set; }

    public CustomAuthorize()
    {
        this.AccountRepository = new UserModel();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        base.AuthorizeCore(httpContext);
        return AccountRepository.isEnabled(HttpContext.Current.User.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) 
    {
        base.HandleUnauthorizedRequest(filterContext);
    }
}

I have the [CustomAuthorize] tag on my controller actions, and the AuthorizeCore method works fine – it performs the logic I want it to (making sure the account is actually enabled), and then returning as such.

However, the overridden HandleUnauthorizedRequest method, which as I understand it should allow me to control the behaviour of an unauthorized request, is not running at all. I put a breakpoint there, I put code in there, I access my application unauthorized, and the code never runs.

What am I missing?

EDIT: I did some more research and found a few other people who had this problem, but no solution unfortunately.

EDIT2: Sample code

[CustomAuthorize]
public class UserController: Controller
{
    public UserController() 
    {
        //do stuff here
    }
}

EDIT 3: @Fabio

Here’s what I’m trying to do. I have a login page (forms auth) that works fine – it calls my custom login, and then calls my AuthorizeCore override. My application uses a large amount of ajax calls, and my eventual goal is for whenever a user is using the application, and the administrator disables them, making an ajax call after being disabled (though still being logged in) should log them out. However, in order to do this, i want to return a custom response if the user is making an ajax call, and for that, I need to ovverride HandleUnauthorizedRequest. But my Authorize Core (and by extension HandleUnauthorizedRequest) are being ignored if the user is logged in (despite the fact that I have customauthorize tags on all of my controller actions that the ajax is calling).

In short: I want to authorize the user on every request, not just the login request (which seems to be what the membership provider is doing right now)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I ended up changing my approach a fair bit. I implemented individual permissions checking, and then that caused AuthorizeCore to be called every time (and not be cached, which I guess was what was happening before).

    Interestingly enough, putting a breakpoint on the HandleUnauthorizedRequest override still doesn’t break, but putting it inside the method will. Strange, and threw me off for a bit, but I’ve solved it now.

    Code if anyone is interested:

    public class CustomAuthorize : AuthorizeAttribute
{
    public string Permissions { get; set; }

    private IAccountRepository AccountRepository { get; set; }        

    private string[] permArray { get; set; }

    private string reqStatus { get; set; }

    public CustomAuthorize()
    {
        this.AccountRepository = new UserModel();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        base.AuthorizeCore(httpContext);

        if (Permissions != null) {
            permArray = Permissions.Trim().Split(' ');

            if (AccountRepository.isEnabled(httpContext.User.Identity.Name)) {
                this.reqStatus = "permission";
                return AccountRepository.hasPermissions(permArray);                     
            } else {
                return false;
            }
        } else {
            return AccountRepository.isEnabled(httpContext.User.Identity.Name);
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) 
    {
        if (this.reqStatus == "permission") {
            filterContext.Result = new RedirectResult(MvcApplication.eM.cause("no_permission", "redirect"));
        } else {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

    And then I decorated the controller with this:

    [CustomAuthorize(Permissions="test_perm")]

    • 0