I’ve seen plenty of guides where the implementation of a custom authorization filter calls base.OnAuthorization(filterContext) as its final step. I have my own custom authorization filter and it works perfectly without that call. However, when I add a call to base.OnAuthorization(filterContext), my WebAPI service returns 401, even though all checks passed successfully.
1) Why do I have to call base.OnAuthorization?
2) How come it returns 401 on its own?
EDIT: I’m thinking it has to do with default Membership and Role providers. Since I’m sort of skipping those, could that be the reason?
As soon as I call base.OnAuthorization, my Response becomes 401.
You don’t have to call that if you handle everything yourself.
But if you do, the authorization logic will pull the user (IPrincipal.Identity) out of Thread.CurrentPrincipal and will deny authorization (401) if one of the following conditions is met:
- IPrincipal is null
- IPrincipal.Identity is not authenticated
- IPrincipal.Identity is authenticated but is not in the authorized group of users, or the user is not in any of the authorized roles (specified on the attribute)
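The following is an added example, not code from the question or the answer above, showing why the base call returns 401 and how to make it cooperate: the filter does its own check, then populates Thread.CurrentPrincipal (and, on Web API 2, the request's principal) with an authenticated identity before calling base.OnAuthorization, so the base class only enforces the Users/Roles declared on the attribute. The X-Api-Key header, the key store, the ApiKeyUser type and the sample keys are all assumptions constructed for this example.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;

// Custom Web API authorization filter: validates an API key itself, then hands
// off to AuthorizeAttribute's own checks (Thread.CurrentPrincipal, IsAuthenticated,
// Users=, Roles=). Illustrative only; the header name, the key store and the
// ApiKeyUser type are assumptions made for this example.
public class ApiKeyAuthorizeAttribute : AuthorizeAttribute
{
    private const string HeaderName = "X-Api-Key"; // assumed header name

    // Constructed sample store: key -> (user name, roles). A real service would
    // look up a hashed key in a backing store, not keep plaintext keys in code.
    private static readonly Dictionary<string, ApiKeyUser> Keys =
        new Dictionary<string, ApiKeyUser>
        {
            { "key-for-alice", new ApiKeyUser("alice", new[] { "admin" }) },
            { "key-for-bob",   new ApiKeyUser("bob",   new[] { "reader" }) },
        };

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        ApiKeyUser user = Authenticate(actionContext);

        if (user == null)
        {
            // Our own check failed: reject with the same status the base class uses.
            actionContext.Response =
                actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            return;
        }

        // This is the step the question is missing. Without it the base class sees
        // a null or unauthenticated Thread.CurrentPrincipal and answers 401 even
        // though our check passed. GenericIdentity with a non-empty name reports
        // IsAuthenticated == true.
        var identity = new GenericIdentity(user.Name, "ApiKey");
        var principal = new GenericPrincipal(identity, user.Roles);
        Thread.CurrentPrincipal = principal;
        actionContext.RequestContext.Principal = principal; // Web API 2: bind it to this request

        // Now base.OnAuthorization only enforces what the attribute declares,
        // e.g. [ApiKeyAuthorize(Roles = "admin")] passes alice and rejects bob.
        base.OnAuthorization(actionContext);
    }

    private static ApiKeyUser Authenticate(HttpActionContext actionContext)
    {
        IEnumerable<string> values;
        if (!actionContext.Request.Headers.TryGetValues(HeaderName, out values))
            return null;

        string key = values.FirstOrDefault();
        ApiKeyUser user;
        return key != null && Keys.TryGetValue(key, out user) ? user : null;
    }
}

// Assumed helper type for this example.
public sealed class ApiKeyUser
{
    public ApiKeyUser(string name, string[] roles) { Name = name; Roles = roles; }
    public string Name { get; private set; }
    public string[] Roles { get; private set; }
}
```

Apply it as `[ApiKeyAuthorize(Roles = "admin")]` on a controller or action. If you would rather not touch the principal yourself, the other clean option is to leave OnAuthorization alone and override `IsAuthorized(HttpActionContext)` instead: the base OnAuthorization calls it and issues the 401 through HandleUnauthorizedRequest when it returns false, so you get the same response handling without reimplementing it.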