I need to protect my Web API so that only one or more specific users from Active Directory can call it. In the web.config I have the following code:
<configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false" />
    <section name="users" type="System.Configuration.NameValueFileSectionHandler,System, Version=1.0.3300.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>
<users>
    <add key="user" value="domain\loginname" />
</users>
<system.web>
    <authentication mode="Windows" />
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5" />
</system.web>
Then I have a custom authorize attribute which reads the user from the web.config section shown above.
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    public MyAuthorizeAttribute(params string[] userKeys)
    {
        List<string> users = new List<string>(userKeys.Length);
        var allUsers = (NameValueCollection)ConfigurationManager.GetSection("users");
        foreach (var userKey in userKeys)
        {
            users.Add(allUsers[userKey]);
        }
        this.Users = string.Join(",", users);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        bool isAuthorized = base.AuthorizeCore(httpContext);
        bool isRequestHeaderOk = false;
        return isAuthorized && isRequestHeaderOk;
    }
}
The problem is that AuthorizeCore is never hit in the debugger: the JSON in the browser is always shown even if I put a hardcoded false there, and the breakpoint is never hit.
Then I decorate my controllers with the custom authorize attribute:
[MyAuthorize("user")]
[ResponseType(typeof(tblCargo))]
public IHttpActionResult GettblCargosByActivo()
{
    var query = from c in db.tblCargos
                orderby c.strCargo
                select c;
    //var result = Newtonsoft.Json.JsonConvert.SerializeObject(query);
    //return result;
    return Ok(query);
}
And in IIS, the only enabled method is Windows Authentication.
When I browse to the site from another computer, I get the authentication window, but the authorize method shown above is never hit.
This is a nice post that led me in the right direction (I believe): Custom Authorization in Asp.net WebApi - what a mess?
In my case, while refactoring, my controller class was no longer extending ApiController. This was necessary for my filter to fire.
AuthorizeAttribute in System.Web.Http instead of System.Web.Mvc, and IsAuthorized instead.
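Putting the two answers together, here is an added example (not code from the question or from either answerer) of the same attribute written against System.Web.Http so that Web API actually invokes it. It assumes the `users` config section from the question and Web API 2, where `HttpActionContext.RequestContext.Principal` carries the Windows identity; it also fails closed when a configured key is missing instead of silently adding an empty user name.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Web.Http;                // System.Web.Http.AuthorizeAttribute, not System.Web.Mvc
using System.Web.Http.Controllers;    // HttpActionContext

// Web API never calls MVC's AuthorizeCore(HttpContextBase); the hook it calls
// on a System.Web.Http.AuthorizeAttribute is IsAuthorized(HttpActionContext).
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    private readonly HashSet<string> _allowedUsers;

    public MyAuthorizeAttribute(params string[] userKeys)
    {
        // Same "users" section as in the question's web.config (assumed present).
        var allUsers = (NameValueCollection)ConfigurationManager.GetSection("users");
        _allowedUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase);

        foreach (var key in userKeys)
        {
            var name = allUsers == null ? null : allUsers[key];
            // Fail closed: a missing or empty key must not widen access to
            // an empty/unknown name, it must break configuration loudly.
            if (string.IsNullOrWhiteSpace(name))
                throw new ConfigurationErrorsException("No user configured for key '" + key + "'.");
            _allowedUsers.Add(name);
        }
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;   // anonymous request: let the base class answer 401

        // Windows authentication supplies "DOMAIN\login"; Active Directory
        // names are not case-sensitive, hence the OrdinalIgnoreCase set above.
        return _allowedUsers.Contains(principal.Identity.Name);
    }
}

// Usage, as in the question; the controller must derive from ApiController
// (the other answer's point) or the filter never runs:
//
// [MyAuthorize("user")]
// public class CargoController : ApiController { ... }
```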