Apply [Authorize] attribute implicitly to all Web API controllers

Question

My application is setup where all requests except login must be 'authorized' using the authorization attribute in Web API. E.g.

 [Authorize]
 [HttpGet, Route("api/account/profile")]
 public ApplicationUser Profile()
 {
       return userModel;
 }

and only the login needs to not authorize since thats where you get the token ;)

[AllowAnonymous]
[HttpPost, Route("api/account/login")]
public async Task<IHttpActionResult> Login(LoginViewModel model)
{
   ....
}

instead of having to add the [Authorize] attribute to ALL my routes, is there a way to set it globally?

ssilas777 · Accepted Answer · 2015-10-26T11:58:44.520

62

You have two options

Controller level by decorating your controller with authorize attribute.

[Authorize]
[RoutePrefix("api/account")]
public class AccountController : ApiController
{

You can also set it global level to all routes, in Register method of WebApiConfig.cs file
```
 config.Filters.Add(new AuthorizeAttribute());
```

edited Oct 26 '15 at 11:58

answered Feb 20 '14 at 19:33

ssilas777

9,166
3
41
63

5

I'd also recommend to put this inside a `#if !DEBUG #endif` block, so this could ease debugging without the need for authorization. – ilans Jun 24 '15 at 06:49
I did this, but now I get ALWAYS 401, sure I'm missing something... what else I need to add? – Piero Alberto Nov 30 '19 at 08:05
Side-note: recent version of .net core api, need to add `Policy` for `AuthorizeAttribute` as Matt Frear answered below. – Balagurunathan Marimuthu Feb 26 '21 at 06:19

Lin · Answer 2 · 2014-02-20T19:30:57.887

You can set the AuthorizeAttribute to the WebApiConfig file like below:

public static void Register(HttpConfiguration config)
{
  config.Routes.MapHttpRoute(
    name: "DefaultApi",
    routeTemplate: "api/{controller}/{id}",
    defaults: new { id = RouteParameter.Optional }
  );
  config.Filters.Add(new AuthorizeAttribute());
}

Now all methods from your Web Api controllers will need authorization. If you want to remove this authorization requirement for a method, you need to add the attribute [AllowAnonymous] like in the Login action method.

score 2 · Answer 3 · answered Jun 11 '20 at 04:10

In ASP.NET Core Web API, it's like this:

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers(o =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();

        o.Filters.Add(new AuthorizeFilter(policy));
    });
}

Source: https://joonasw.net/view/apply-authz-by-default

score 1 · Answer 4 · answered Feb 06 '17 at 10:28

1

I just wanted to add something to other answers that if you use

 filters.Add(container.Resolve<AuthorizeAttribute>());

then you can also inject all dependencies into your attribute if there is a need

answered Feb 06 '17 at 10:28

samira riazati

503
7
20

Apply [Authorize] attribute implicitly to all Web API controllers

4 Answers4