
I'm migrating my project to ASP.NET Core and I'm stuck on migrating the CustomAuthorization attribute I use on my controllers. Here is my code.

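/// <summary>
/// Authorization attribute that redirects unauthenticated users to a configurable login page
/// and shows an access-denied view to authenticated users who hold none of the required roles.
/// </summary>
public class CustomAuthorization : AuthorizeAttribute
{
    /// <summary>Login page path that unauthenticated requests are redirected to.</summary>
    public string Url { get; set; }

    /// <summary>
    /// Chooses the response for a request that failed authorization: a redirect to <see cref="Url"/>
    /// for anonymous users, the "AcessDenied" view for users without a required role, and the
    /// base class behaviour otherwise.
    /// </summary>
    /// <param name="filterContext">Context of the request that failed authorization.</param>
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;

        if (!user.Identity.IsAuthenticated)
        {
            // Percent-encode the original path and query so that any '&', '=' or '#' in it stays
            // inside the single returnUrl parameter instead of turning into extra parameters
            // (or a fragment) on the login URL.
            var returnUrl = System.Uri.EscapeDataString(filterContext.HttpContext.Request.Url.PathAndQuery);

            // NOTE(review): returnUrl reaches the login action as an ordinary query parameter, so that
            // action should confirm it is a local URL (e.g. Url.IsLocalUrl) before redirecting to it.
            filterContext.Result = new RedirectResult(Url + "?returnUrl=" + returnUrl);
            return;
        }

        // Trim each entry and drop empty ones so a list written as "Admin, Manager" also matches
        // the second role; without the trim, " Manager" is compared with its leading space.
        var requiredRoles = Roles.Split(',')
                                 .Select(role => role.Trim())
                                 .Where(role => role.Length > 0);

        if (!requiredRoles.Any(user.IsInRole))
        {
            // View name kept exactly as the project spells it.
            filterContext.Result = new ViewResult
            {
                ViewName = "AcessDenied"
            };
            return;
        }

        // Authenticated and in a required role, but rejected for another reason: defer to the base class.
        base.HandleUnauthorizedRequest(filterContext);
    }
}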

Then I applied it to my controllers:

/// <summary>
/// Base class for admin controllers: requires the "Admin" role and names the admin login page
/// as the redirect target for unauthenticated requests.
/// </summary>
[CustomAuthorization(Roles = "Admin", Url = "/Admin/Account/Login")]
public abstract class AdminController : Controller
{
}

So, basically, I can use it to redirect to a different login page when the role requirement is not met. I have a few areas, and each of them has a different login page. I tried using CookieAuthenticationOptions like this:

// Cookie settings for the scheme named "Admin": unauthenticated requests challenged under this
// scheme are sent to the admin login page.
// NOTE(review): the login action presumably has to issue its cookie under this same scheme name,
// otherwise [Authorize(ActiveAuthenticationSchemes = "Admin")] will not see the signed-in user — confirm.
// NOTE(review): this configures one CookieAuthenticationOptions instance; a separate login page per
// area presumably needs one cookie scheme registered per area — verify against the framework version in use.
services.Configure<CookieAuthenticationOptions>(cookieOptions =>
{
    cookieOptions.LoginPath = "/Admin/Account/Login";
    cookieOptions.AuthenticationScheme = "Admin";
});

Then, on my admin controller:

// Places the controller in the "Admin" area and requires the "Admin" role, evaluated against
// the identity produced by the authentication scheme named "Admin".
[Area("Admin"), Authorize(Roles = "Admin", ActiveAuthenticationSchemes = "Admin")]

But after I log in, I still can't get in.


1 Answer


I am doing something similar in one of my projects. This answer does NOT use AuthorizeAttribute, but it might help someone landing here from a Google search. In my case, I use it to authorize based on custom logic.

First my custom attribute class:

/// <summary>
/// Action filter that replaces the action's result with an <c>UnauthorizedResult</c> unless the
/// custom check in <see cref="OnActionExecuting"/> marks the request as valid.
/// </summary>
/// <remarks>
/// NOTE(review): action filters run after authorization filters and model binding in the MVC
/// pipeline; if the check must reject a request before model binding, an authorization filter
/// is the earlier hook.
/// </remarks>
public class CustomAuthorizationAttribute : ActionFilterAttribute
{
    // Dependency handed in through the constructor, available to the custom check below.
    private readonly IMyDepedency _dependency;

    /// <summary>Stores the injected dependency for later use by the filter.</summary>
    /// <param name="dp">Dependency supplied by the caller that constructs the filter.</param>
    public CustomAuthorizationAttribute(IMyDepedency dp)
    {
        _dependency = dp;
    }

    /// <summary>Runs the custom check before the action executes and short-circuits on failure.</summary>
    /// <param name="context">Context of the action about to execute.</param>
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Starts as "not authorized": the request is rejected unless the logic below says otherwise.
        bool authorized = false;

        // write my validation and authorization logic here

        if (!authorized)
        {
            // Setting Result here keeps the action method from running.
            context.Result = new UnauthorizedResult();
        }

        base.OnActionExecuting(context);
    }
}

I decorate my controllers like this:

// ServiceFilter obtains the filter instance from the service container, which is why the filter
// type has to be registered in ConfigureServices.
[ServiceFilter(typeof(CustomAuthorizationAttribute))]

Then in my Startup class

/// <summary>Registers MVC and the custom authorization filter with the service container.</summary>
/// <param name="services">Service collection to add the registrations to.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Framework services.
    services.AddMvc();

    // my other stuff that is not relevant in this post

    // Security: register the filter type so [ServiceFilter(typeof(CustomAuthorizationAttribute))]
    // can resolve it from the container, with a new instance per resolution.
    services.AddTransient<CustomAuthorizationAttribute>();
}