
I have a Windows-authenticated (intranet) .NET Core web app.

Since the user has already been authenticated, that part is done. I don't care about claims etc. I just want to run a simple check of the user's name against a list (from SQL). Any valid domain user can access the site; however, we want to check the user against a custom list and a few other checks in the DB to see if they can get to this API.

What am I missing, or what's left, to use this as an API action attribute? The idea would be to use this at the controller level.

    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class ApiAuthFilter : IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationFilterContext context)
        {
            var httpContext = context.HttpContext;

            // get user name
            string userName = httpContext.User.Identity.Name;

            // check against list to see if access permitted
            // (CheckUser is the custom list/DB lookup, not shown here)
            if (!CheckUser(userName))
            {
                context.Result = new ForbidResult();
            }
        }
    }

Lukas
bitshift

2 Answers


> What am I missing or what's left to use this as an API action attribute? The idea would be to use this at the controller level

If you would like to use the Authorization filter as an attribute,

1. One way is that you could use TypeFilterAttribute:

    [TypeFilter(typeof(ApiAuthFilter))]
    public class HomeController : Controller

2. The other way is that you just need to inherit AuthorizeAttribute for your ApiAuthFilter:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class ApiAuthFilter : AuthorizeAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationFilterContext context)
        {
            var httpContext = context.HttpContext;

            // get user name
            string userName = httpContext.User.Identity.Name;

            // check against list to see if access permitted
            if (!CheckUser(userName))
            {
                context.Result = new ForbidResult();
            }
        }
    }

Then you could use it on controller level like:

    [ApiAuthFilter]
    public class HomeController : Controller

Refer to "How do you create a custom AuthorizeAttribute in ASP.NET Core?" and "Custom Authorization Filter in .NET Core API".

Ryan
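
An added example, not part of the original answers: the `TypeFilter` route above with the list lookup injected through the constructor, failing closed when no authenticated name is present. `IApiAccessList`, `InMemoryApiAccessList` and the `CONTOSO\alice` entry are hypothetical or constructed, and it assumes Windows authentication is registered as the default scheme so that `ChallengeResult` and `ForbidResult` have a handler.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical abstraction over the SQL lookup (not from the original post).
public interface IApiAccessList { bool IsPermitted(string accountName); }

// Constructed stand-in for the database table so the example is self-contained.
public sealed class InMemoryApiAccessList : IApiAccessList
{
    // Windows account names are case-insensitive, so compare them that way.
    private readonly HashSet<string> _allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice" };

    public bool IsPermitted(string accountName) => _allowed.Contains(accountName);
}

public sealed class ApiAuthFilter : IAuthorizationFilter
{
    private readonly IApiAccessList _accessList;

    // TypeFilter supplies this argument from the service container.
    public ApiAuthFilter(IApiAccessList accessList) => _accessList = accessList;

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var identity = context.HttpContext.User?.Identity;

        // Fail closed: without an authenticated, named identity nothing is checked.
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
        {
            context.Result = new ChallengeResult();
            return;
        }

        // Authenticated domain user who is not on the list: 403.
        if (!_accessList.IsPermitted(identity.Name))
        {
            context.Result = new ForbidResult();
        }
    }
}

[TypeFilter(typeof(ApiAuthFilter))]
public class HomeController : Controller
{
    public IActionResult Index() => Ok();
}
```

Register the list in `ConfigureServices` with `services.AddSingleton<IApiAccessList, InMemoryApiAccessList>()`; a database-backed implementation would normally be registered as scoped instead.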

You can implement your verification/check logic in an authorization filter:

    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Mvc.Authorization;
    using Microsoft.AspNetCore.Mvc.Filters;
    using Microsoft.AspNetCore.Server.IISIntegration;
    using Microsoft.Extensions.DependencyInjection;

    public sealed class DomainUserVerificationAuthorizeFilter : IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationFilterContext context)
        {
            var userName = context.HttpContext.User.Identity.Name;

            // your code
        }
    }

    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services
                .AddMvc(options =>
                {
                    var windowsAuthenticationPolicy = new AuthorizationPolicyBuilder()
                        .AddAuthenticationSchemes(IISDefaults.AuthenticationScheme)
                        .RequireAuthenticatedUser()
                        .Build();

                    // add a global filter for windows authentication
                    options.Filters.Add(new AuthorizeFilter(windowsAuthenticationPolicy));

                    // add a filter with your logic for verification
                    options.Filters.Add(new DomainUserVerificationAuthorizeFilter());
                });
        }
    }
Andriy Tolstoy