
I am trying to protect my APIs with a custom implementation of the Authorize attribute.

I authorize users based on a resource and an operation that I specify per action. In ASP.NET MVC this worked like this:

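    // Resource/operation pair this action requires; the classic MVC filter
    // compares it with the permissions granted to the caller's roles.
    // (The original listing was missing the closing ']' of the attribute.)
    [CustomAuthorize(Resource = "Values", Operation = "List")]
    public IEnumerable<string> Get()
    {
        // Placeholder payload for the sample; the guard above is the point.
        return new string[] { "value1", "value2" };
    }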

In the CustomAuthorize class I check whether the logged-in user has been granted permission for that resource/operation by inspecting the permissions attached to the user's roles.

/// <summary>
/// Classic ASP.NET MVC authorization filter that gates an action on a
/// (resource, operation) pair instead of on a role name alone.
/// </summary>
/// <remarks>
/// The permission check itself is not shown in the question; per the text it
/// looks the pair up in the permissions of the logged-in user's roles. In
/// classic MVC that check would typically live in an AuthorizeCore override.
/// </remarks>
public class CustomAuthorize : AuthorizeAttribute
{
    /// <summary>Name of the protected resource, e.g. "Values".</summary>
    public string Resource { get; set; }

    /// <summary>Operation on the resource, e.g. "List".</summary>
    public string Operation { get; set; }

    // Validation of Resource/Operation against the caller's permissions is
    // omitted in the question.
}

How do I implement this in ASP.NET Core? Is custom policy-based authorization the right mechanism, and how do I pass the Resource and Operation parameters to it?



I have implemented it using IAuthorizationRequirement and AuthorizationHandler. I pass the resource/operation as a single string and, in ResourceRequirementHandler, split it on "/" and evaluate Resource and Operation against the caller's permissions. Note that a handler grants access only by calling context.Succeed(requirement); if no handler does so the policy fails and the request is denied, so the stub below (which never calls Succeed) denies everyone until the check is filled in:

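namespace ResoucreAPIs.Filters
{
    using System;

    /// <summary>
    /// Authorization requirement naming one permission as a "Resource/Operation"
    /// pair, e.g. "AdSingle/Read". One policy is registered per pair in Startup
    /// and referenced by policy name from the controller actions.
    /// </summary>
    public class ResourceRequirement : IAuthorizationRequirement
    {
        /// <summary>Separator between the resource and the operation part.</summary>
        public const char Separator = '/';

        /// <summary>
        /// Builds the requirement from the combined "Resource/Operation" string.
        /// </summary>
        /// <param name="resource">Permission in the form "Resource/Operation".</param>
        /// <exception cref="ArgumentException">
        /// The string is null, blank, or does not consist of exactly one non-empty
        /// resource part and one non-empty operation part. Failing here (policies
        /// are built in ConfigureServices) is preferable to a malformed permission
        /// that silently matches nothing at request time.
        /// </exception>
        public ResourceRequirement(string resource)
        {
            if (string.IsNullOrWhiteSpace(resource))
            {
                throw new ArgumentException("Permission must be given as \"Resource/Operation\".", nameof(resource));
            }

            var parts = resource.Split(Separator);
            if (parts.Length != 2 || string.IsNullOrWhiteSpace(parts[0]) || string.IsNullOrWhiteSpace(parts[1]))
            {
                throw new ArgumentException("Permission '" + resource + "' is not of the form \"Resource/Operation\".", nameof(resource));
            }

            _resource = resource;
            Resource = parts[0];
            Operation = parts[1];
        }

        /// <summary>The resource part, e.g. "AdSingle".</summary>
        public string Resource { get; }

        /// <summary>The operation part, e.g. "Read".</summary>
        public string Operation { get; }

        /// <summary>The full "Resource/Operation" string the policy was registered with.</summary>
        public string Permission
        {
            get { return _resource; }
        }

        // Retained (now read-only) so derived requirements written against the
        // original member name keep compiling.
        protected string _resource { get; }
    }

    /// <summary>
    /// Grants a <see cref="ResourceRequirement"/> when the caller carries a
    /// permission claim whose value equals the requirement's "Resource/Operation"
    /// string. Fails closed: the requirement stays unsatisfied, and the request is
    /// denied, unless an exact match is found.
    /// </summary>
    public class ResourceRequirementHandler : AuthorizationHandler<ResourceRequirement>
    {
        /// <summary>
        /// Claim type that carries the caller's permissions.
        /// NOTE(review): the question only says the permissions are in the claims
        /// identity; "permission" is an assumed type name — confirm it against
        /// whatever issues the identity, and confirm the claim values use the
        /// same "Resource/Operation" format as the registered policies.
        /// </summary>
        public const string PermissionClaimType = "permission";

        /// <inheritdoc />
        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
            ResourceRequirement requirement)
        {
            var user = context.User;

            // Anonymous callers never satisfy a permission requirement.
            if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            {
                return Task.CompletedTask;
            }

            // Ordinal, case-sensitive comparison: permissions are identifiers,
            // not text, so "adsingle/read" must not pass for "AdSingle/Read".
            foreach (var claim in user.FindAll(PermissionClaimType))
            {
                if (string.Equals(claim.Value, requirement.Permission, StringComparison.Ordinal))
                {
                    context.Succeed(requirement);
                    break;
                }
            }

            // Deliberately no context.Fail(): leaving the requirement unsatisfied
            // already denies, and Fail() would also veto other handlers for it.
            return Task.CompletedTask;
        }
    }
}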

Then register the handler and the policies it evaluates, calling this from ConfigureServices in the Startup class. A singleton handler is fine only while it keeps no per-request state and needs no scoped services such as a DbContext; otherwise register it with AddScoped:

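   /// <summary>
   /// Registers one named policy per resource/operation permission plus the
   /// handler that evaluates them. Call from ConfigureServices in Startup.
   /// </summary>
   /// <param name="services">The application's service collection.</param>
   protected void SetResourceAuthorizationRequirements(IServiceCollection services)
    {
        // Policy name -> "Resource/Operation" permission. Actions reference the
        // policy name; the handler matches the permission. Keeping the pairs in
        // one table makes the name/permission mapping reviewable at a glance.
        string[][] policies =
        {
            new[] { "AdSingleRead",     "AdSingle/Read" },
            new[] { "AdListRead",       "AdList/Read" },
            new[] { "AdByCustomerRead", "AdByCustomer/Read" },
            new[] { "AdModify",         "Ad/Modify" },
            new[] { "AdDelete",         "Ad/Delete" },
        };

        services.AddAuthorization(options =>
        {
            foreach (var entry in policies)
            {
                var policyName = entry[0];
                var permission = entry[1];
                options.AddPolicy(policyName, policy => policy.Requirements.Add(new Filters.ResourceRequirement(permission)));
            }
        });

        // Singleton is only safe while the handler keeps no per-request state
        // and takes no scoped dependencies (e.g. a DbContext). If it ever needs
        // those, register it with AddScoped instead.
        services.AddSingleton<IAuthorizationHandler, Filters.ResourceRequirementHandler>();
    }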

Apply the policies to each action. Because every action carries its own [Authorize(Policy = ...)], an action added without one is unprotected unless the controller itself is decorated; consider setting options.FallbackPolicy (or a global AuthorizeFilter) so that a forgotten attribute fails closed:

    /// <summary>Lists all ads. Requires the "AdList/Read" permission (policy AdListRead).</summary>
    [HttpGet, Authorize(Policy = "AdListRead")]
    public IEnumerable<string> GetAllAds()
    {
        // Sample payload only; the policy gate above is what matters.
        var ads = new[] { "value1", "value2" };
        return ads;
    }

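    // Explicit verb and template, like the sibling actions. The original had
    // neither, so how it was routed depended entirely on the controller-level
    // [Route] attribute (not shown) and could collide with GetAllAds for GET.
    /// <summary>Returns a single ad. Requires the "AdSingle/Read" permission (policy AdSingleRead).</summary>
    /// <param name="id">Identifier of the ad; unused by this sample body.</param>
    [HttpGet("{id}")]
    [Authorize(Policy = "AdSingleRead")]
    public string Get(int id)
    {
        return "value";
    }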

    /// <summary>Creates an ad. Requires the "Ad/Modify" permission (policy AdModify).</summary>
    /// <param name="value">Request body; ignored by this sample stub.</param>
    [HttpPost, Authorize(Policy = "AdModify")]
    public void Post([FromBody] string value)
    {
        // Intentionally empty in the question; only the policy gate is shown.
    }


    /// <summary>Updates an ad. Shares the "Ad/Modify" permission (policy AdModify) with Post.</summary>
    /// <param name="id">Identifier of the ad to update; unused by this stub.</param>
    /// <param name="value">Request body; ignored by this sample stub.</param>
    [HttpPut("{id}"), Authorize(Policy = "AdModify")]
    public void Put(int id, [FromBody] string value)
    {
        // Intentionally empty in the question; only the policy gate is shown.
    }


    /// <summary>Deletes an ad. Requires the separate "Ad/Delete" permission (policy AdDelete), not AdModify.</summary>
    /// <param name="id">Identifier of the ad to delete; unused by this stub.</param>
    [HttpDelete("{id}"), Authorize(Policy = "AdDelete")]
    public void Delete(int id)
    {
        // Intentionally empty in the question; only the policy gate is shown.
    }