ASP.Net Web API 2 Different Content when authorized -



ASP.Net Web API 2 Different Content when authorized -

i have project that's using asp.net web api 2, , providing oauth back upwards via owin oauth 2 provider. working fine, have nail upon problem when trying differentiate between authenticated users , anonymous users.

i can provide [authorize] , [allowanonymous] attributes, neither quite want do. [authorize] allow authorised users, , [allowanonymous] allow anyone, authenticated or not.

the behaviour i'm looking follows:

user requests endpoint no authorization header in request - anonymous version of endpoint's content returned user requests endpoint valid authorization header in request - logged in version of endpoint's content returned user requests endpoint invalid authorisation header in request - server returns status code of 401

i can build custom attribute this, wondering if there way natively without having create custom attribute.

many help can provide.

richard.

update

one alternative i've come create subclass of authorizeattribute this:

public class successfulauthorizationoranonymousattribute : authorizeattribute { protected override bool isauthorized(system.web.http.controllers.httpactioncontext actioncontext) { if(actioncontext.requestcontext.principal.identity.isauthenticated) homecoming base.isauthorized(actioncontext); else { if (actioncontext.request.headers.authorization != null) { // if there's authorization header, there principal.identity.isauthenticated false, authentication must have failed homecoming false; } else { // there's no authorization header - hence user cannot have attempted authenticate. true anonymous request? homecoming true; } } } }

the logic if user comes through attribute authenticated, can allow base of operations class handle whether they're authorised view content.

however, if come through unauthenticated, can check see if there authorisation header in request, , if there think can infer authentication attempted , failed. if that's case can homecoming they're not authorised access resource.

if there's no authorisation header user did not seek authenticate (the api i'm using supports bearer authentication - nil else), , safe treat user anonymous.

from tests, approach seems behave how like, although sense of hack. there reason why shouldn't way can't see?

thanks,

richard.

i not think can in single endpoint accepts anonymous , authenticated users in same time, recommendation create 2 end points , pull business logic private method, below should work you

[allowanonymous] [httppost] [route("actionforanon")] public ihttpactionresult actionforanon() { homecoming doyourlogic(); } [authorize] [httppost] [route("actionforauth")] public ihttpactionresult actionforauth() { homecoming doyourlogic(); } private ihttpactionresult doyourlogic() { var identity = user.identity claimsidentity; if (identity.isauthenticated) { //your response authenticated user } else { //your response anonymous user } homecoming ok(); }

asp.net asp.net-web-api oauth-2.0 owin

Comments

Post a Comment

Popular posts from this blog

Delphi change the assembly code of a running process -

Delphi change the assembly code of a running process - i'm trying alter address 00741fa5 has push test.009e721c . alter push test.009e71c8 . procedure callback; asm force $9e71c8 end; procedure tform2.btn1click(sender: tobject); var ppid :dword; pprocess : cardinal; begin getwindowthreadprocessid(findwindow(nil,pchar('test')), @ppid); pprocess := openprocess(process_all_access, false, ppid); injectasm(pprocess, $741fa5, 10, integer(@callback), 0); end; here injectasm function (with error checking) function injectasm(process: longword; injectaddress, injectsize, codeaddress, codesize : integer): pointer; var csize, rsize : integer; replaced : array of byte; jmp : array [0..4] of byte; jmpaddress : integer; nopv : byte; : integer; nbr: ulong_ptr; begin //injectsize must equal or greater 5, because need space our //(far) jmp wwxxyyzz instruction //if there's no space, inject in place of few instructions if injectsize ...
Read more

json - Hibernate and Jackson (java.lang.IllegalStateException: Cannot call sendError() after the response has been committed) -

json - Hibernate and Jackson (java.lang.IllegalStateException: Cannot call sendError() after the response has been committed) - hello have problem hibernate , jackson. have 2 pojos @entity @table(name = "users") public class user implements serializable { static final long serialversionuid = 4235637833262722256l; @id @generatedvalue private int id; @column(name = "creation_date") private date creationdate; @column(name = "first_name") private string firstname; @column(name = "last_name") private string lastname; @version @column(name = "version") private int version; @column(name = "e_mail") private string email; @column(name = "enabled") private boolean enabled; @column(name = "login") private string login; @column(name = "password") private string password; @jsonmanagedreference("role") @onetomany(mappedby = "user", cascade = cascadetype.all,fetch = fetchtyp...
Read more

C++ 11 "class" keyword -

C++ 11 "class" keyword - i've started using c++ 11 little bit more , have few questions on special uses of class keyword. know it's used declare class, there's 2 instances have seen don't understand: method<class t>(); and class class_name *var; why precede typename keyword class in first example, , keyword pointer in sec example? that known elaborated type specifier , necessary when class name "shadowed" or "hidden" , need explicit. class t { }; // love of god don't t t; t t2; if compiler smart, give these warnings: main.cpp:15:5: error: must utilize 'class' tag refer type 't' in scope t t2; ^ class main.cpp:14:7: note: class 't' hidden non-type declaration of 't' here t t; ^ if class not defined, deed forwards declaration. for example: template <typename t> void method() { using type = typename t::value_type; } method...
Read more