ASP.NET Authentication POST Policy












0















I am currently working on a POST controller. In the past I've handled logic regarding authentication in the controller itself like this:



    [HttpPost]

    public HttpResponseMessage Post([FromBody] Foo foo)

    {

        if (foo.bar !== user.bar){

            return;

    }


I am not the best c# programmer, so have no clue how this should be handled. While researching I stumbled upon Policies. So I already use a [Authenticated] tag above the controller, but based on if the foo.bar in this example is the same as me.bar I am not allowed to make this post. (So the authenticated tag is for authentication but I want to change the Authorization)



Is it possible that I can make a [Policy=("fooPoster")] and can use the body of the post in there to determine whether I am authorized or not to access the post, or can I only access the global state to determine it?






asp.net







share|improve this question























  • Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

    – Jabberwocky
    yesterday











  • @Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

    – Rowan de Graaf
    yesterday











  • Check this out stackoverflow.com/questions/35609632/…

    – Jabberwocky
    yesterday











  • Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

    – Rowan de Graaf
    yesterday
















0















I am currently working on a POST controller. In the past I've handled logic regarding authentication in the controller itself like this:



    [HttpPost]

    public HttpResponseMessage Post([FromBody] Foo foo)

    {

        if (foo.bar !== user.bar){

            return;

    }


I am not the best c# programmer, so have no clue how this should be handled. While researching I stumbled upon Policies. So I already use a [Authenticated] tag above the controller, but based on if the foo.bar in this example is the same as me.bar I am not allowed to make this post. (So the authenticated tag is for authentication but I want to change the Authorization)



Is it possible that I can make a [Policy=("fooPoster")] and can use the body of the post in there to determine whether I am authorized or not to access the post, or can I only access the global state to determine it?






asp.net







share|improve this question























  • Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

    – Jabberwocky
    yesterday











  • @Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

    – Rowan de Graaf
    yesterday











  • Check this out stackoverflow.com/questions/35609632/…

    – Jabberwocky
    yesterday











  • Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

    – Rowan de Graaf
    yesterday














0












0








0








I am currently working on a POST controller. In the past I've handled logic regarding authentication in the controller itself like this:



    [HttpPost]

    public HttpResponseMessage Post([FromBody] Foo foo)

    {

        if (foo.bar !== user.bar){

            return;

    }


I am not the best c# programmer, so have no clue how this should be handled. While researching I stumbled upon Policies. So I already use a [Authenticated] tag above the controller, but based on if the foo.bar in this example is the same as me.bar I am not allowed to make this post. (So the authenticated tag is for authentication but I want to change the Authorization)



Is it possible that I can make a [Policy=("fooPoster")] and can use the body of the post in there to determine whether I am authorized or not to access the post, or can I only access the global state to determine it?






asp.net







share|improve this question














I am currently working on a POST controller. In the past I've handled logic regarding authentication in the controller itself like this:



    [HttpPost]

    public HttpResponseMessage Post([FromBody] Foo foo)

    {

        if (foo.bar !== user.bar){

            return;

    }


I am not the best c# programmer, so have no clue how this should be handled. While researching I stumbled upon Policies. So I already use a [Authenticated] tag above the controller, but based on if the foo.bar in this example is the same as me.bar I am not allowed to make this post. (So the authenticated tag is for authentication but I want to change the Authorization)



Is it possible that I can make a [Policy=("fooPoster")] and can use the body of the post in there to determine whether I am authorized or not to access the post, or can I only access the global state to determine it?






asp.net




asp.net






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked yesterday









Rowan de GraafRowan de Graaf

32




32













  • Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

    – Jabberwocky
    yesterday











  • @Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

    – Rowan de Graaf
    yesterday











  • Check this out stackoverflow.com/questions/35609632/…

    – Jabberwocky
    yesterday











  • Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

    – Rowan de Graaf
    yesterday



















  • Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

    – Jabberwocky
    yesterday











  • @Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

    – Rowan de Graaf
    yesterday











  • Check this out stackoverflow.com/questions/35609632/…

    – Jabberwocky
    yesterday











  • Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

    – Rowan de Graaf
    yesterday

















Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

– Jabberwocky
yesterday





Are you talking about something like this? docs.microsoft.com/en-us/aspnet/core/security/authorization/…

– Jabberwocky
yesterday













@Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

– Rowan de Graaf
yesterday





@Jabberwocky This was what I ran into, yes. This seems to be for asp.net core, but I also saw it somewhat modified. Nevertheless I have less experience with this and couldn't conclude if I would be able to use the body of the post for the policy, other than that you can feed it a function (but it might be redundant to put the authorise logic somewhere else than in the controller)

– Rowan de Graaf
yesterday













Check this out stackoverflow.com/questions/35609632/…

– Jabberwocky
yesterday





Check this out stackoverflow.com/questions/35609632/…

– Jabberwocky
yesterday













Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

– Rowan de Graaf
yesterday





Thank you! it seems to be a bit of overkill to try to fit it in there since its not just a field comparison!

– Rowan de Graaf
yesterday












1 Answer
1






active

oldest

votes


















0














You can try custom authorization. Refer to the code below.



    [HttpPost]

    [CustomAuthorization(Foo.bar)]

    public HttpResponseMessage Post([FromBody] Foo foo)

    {

        if (foo.bar !== user.bar)

        {

            return;

        }

    }







    public class CustomAuthorizationAttribute : AuthorizeAttribute

{

    private readonly string allowedroles;

    public CustomAuthorizationAttribute(string roles)

    {

        this.allowedroles = roles;

    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)

    {

        bool authorize = false;

        if (Me.bar != allowedroles)

        {

            authorize = true;

        }

        return authorize;

    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)

    {

        filterContext.Result = new HttpUnauthorizedResult();

    }

}


For more details you can go through here :






share|improve this answer























    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54251866%2fasp-net-authentication-post-policy%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    You can try custom authorization. Refer to the code below.



        [HttpPost]
    
    [CustomAuthorization(Foo.bar)]
    
    public HttpResponseMessage Post([FromBody] Foo foo)
    
    {
    
        if (foo.bar !== user.bar)
    
        {
    
            return;
    
        }
    
    }
    

    

    

    
    public class CustomAuthorizationAttribute : AuthorizeAttribute
    
{
    
    private readonly string allowedroles;
    
    public CustomAuthorizationAttribute(string roles)
    
    {
    
        this.allowedroles = roles;
    
    }
    
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    
    {
    
        bool authorize = false;
    
        if (Me.bar != allowedroles)
    
        {
    
            authorize = true;
    
        }
    
        return authorize;
    
    }
    
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    
    {
    
        filterContext.Result = new HttpUnauthorizedResult();
    
    }
    
}


    For more details you can go through here :






    share|improve this answer




























      0














      You can try custom authorization. Refer to the code below.



          [HttpPost]
      
    [CustomAuthorization(Foo.bar)]
      
    public HttpResponseMessage Post([FromBody] Foo foo)
      
    {
      
        if (foo.bar !== user.bar)
      
        {
      
            return;
      
        }
      
    }
      

      

      

      
    public class CustomAuthorizationAttribute : AuthorizeAttribute
      
{
      
    private readonly string allowedroles;
      
    public CustomAuthorizationAttribute(string roles)
      
    {
      
        this.allowedroles = roles;
      
    }
      
    protected override bool AuthorizeCore(HttpContextBase httpContext)
      
    {
      
        bool authorize = false;
      
        if (Me.bar != allowedroles)
      
        {
      
            authorize = true;
      
        }
      
        return authorize;
      
    }
      
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
      
    {
      
        filterContext.Result = new HttpUnauthorizedResult();
      
    }
      
}


      For more details you can go through here :






      share|improve this answer


























        0












        0








        0







        You can try custom authorization. Refer to the code below.



            [HttpPost]
        
    [CustomAuthorization(Foo.bar)]
        
    public HttpResponseMessage Post([FromBody] Foo foo)
        
    {
        
        if (foo.bar !== user.bar)
        
        {
        
            return;
        
        }
        
    }
        

        

        

        
    public class CustomAuthorizationAttribute : AuthorizeAttribute
        
{
        
    private readonly string allowedroles;
        
    public CustomAuthorizationAttribute(string roles)
        
    {
        
        this.allowedroles = roles;
        
    }
        
    protected override bool AuthorizeCore(HttpContextBase httpContext)
        
    {
        
        bool authorize = false;
        
        if (Me.bar != allowedroles)
        
        {
        
            authorize = true;
        
        }
        
        return authorize;
        
    }
        
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        
    {
        
        filterContext.Result = new HttpUnauthorizedResult();
        
    }
        
}


        For more details you can go through here :






        share|improve this answer













        You can try custom authorization. Refer to the code below.



            [HttpPost]
        
    [CustomAuthorization(Foo.bar)]
        
    public HttpResponseMessage Post([FromBody] Foo foo)
        
    {
        
        if (foo.bar !== user.bar)
        
        {
        
            return;
        
        }
        
    }
        

        

        

        
    public class CustomAuthorizationAttribute : AuthorizeAttribute
        
{
        
    private readonly string allowedroles;
        
    public CustomAuthorizationAttribute(string roles)
        
    {
        
        this.allowedroles = roles;
        
    }
        
    protected override bool AuthorizeCore(HttpContextBase httpContext)
        
    {
        
        bool authorize = false;
        
        if (Me.bar != allowedroles)
        
        {
        
            authorize = true;
        
        }
        
        return authorize;
        
    }
        
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        
    {
        
        filterContext.Result = new HttpUnauthorizedResult();
        
    }
        
}


        For more details you can go through here :







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered yesterday









        Piyali DasPiyali Das

        1




        1






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54251866%2fasp-net-authentication-post-policy%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Homophylophilia

            Image
            Haec pagina ad tempus protecta est ob maleficia perpetua. Quaesemus, emendationes suggere in pagina disputationis vel magistratum ad hanc deprotegendam pete. Homophylophilia Hyacinthus complexus ab amante suo Apolline, in pictura Mors Hyacinthi quam Jean Broc pinxit. Homophylophilia est sui sexus vel generis amor vel mores romantici vel sexuales, res venerea masculina in masculos, aut mulier in mulieres appetentes. Hoc ingenium sexuale est "exemplar permanens vel inclinatio ad experiendam sexualem, adfectionalem, vel romanticam vim attrahendi," praecipue vel solum ex hominibus eiusdem sexús; notio "etiam ad hominis iudicium identitatis privatae socialisque in illis attractionibus conditum refert, in moribus quoque qui illos exprimant, et in societate communitatis aliorum qui illos communicent." [1] [2] Per aevos alii aliter rem definiverunt, sed Occidentali nostrae aetatis cultu civili non tantum ad ipsa acta erotica spectat, sed etiam igitur
            Read more

            Updating UILabel text programmatically using a function

            Image
            0 so I am trying to update the UIlabel text using a func. I have seen few other questions like mine and I tried their method but it doesn't work. fun returns no value when used in the UIlabel. I have shown my code below.It has to be noted that when I use the function in viewdidload I can retrieve the data. lazy var name: UILabel = { let lb = UILabel() lb.text? = getthename() lb.lineBreakMode = NSLineBreakMode.byWordWrapping lb.textColor = .mainGreen lb.textAlignment = .left lb.font = UIFont.boldSystemFont(ofSize:12.0) return lb }() func getthename() -> String { var wins : String = "" let ud = (Auth.auth().currentUser?.uid) self.ref = Database.database().reference() self.ref.child("Users").child(ud!).observeSingleEvent(of: .value, with: {(snapshot) in
            Read more

            Cloud Functions - OpenCV Videocapture Read method fails for larger files from cloud storage

            Image
            0 I created a cloud function to read a video file from cloud storage and read frames and create an image for each frame. This function works for small files which is 1-2 MB, However, this method fails while reading larger file 130 MB. import cv2 from google.cloud import storage vidcap = cv2.VideoCapture("https://storage.googleapis.com/[bucker_name]/[filename.mp4]") if vidcap.isOpened(): vidcap.open("https://storage.googleapis.com/[bucker_name]/[filename.mp4]") success,image = vidcap.read() print(success) Expected the print will return true and an image will hold an image of a first frame. python-3.x function opencv cloud share | improve this question
            Read more