Authorization filter in ASP.NET CORE MVC
Authorization filter is used to authenticate whether the user request is authorized or not for accessing the resource.
Authorization filter run before any other filter.
Let’s create a Custom AuthorizationFilter with name ‘CustomAuthorizationFilterAttribute‘ and we are going to inherit with IAuthorizationFilter interface and implement OnAuthorization method in this method we are going to check Session which has UserRole Value in it. if the value is null then we will redirect it to an error page and another condition is If Session Value does not contain Admin role still, they will redirect it to an error page.
Code Snippet of CustomAuthorizationFilterAttribute
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;
using System;
namespace WebApplication4.Filters
{
public class CustomAuthorizationFilterAttribute : Attribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationFilterContext context)
{
string currentUserRole = Convert.ToString(context.HttpContext.Session.GetString("UserRole"));
if (!string.IsNullOrEmpty(currentUserRole))
{
if (currentUserRole != "Admin")
{
context.Result = new RedirectToRouteResult
(
new RouteValueDictionary(new
{
action = "Error",
controller = "Error"
}));
}
else
{
context.Result = new RedirectToRouteResult
(
new RouteValueDictionary(new
{
action = "Error",
controller = "Error"
}));
}
}
else
{
context.Result = new RedirectToRouteResult
(
new RouteValueDictionary(new
{
action = "Error",
controller = "Error"
}));
}
}
}
}How to Apply Filter on Controller
using System;
using Microsoft.AspNetCore.Mvc;
using WebApplication4.Filters;
namespace WebApplication4.Controllers
{
[TypeFilter(typeof(CustomAuthorizationFilterAttribute))]
public class DefaultController : Controller
{
public IActionResult Index()
{
return View();
}
}
}