Did you ever wonder how to implement your own C# custom Authorize attribute on your REST API controller or controller methods?
In the past, during my first years as a junior / medior developer, I used PostSharp to implement my own authorization layer in REST API controllers. While learning this powerful tool, I fell in love with .NET attributes. They help keep the code clean, and they help the developer stay focused on business code instead of being polluted by purely technical maintenance code.
Digging further into the process, I also discovered how it works, and that there are a lot of AOP frameworks.
Years have passed, and I had to implement my own authorize attribute again. Imagine!
People: Hey Dany, is it possible to implement our own C# custom Authorize attribute?
Me: Sure, I already did that, and PostSharp is our best friend! …
Me: But it’s not free …
People: Ah …
Do we really have to pay to implement our C# custom Authorize attribute?
The answer is definitely NO!
There are multiple frameworks to help you do weaving. But to create a C# custom auth attribute, we don’t even need that.
Inherit class and override the AuthorizeCore method.
All you have to do is create a class that inherits from AuthorizeAttribute, then override the AuthorizeCore method and implement the way you want to validate access to your method. AuthorizeCore is a member of System.Web.Mvc.AuthorizeAttribute (ASP.NET MVC); the AuthorizeAttribute in Microsoft.AspNetCore.Authorization has no such method to override, so the code below uses the System.Web.Mvc namespaces.
```csharp
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Implement validation.
        // Placeholder: returning true lets every request through.
        return true;
    }
}
```
Now use your C# custom Authorize attribute
Now that you have implemented your own authorize attribute, you can simply use it on your controller or on its methods to control access when your API’s methods are called.
```csharp
[MyAuthorize]
public class MyController : Controller
{
    // Some stuff
}
```
To go further
As with any .NET C# attribute, you can pass arguments to the constructor of your custom attribute and use them later. With that said, you can simply implement role permissions, for example.
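```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class MyAuthorizeAttribute : AuthorizeAttribute
{
    // Allowed role names, kept as a set so the check is an exact match.
    // A comma-joined string tested with Contains would let "Admin" match "SuperAdmin".
    protected readonly HashSet<string> roles;

    public MyAuthorizeAttribute(params SecurityRole[] roles) =>
        this.roles = new HashSet<string>(roles.Select(r => r.ToString()), StringComparer.Ordinal);

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = GetUser(); // Implement the way to get the user.

        // Refuse access when no user could be resolved.
        return user != null && this.roles.Contains(user.Role);
    }
}
```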
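One way to fill in the user lookup left open above, as an added example that is not the author's code: it reads the principal from httpContext.User, checks roles with IsInRole, and answers 403 instead of 401 when an authenticated caller lacks the role. The names RoleAuthorizeAttribute and ReportsController and the SecurityRole values are assumptions made for the illustration.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Assumed enum: the page uses SecurityRole without defining it.
public enum SecurityRole { Reader, Admin, SuperAdmin }

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class RoleAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] allowed;

    public RoleAuthorizeAttribute(params SecurityRole[] roles) =>
        allowed = roles.Select(r => r.ToString()).ToArray();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The principal is whatever the authentication module attached to this request.
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false; // anonymous callers are always refused

        // IsInRole compares whole role names, so "Admin" does not match "SuperAdmin".
        // An attribute declared without any role grants nothing (fail closed).
        return allowed.Any(user.IsInRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Known caller with the wrong role: 403. Unknown caller: keep the default 401.
        if (filterContext.HttpContext.User?.Identity?.IsAuthenticated == true)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage: one class-level rule covers every action of the controller.
[RoleAuthorize(SecurityRole.Admin, SecurityRole.SuperAdmin)]
public class ReportsController : Controller
{
    public ActionResult Index() => Content("ok");
}
```

Keeping the role list in a readonly field set by the constructor means the attribute holds no per-request state, so it stays correct if the framework reuses one attribute instance across requests.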
The possibilities are infinite, and now that you know a bit more about .NET attributes, you can start to dig into this concept, think outside the box, and dream about weaving.
What about creating a .NET C# attribute to log access and usage of methods?