Question

I'm guessing that by default the [Authorize] attribute checks for a non null object that implements IPrincipal?

Am I on the right track?

Solution

Am I on the right track?

Yes, you are. To be sure, you can take a look at the code that implements [Authorize]:

protected virtual bool IsAuthorized(HttpActionContext actionContext)
{
    if (actionContext == null)
    {
        throw Error.ArgumentNull("actionContext");
    }

    IPrincipal user = Thread.CurrentPrincipal;
    if (user == null || !user.Identity.IsAuthenticated)
    {
        return false;
    }

    if (_usersSplit.Length > 0 && !_usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
    {
        return false;
    }

    if (_rolesSplit.Length > 0 && !_rolesSplit.Any(user.IsInRole))
    {
        return false;
    }

    return true;
}
Licensed under: CC-BY-SA with attribution
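
The decision order of the quoted method, as an added example that is not part of the original answer or of the ASP.NET source: a console program that applies the same three checks to constructed principals, including a non-null principal that is not authenticated. The names `AuthorizeCheckDemo`, `IsAuthorized(user, users, roles)` and `Expect` are hypothetical; `users` and `roles` stand in for `_usersSplit` and `_rolesSplit`.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

static class AuthorizeCheckDemo
{
    // Hypothetical helper: same checks, same order, as the quoted IsAuthorized.
    static bool IsAuthorized(IPrincipal user, string[] users, string[] roles)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            return false;                       // 1. must be an authenticated identity
        if (users.Length > 0 && !users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return false;                       // 2. name must be in Users, if Users is set
        if (roles.Length > 0 && !roles.Any(user.IsInRole))
            return false;                       // 3. any one listed role is enough, if Roles is set
        return true;
    }

    // Throws if the outcome differs from what the check order implies.
    static void Expect(bool expected, bool actual, string label)
    {
        if (expected != actual)
            throw new InvalidOperationException("unexpected result: " + label);
        Console.WriteLine("{0,-45} {1}", label, actual ? "allowed" : "denied");
    }

    static void Main()
    {
        var none = new string[0];
        // Constructed sample principals. A GenericIdentity with an empty name
        // is a non-null IPrincipal/IIdentity whose IsAuthenticated is false.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), none);
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Auditor" });

        Expect(false, IsAuthorized(null, none, none), "null principal");
        Expect(false, IsAuthorized(anonymous, none, none), "non-null but unauthenticated");
        Expect(true, IsAuthorized(alice, none, none), "authenticated, no Users/Roles");
        Expect(true, IsAuthorized(alice, new[] { "ALICE" }, none), "Users match is case-insensitive");
        Expect(false, IsAuthorized(alice, new[] { "bob" }, none), "not in Users");
        Expect(false, IsAuthorized(alice, none, new[] { "Admin" }), "lacks the only listed role");
        Expect(true, IsAuthorized(alice, none, new[] { "Admin", "Auditor" }), "has one of the listed roles");
        Expect(false, IsAuthorized(alice, new[] { "bob" }, new[] { "Auditor" }), "role ok, but not in Users");
    }
}
```

The last case shows that Users and Roles are combined with AND: satisfying the role list does not compensate for a missing user name.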