Authorization in ASP.NET Core MVC

As in earlier versions of MVC, ASP.NET Core MVC provides the Authorize attribute, which checks that the user is authenticated.

When the Authorize attribute is applied to a controller, it applies to every action method in that controller. The user must be logged in to access any of the controller's action methods.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Every action in this controller requires an authenticated user,
// except those explicitly marked with [AllowAnonymous]
[Authorize]
public class HomeController : Controller
{
    // Anonymous users may still reach this action
    [AllowAnonymous]
    public ViewResult Details(int? id)
    {
        return View();
    }

    public ViewResult Create()
    {
        return View();
    }

    public ViewResult Edit(int id)
    {
        return View();
    }
}

The Authorize attribute can also be applied to individual action methods.
The AllowAnonymous attribute allows anonymous access to an action even when the controller requires authorization.

Apply Authorize attribute globally

To apply the [Authorize] attribute globally to all controllers and controller actions throughout the application, modify the ConfigureServices method of the Startup class so that an AuthorizeFilter requiring an authenticated user is registered as a global filter.

public void ConfigureServices(IServiceCollection services)
{
    // Other Code

    services.AddMvc(config => {
        // Policy: the request must come from an authenticated user
        var policy = new AuthorizationPolicyBuilder()
                        .RequireAuthenticatedUser()
                        .Build();
        // Registering the filter globally applies the policy to every action
        config.Filters.Add(new AuthorizeFilter(policy));
    });

    // Other Code
}
  • AuthorizationPolicyBuilder is in Microsoft.AspNetCore.Authorization namespace 
  • AuthorizeFilter is in Microsoft.AspNetCore.Mvc.Authorization namespace

To exclude a controller or action method from the global policy, use the [AllowAnonymous] attribute.

In addition to this simple authorization, ASP.NET Core supports role-based, claims-based and policy-based authorization.


What is an Open Redirect Vulnerability

Most web applications redirect users to a login page when they request a resource that requires authentication, and after login send them back to the URL they originally requested, which is passed along as a query string parameter. If that parameter is not validated, an attacker can craft a link whose return URL points to a site they control. An example is as follows:
  • The user logs in successfully on the authentic site and is then redirected to the attacker's website.
  • The login page of the attacker's website looks exactly like the authentic site.
  • The user logs in again on the attacker's website.
  • The user is then redirected back to the authentic site.
  • During this entire process, the user does not even know that their credentials have been stolen.

Prevent open redirect attacks in ASP.NET Core

Simply redirecting to the supplied return URL without any validation is what makes the application vulnerable to open redirect attacks. To prevent such attacks, check that the provided URL is a local URL, or only redirect to known, trusted websites.

ASP.NET Core has built-in support for local redirection. Use the LocalRedirect() method as follows; if a non-local URL is specified, an exception is thrown when the result executes.

public IActionResult Login(string returnUrl)
{
    // Only local URLs are accepted; anything else throws
    return LocalRedirect(returnUrl);
}

To check whether the provided URL is a local URL before redirecting, use the Url.IsLocalUrl() method and fall back to a known page otherwise.

public IActionResult Login(string returnUrl)
{
    // IsLocalUrl returns false for null, empty, absolute and
    // protocol-relative ("//host") URLs
    if (Url.IsLocalUrl(returnUrl))
    {
        return Redirect(returnUrl);
    }
    else
    {
        // Safe fallback instead of following an untrusted URL
        return RedirectToAction("index", "home");
    }
}
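As an added example (not code from the original article), the following stand-alone program re-implements the rule that ASP.NET Core's Url.IsLocalUrl() applies, so the inputs it rejects can be inspected without hosting an application; the sample return URLs, the ReturnUrlCheck class and the "/home/index" fallback route are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class ReturnUrlCheck
{
    // Mirrors the rule behind Url.IsLocalUrl(): accept "/" or "/path" and "~/" or
    // "~/path"; reject everything else, including "//host" (protocol-relative) and
    // "/\host" (browsers normalise the backslash to "//host"), so that a plain
    // StartsWith("/") check would still let the redirect leave the site.
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        if (url[0] == '/')
        {
            if (url.Length == 1) return true;
            return url[1] != '/' && url[1] != '\\' && !HasControlCharacter(url.AsSpan(1));
        }

        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            if (url.Length == 2) return true;
            return url[2] != '/' && url[2] != '\\' && !HasControlCharacter(url.AsSpan(2));
        }

        return false;
    }

    // Control characters (CR, LF, tab, ...) are rejected as well
    private static bool HasControlCharacter(ReadOnlySpan<char> s)
    {
        foreach (char c in s)
            if (char.IsControl(c)) return true;
        return false;
    }

    // Destination actually used for the redirect: the supplied value only if local,
    // otherwise an assumed in-app fallback route
    public static string SafeReturnUrl(string? returnUrl) =>
        IsLocalUrl(returnUrl) ? returnUrl! : "/home/index";

    public static void Main()
    {
        // Constructed sample values a returnUrl query parameter might carry
        var samples = new List<string?> { "/account/details?id=7", "~/orders", "//attacker.example/login",
            "/\\attacker.example", "https://attacker.example/login", "/\r\nx", null };
        foreach (var s in samples)
            Console.WriteLine($"{s ?? "<null>",-32} local={IsLocalUrl(s),-5} redirect->{SafeReturnUrl(s)}");
    }
}
```

Only the first two samples are treated as local; the rest are sent to the fallback route.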
