In this post, I want to outline in how to create your own Authorize tag and to make sure when you call JSON method with your custom authorize attribute to throw HTTP403 – Forbidden
1. You need to create your own Attribute inherits from AuthorizeAttribute
2. AuthorizeCore is the logic that defines whether you are authorized or not
3. OnAuthorization defines the behaviour when you are not authorized. In this case we want to throw HTTP 403 – forbidden. By doing this in your Javascript, you can catch this 403 error and throw friendly error message to the user
- public class CustomAuthorizeAttribute : AuthorizeAttribute
- {
- protected override bool AuthorizeCore(HttpContextBase httpContext)
- {
- if (httpContext == null) throw new ArgumentNullException(“httpContext”);
- return (SessionData.Member != null && SessionData.Member.MemberId > 0);
- }
- public override void OnAuthorization(AuthorizationContext filterContext)
- {
- base.OnAuthorization(filterContext);
- if (filterContext.Result == null)
- {
- return;
- }
- else if (filterContext.Result.GetType() == typeof(HttpUnauthorizedResult)
- && filterContext.HttpContext.Request.IsAjaxRequest())
- {
- filterContext.Result = new ContentResult();
- filterContext.HttpContext.Response.StatusCode = 403;
- }
- }
- }
You don’t need to do anything in your controller to implement HTTP403, it is all derived from the custom attribute, you just need to use the attribute and everything will be taken care of. Sample usage
- [CustomAuthorize]
- public ActionResult SaveJobJSON(int jobid)
- {
- string message = string.Empty;
- bool successful = false;
- JobsSavedService JobsSavedService = new JobsSavedService();
- successful = JobsSavedService.SavedJobForMember(jobid, ref message);
- JobsSavedService = null;
- return Json(new { successful = successful, message = message }, JsonRequestBehavior.AllowGet);
- }