授权标记在其他DLL中不起作用

Question

I have two projects

• Web Api
• DLL Class Library

The Web Api references classes and methods in the DLL. The Web Api also uses out of the box ASP.NET Identity for security.

The Web Api controller methods are secured with [Authorize] tags as shown below:

[Authorize]
[HttpGet]        
[Route("", Name = "GetStuff")]        
public IHttpActionResult Get()        
{            
List<Stuff> Stuffs= LookUpBusinessLogic.StuffGetAll();            
return Ok(Stuffs);        
}

The DLL also has these tags securing its method calls as such:

[Authorize]
public static List<Stuff> StuffGetAll()        
{
//Get data from somewhere
...            
return Stuffs;        
}

The problem I am facing is that the authorize tag is not working in the DLL method.

It is possible that I am completely missing how the calling user's identity gets passed through. I'd like to ask:

Does the calling users identity get passed between DLLs?

If not is there a way to secure the DLL methods based on the user identity in my example?

Answer 1

[Authorize] is an attribute which should be used only with action methods. It won't be triggered for your custom static method.

Look at its signature:

[AttributeUsageAttribute(AttributeTargets.Class|AttributeTargets.Method, Inherited = true, 
AllowMultiple = true)]
public class AuthorizeAttribute : FilterAttribute, IAuthorizationFilter

Since it inherits from FilterAttribute you know it can be triggered eg for OnActionExecuting and OnActionExecuted methods of filter.

Your code is compiling because this attribute allows usage in methods. This doesn't mean it has any functionality when used outside controller context.

To be honest I don't understand your need of allowing DLL access for specific users. If this is some kind of class library, you should check access only in classes which are using methods from external DLL.