Conditional OR with AuthorizationFilterAttributes in ASP.NET Web API 2

Question

I am writing a controller action that can be accessed by one of two groups of users; each group has it's own implementation of AuthorizationFilterAttribute containing custom logic defining how the group be authorized. I want to be able to use a conditional OR to determine that at least one of the attributes authorization filter has been met.

I was hoping that I would be able to do something like this:

public class ConfigController : ApiController
    {
        [AdminAuthorize || DealRoomAuthorizeAttribute]
        public IHttpActionResult GetBlah()
        {
            return Ok();
        }
    }

But no luck! Any ideas on how this can be acheived?

Answer 1

You cannot do the OR directly because of the way the authorization attributes work: they "cut" the pipeline if the authorization fails, so, if the first one fails it will stop the pipeline, and the other won't have the chance to be executed.

You need to implement your own authorization attribute that makes the OR yourself. It's very easy to implement, because you simply have to reuse the logic of the existing attributes. In fact, you can inherit one of them, and override the derired methods, at least OnAuthorization , by reusing the exiting logic.

More details:

• AuthorizeAttribute Class
• ASP.NET Web API Security Filters
• CodeProject WebAPI Security – Custom Authorization Filters