Make AbpMvcAuthorizeFilter and AbpApiAuthorizeFilter overridable #1256

Closed
aricyu opened this issue Aug 3, 2016 · 17 comments

Comments

@aricyu
Contributor

aricyu commented Aug 3, 2016

In the previous version, there was no AbpMvcAuthorizeFilter.

There was only AbpMvcAuthorizeAttribute. And I overrode this and overrode OnAuthorization to redirect to a different page when unauthorized.

But in the latest version, I find that there are AbpMvcAuthorizeFilter and AbpMvcAuthorizeAttribute.
In AbpMvcAuthorizeFilter, _authorizationHelper.Authorize(methodInfo); has been called.

How can I override AbpMvcAuthorizeFilter or AbpMvcAuthorizeAttribute to redirect to a different page when unauthorized?

Thanks!

@hikalkan
Member

hikalkan commented Aug 3, 2016

Yes, it has changed. You can try to create a custom auth filter.

hikalkan changed the title from "About override AbpMvcAuthorizeFilter or AbpMvcAuthorizeAttribute" to "Make AbpApiAuthorizeAttribute and AbpApiAuthorizeFilter overridable" Aug 4, 2016
hikalkan changed the title from "Make AbpApiAuthorizeAttribute and AbpApiAuthorizeFilter overridable" to "Make AbpMvcAuthorizeFilter and AbpApiAuthorizeFilter overridable" Aug 4, 2016

@hikalkan
Member

hikalkan commented Aug 4, 2016

I changed the AbpApiAuthorizeAttribute and AbpApiAuthorizeFilter classes a bit to allow overriding methods. So, you can do the following to override AbpMvcAuthorizeFilter, for example:

  1. Create YourMvcAuthorizeFilter derived from AbpMvcAuthorizeFilter.
  2. Override any method you need in this class: https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.Web.Mvc/Web/Mvc/Authorization/AbpMvcAuthorizeFilter.cs#L14
  3. Remove AbpMvcAuthorizeFilter from MVC filters and add YourMvcAuthorizeFilter.
    To do that, in the PostInitialize method of your web module, remove AbpMvcAuthorizeFilter from GlobalFilters (example: GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter));). Then add your own (GlobalFilters.Filters.Add(IocManager.Resolve<YourMvcAuthorizeFilter>());).

Note: You can do the same for AbpApiAuthorizeFilter if you need to.

hikalkan added this to the v0.11.0 milestone Aug 4, 2016
hikalkan closed this as completed Aug 4, 2016

@aricyu
Contributor Author

aricyu commented Aug 4, 2016

great!
Thank you very much.

hikalkan modified the milestone: v0.11.0 Aug 4, 2016

@jzhouw
Contributor

jzhouw commented Jan 24, 2018

@hikalkan I tried the above solution and overrode the method below in my filter, but I can see in the logging that the default filter is still used when the AbpAuthorizationException is thrown, so my custom filter method does not seem to get a chance to run. (This is a project with Abp 2.2.2.) Has anything changed since the above post?

```
Abp.Authorization.AbpAuthorizationException:
...
at Abp.Web.Mvc.Authorization.AbpMvcAuthorizeFilter.OnAuthorization
```

```csharp
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext, MethodInfo methodInfo, AbpAuthorizationException ex)
{
    filterContext.Result = new RedirectResult("~/Home/NoPermission");
}
```

@ismcagdas
Member

@JamesAtGitHub how do you use your custom filter?

@jzhouw
Contributor

jzhouw commented Jan 24, 2018

@ismcagdas I just followed step 3 in the above comment from hikalkan

@ismcagdas
Member

@JamesAtGitHub sorry :). Can you try GlobalFilters.Filters.Insert(0,IocManager.Resolve<YourMvcAuthorizeFilter>()); ?

@jzhouw
Contributor

jzhouw commented Jan 25, 2018

@ismcagdas it still doesn't work; this is the method:

```csharp
public override void PostInitialize()
{
    GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter));
    GlobalFilters.Filters.Add(IocManager.Resolve<MyMvcAuthorizeFilter>(), 0);
}
```

@ismcagdas
Member

@JamesAtGitHub what are the values in GlobalFilters.Filters after the line GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter)); is executed? Can you debug and see?

@jzhouw
Contributor

jzhouw commented Jan 25, 2018

@ismcagdas OK, two issues found:

  1. The number of filters didn't change before and after the Remove method was called.
  2. After the Add method was called, my custom filter was the last one of the filters instead of the first one as expected.

@Swimburger

Swimburger commented Jul 27, 2018

@JamesAtGitHub I ran into the same issue, though totally unrelated to this project.
Try GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter).Instance);.

When I passed in the Instance to the Remove function it worked, it makes sense because you pass the instance to the Add function, so we should pass it to the Remove function as well.
It's unfortunate MSFT doesn't provide more details/documentation on the Remove method.

@jzhouw
Contributor

jzhouw commented Jul 30, 2018

@ismcagdas I tried @Sniels's suggestion and can see my custom filter added to the global filters, but when trying to access a page without permission, the HandleUnauthorizedRequest method in my custom filter wasn't triggered. Any suggestion or other way to try, so that I can make a global handler to deal with unauthorized requests and show a user-friendly message?

@ismcagdas
Member

@JamesAtGitHub could you show how you add your custom AuthFilter? And its code, if possible?

@jzhouw
Contributor

jzhouw commented Jul 30, 2018

Here's the code @ismcagdas:

```csharp
public override void PostInitialize()
{
    var defaultFilter = GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter).Instance;
    GlobalFilters.Filters.Remove(defaultFilter);
    GlobalFilters.Filters.Add(IocManager.Resolve<MyMvcAuthorizeFilter>(), 0);
}
```

@acjh
Contributor

acjh commented Aug 12, 2018

Set a lower order:

```csharp
GlobalFilters.Filters.Add(IocManager.Resolve<MyMvcAuthorizeFilter>(), order: -2);
```

@jzhouw
Contributor

jzhouw commented Aug 15, 2018

this works @acjh thanks!

@jzhouw
Contributor

jzhouw commented Aug 15, 2018

Hmm, further: this works with an anonymous user trying to access protected actions, but it does not work when an authenticated user tries to access controllers/actions without permission granted with AbpMvcAuthorize.
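
The registration steps worked out in this thread (remove the default filter by its instance, then add the replacement with an explicit order), as an added example that is not code from ABP or from any commenter. `GlobalFilterReplacer` and `Replace` are hypothetical names; it assumes ASP.NET MVC 5's `GlobalFilterCollection`, whose `Remove` compares its argument against `Filter.Instance`, and it throws at startup rather than leaving an unexpected authorization filter registered.

```csharp
using System;
using System.Linq;
using System.Web.Mvc;

// Hypothetical helper (added example), not part of ABP or ASP.NET MVC.
public static class GlobalFilterReplacer
{
    // Swaps the single global filter of type TOld for `replacement` and
    // throws if the collection does not end up in the expected state.
    public static void Replace<TOld>(GlobalFilterCollection filters, object replacement, int order)
        where TOld : class
    {
        if (filters == null) throw new ArgumentNullException(nameof(filters));
        if (replacement == null) throw new ArgumentNullException(nameof(replacement));

        // The collection enumerates Filter wrappers; the registered object is
        // Filter.Instance. ToList() snapshots the matches before any removal.
        var oldInstances = filters.Select(f => f.Instance).OfType<TOld>().ToList();
        if (oldInstances.Count != 1)
            throw new InvalidOperationException(
                $"Expected exactly one {typeof(TOld).Name}, found {oldInstances.Count}.");

        // Remove() matches on Filter.Instance, so passing the Filter wrapper
        // itself removes nothing and raises no error.
        filters.Remove(oldInstances[0]);
        if (filters.Any(f => f.Instance is TOld))
            throw new InvalidOperationException($"{typeof(TOld).Name} is still registered.");

        filters.Add(replacement, order);

        // Confirm the replacement is present exactly once with the requested order.
        var added = filters.Single(f => ReferenceEquals(f.Instance, replacement));
        if (added.Order != order)
            throw new InvalidOperationException("Replacement was registered with an unexpected order.");
    }
}

// In the web module's PostInitialize(), with the names used in this thread:
// GlobalFilterReplacer.Replace<AbpMvcAuthorizeFilter>(
//     GlobalFilters.Filters, IocManager.Resolve<MyMvcAuthorizeFilter>(), order: -2);
```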
