Custom authorization attribute not working in WebAPI

Question

 public class CustomAuthorizeAttribute : AuthorizationFilterAttribute
 {  
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
       return true;// if my current user is authorised
    }
 }

Above is my CustomAuthorizeAttribute Class and

[CustomAuthorize] // both [CustomAuthorize] and [CustomAuthorizeAttribute ] I tried 
public class ProfileController : ApiController
{
   //My Code..
}

When I'm calling

http://localhost:1142/api/Profile 

It is not firing CustomAuthorizeAttribute

More over My FilterConfig class is look like below

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {            
        filters.Add(new CustomAuthorizeAttribute());
    }
}

Please help if I miss something.

Answer 1

1. Looks like you are using an MVC filter instead of a Web API filter. It can be detected in the sample because it uses HttpContextBase. Instead use the filter from the System.Web.Http.Filters namespace.
2. You need to override OnAuthorization or OnAuthorizationAsync on the Web API filter.
3. You don't need to register a global filter and decorate your controller with it. Registering it will make it run for all controllers.

Web API filter code: https://aspnetwebstack.codeplex.com/SourceControl/latest#src/System.Web.Http/Filters/AuthorizationFilterAttribute.cs

Answer 2

YOur custom attribute should inherit from System.Web.Http.Filters.AuthorizationFilterAttribute

and it should look like this

using System.Web.Http.Controllers;
using System.Web.Http.Filters;
public class CustomAuthorizeAttribute : System.Web.Http.Filters.AuthorizationFilterAttribute
{   
    public override bool AllowMultiple
    {
        get { return false; }
    }

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        //Perform your logic here
        base.OnAuthorization(actionContext);
    }
}

Answer 3

Try with this.

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool IsAuthorized(System.Web.Http.Controllers.HttpActionContext actionContext)
    {
        return true;
    }
}

Answer 4

To add onto the other answers that have you inherit from System.Web.Http.Filters.AuthorizationFilterAttribute, I put this into my OnAuthorization method to make sure the user was logged in:

if (!actionContext.RequestContext.Principal.Identity.IsAuthenticated)
{
     // or whatever sort you want to do to end the execution of the request
     throw new HttpException(403, "Forbidden");
}