Bypass or turn off [Authorize(Roles="")] during development?

You could write a custom Authorize filter which will not perform any checks if the request is coming from localhost:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext.Request.Url.IsLoopback)
        {
            // It was a local request => authorize the guy
            return true;
        }

        return base.AuthorizeCore(httpContext);
    }
}

You can inherit from AuthorizeAttribute and separate realizations with #if DEBUG directive.

public class MyAuthorizeAttribute: AuthorizeAttribute
{
#if DEBUG
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return true;
    }
#endif
}

Or #define YOUR_OWN_FLAG to turn behavior on and off in any build, debug or release.

For Web API:

public class MyAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        return actionContext.Request.RequestUri.IsLoopback || base.IsAuthorized(actionContext);
    }
}

Bypass or turn off [Authorize(Roles="")] during development?

Tags:

C#

Asp.Net Mvc

Authorization

Asp.Net Mvc 3

Authorize Attribute

Related

Recent Posts