Authentication and Authorization for SignalR Persistent Connections

By Tom FitzMacken and Patrick Fletcher
This topic describes how to enforce authorization on a persistent connection. For general information about integrating security into a SignalR application, see Introduction to Security.

Software versions used in this topic


Previous versions of this topic

For the SignalR 1.x version of this topic, see Authentication and Authorization for SignalR Persistent Connections (SignalR 1.x).

Enforce authorization

To enforce authorization rules when using a PersistentConnection you must override the AuthorizeRequest method. You cannot use the Authorize attribute with persistent connections. The AuthorizeRequest method is called by the SignalR Framework before every request to verify that the user is authorized to perform the requested action. The AuthorizeRequest method is not called from the client; instead, you authenticate the user through your application's standard authentication mechanism.

The example below shows how to limit requests to authenticated users.

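using Microsoft.AspNet.SignalR;

public class AuthenticatedConnection : PersistentConnection
{
    // Called by SignalR before every request on this connection.
    protected override bool AuthorizeRequest(IRequest request)
    {
        // request.User can be null when no authentication mechanism has set a principal.
        return request.User != null && request.User.Identity.IsAuthenticated;
    }
}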

You can add any customized authorization logic in the AuthorizeRequest method, such as checking whether a user belongs to a particular role.
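One way to implement the role check mentioned above, as an added example that is not part of the original topic. The class name, the role names "Admin" and "Operator", and the "/admin-feed" path are assumptions chosen for illustration.

```csharp
using System.Linq;
using Microsoft.AspNet.SignalR;
using Owin;

public class RoleRestrictedConnection : PersistentConnection
{
    // Assumed role names; replace with the roles your application defines.
    private static readonly string[] AllowedRoles = { "Admin", "Operator" };

    protected override bool AuthorizeRequest(IRequest request)
    {
        var user = request.User;

        // Deny by default: no principal, or an anonymous principal.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            return false;
        }

        // Allow only when the authenticated user holds at least one allowed role.
        return AllowedRoles.Any(user.IsInRole);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Any OWIN authentication middleware must be registered before this line
        // so that request.User is populated when AuthorizeRequest runs.
        app.MapSignalR<RoleRestrictedConnection>("/admin-feed");
    }
}
```

Because AuthorizeRequest runs before every request, a user who loses the role is rejected on the next request rather than only at connect time, provided the principal presented with that request reflects the change.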

Author Information

Tom FitzMacken is a Senior Programming Writer on the Web Platform & Tools Content team.

Patrick Fletcher is a programmer-writer on the ASP.NET team, currently working on SignalR.