I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.
It is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it?
Or is there any suggestion?
UPDATE:
The external site has the credential info that is needed for my site's authorization. Shortly, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks to the link, a userid will be sent through the link. Based on the userid I will go through an authorization
process on which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid
however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider and assign the roles associated with the userid and place role annotators to the controllers. As stated above I am not sure if it is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it? Or Can I use the constructor of the controller for this purpose?
Related
I am using the spring security plugin and thus am able to make use of the method springSecurityService.currentUser to access the current logged in user. However, i assume that obtaining the current user within each controller action and then performing actions based on the returned user is not the recommended best practise.
Examples:
logged in user clicks link to their profile page - controller obtains current user and returns data to populate profile page for this user.
logged in user changes status on profile page - controller obtains current user, from this finds their profile and then updates the status on this profile.
ETC
This should ensure that a user accessing a page is who they say they are - as there is no passing of User Id or other identifying information from a client. However, obtaining the user in each action seems wrong, and i havent seen many examples of code which do this. Should I be using filters to intercept requests or some other flow/practise?
springSecurityService.currentUser exists for that exact purpose. The reason you need to retrieve the current user each time is because controller actions are stateless. Yeah, there's a session at play which maintains some state, but what I mean is that there's no direct transfer of state from one controller action to another. So, it is in fact best practice to obtain the current user each time.
What happens is the client provides a cookie, usually named JSESSIONID, to Grails. Grails then uses that to restore any session data, which essentially leads to springSecurityService.currentUser being able to provide the current user. So while the client does not pass the user ID, it does pass a session ID, which indirectly is identifying information.
I'm currently building a web shop (which is supposed to support multi tenancy).
So my approach is to have a url setup like
appName/shops/shop1/controller/action
appName/shops/shop2/controller/action
Depending on the shop (shop1 or shop2) I have a different assortment. Then I have a list with items and a button to add them to the shopping cart. This action is secured an only accessible for logged in users.
My Problem is the following:
Default behaviour when clicking the "secured" button is to get redirected to appName/login/auth. This way I'm losing context of the shop that the user was browsing. I'm not sure if I can provide the context/shop to the auth process in a way that I can redirect to the respective shop after a successfull log in.
Another approach would be to provide a custom button instead that redirects to the login page if the user is not logged in which provides the context/shop name.
You can use the following scheme for the urls instead:
shop1.appName/controller/action, shop2.appName/controller/action. The login urls for each of the subdomains (shop1, shop2) will be: shop1.appName/login/auth, shop2.appName/login/auth. This way the context will never be lost. In case, you want the logged in user also is able to access appname/otherController/action as well (without logging in again), you may need to do something like this: http://www.intelligrape.com/blog/2012/03/21/sharing-http-session-between-subdomains/
I've designed a mvc view in my MVC4 website which allows members to update their user details. This works ok using MVC but if i create a partial view which allows users to update their address for example using AJAX. How can i apply a level of security to determine that user x can only update userx's account. And not allow a user to login as user x and then spoof a post and update user y's account?
Regardless if your controller is an MVC controller or a WebApi controller, after the user authenticates and the Principal is set in the current thread, all you have to do is check that the user in the current context:
HttpContext.User
Is the one the data being edited belongs to.
Usually the username is populated on
HttpContext.User.Identity.Name
If the username of the user being edited is different than the authenticated user, just throw and InvalidOperationException.
I know that I can use annotation or Request mapping to restrict access to an ACTION by some specific ROLES. But now I have a different circumstance.
My scenario is: every user of my site can create posts, and they can make their own post public, private, or only share to some other users. I implement sharing post by a database table PERMISSION, which specify if a user have the right to view a post or not.
The problem arises here is that when a customer access a post through a direct link, how can I determine he/she have the privilege to view it? There's 3 circumstances:
The post is public, so it can be viewed by anyone (include not-login
user)
The post is private, so only the login-owner can view it
The post is sharing, it means only the login-user that is shared and the
owner can view it.
I want to process like this:
If the requested post is public: ok.
If the requested post is private/sharing: I want to redirect
the customer to the login page; after
logging in, the user will be re-direct
to the page he wants to see.
The problem here is that I can redirect the user to login controller/ auth action, but after that I don't know how to redirect it back. The link to every post is different by post_id, so I can't use SpringSecurityUtils.securityConfig.successHandler.defaultTargetUrl
Could anyone know a way to do this?
Dunno about grails, but spring security has a spring-security-redirect parameter which can be used to redirect the user to the specified url on successful authentication.
I think you could add your own filter that will be executed before the action is called and do the verification of the post permissions there. You can find more information about Grails Filters here.
Have you looked at the Grails Spring Security ACL plugin? I don't know it very well, but it's designed to restrict access to particular instances:
http://grails.org/plugin/spring-security-acl
I have found a quick workaround for this problem:
If the user is logged in: check the user's privilege, and return the appropriate result.
If the user is not logged in: At view action, set the post_id by:
session.post_id = 8
Redirect the user to the Login Controller/ Auth action.
At checkrole action(which is my grails.plugins.springsecurity.successHandler.defaultTargetUrl in Config.groovy), if session.post_id exists, use it to build the link for re-directing to the view action. Before redirecting, clear the session.post_id.
I know I can use the attribute [Authorize(Roles="client")] to make sure that only authenticated clients can access a page. But after that, how can I access this user's personal data? How do I programmatically get that user's account ID from that action controller?
For example, on Stack Overflow, how does my personal account page access my personal data which is stored in a database?
So far, googling "authentication", "authorization" only helped me limit access to a controller action, not how to access that user's stuff.
Assuming you're using the membership provider (which I'd assume so if you're using the attribute), the simplest way is:
var membership_user = Membership.GetUser();
which will return a MembershipUser for the currently logged-in user. From that, you can access any profile information you've set up, and also get the primary key to access anything else you've set up.
James