How to use PageOutPut Caching in MVC with Authorize attribute - asp.net-mvc

We are using [Authorize] attribute on base controller which redirects each unauthenticated user to log in page and grants the access to every authenticated user which is working as expected. We are also using Azure managed cache service / distributed cache service to store certain data. Now we are trying to use the Page Output caching in some places but getting the exception below:
When using a custom output cache provider like 'AFCacheOutputCacheProvider', only the following expiration policies and cache features are supported: file dependencies, absolute expirations, static validation callbacks and static substitution callbacks.
at System.Web.Caching.OutputCache.InsertResponse(String cachedVaryKey, CachedVary cachedVary, String rawResponseKey, CachedRawResponse rawResponse, CacheDependency dependencies, DateTime absExp, TimeSpan slidingExp)
at System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I did search around this and found many posts mentioning that you should never use the Authorize attribute with page output caching, because of the logical reason that caching will not let you see the content of other users.
Here are a few links which we have already referred to, you can check those here and here - Why can't I combine [Authorize] and [OutputCache] attributes when using Azure cache (.NET MVC3 app)?
Isn't it the common requirement in applications where you have action methods protected with authorize attribute but you still want to cache the output of action methods (varying by params)?

Related

ServiceStack authentication with MVC Controllers

I've followed the samples in SocialBootstrapApi for ServiceStack but I don't get how the redirects are wired up. When I go to the Secured controller being unauthenticated I get redirected back to the index page. I was unable to replicate the behaviour in my own application. I did not find where these wirings are done - can't find them in SocialBootstrapApi's web.config?
I've inherited from the ServiceStackController<AuthUserSession> and put [Authenticate] on my base controller. This is the error I get:
[NullReferenceException: Object reference not set to an instance of an object.]
ServiceStack.ServiceInterface.SessionExtensions.SessionAs(ICacheClient cache, IHttpRequest httpReq, IHttpResponse httpRes) +90
ServiceStack.Mvc.ServiceStackController.SessionAs() +64
ServiceStack.Mvc.ServiceStackController`1.get_UserSession() +36
ServiceStack.Mvc.ServiceStackController`1.get_AuthSession() +5
ServiceStack.Mvc.ExecuteServiceStackFiltersAttribute.OnActionExecuting(ActionExecutingContext filterContext) +97
This is what I have in the AppHost.cs file:
//Enable Authentication
ConfigureAuth(container);
//Register In-Memory Cache provider.
//For Distributed Cache Providers Use: PooledRedisClientManager, BasicRedisClientManager or see: https://github.com/ServiceStack/ServiceStack/wiki/Caching
container.Register<ICacheClient>(new MemoryCacheClient());
container.Register<ISessionFactory>(c =>
new SessionFactory(c.Resolve<ICacheClient>()));
ConfigureAuth() is similar to the SocialBootstrapApi sample (not exactly the same but close) - I don't think there's something missing here.
So how does this work?
Promoting comment to an answer, per OPs request:
Did you set your IoC for your MVC controller? ControllerBuilder.Current.SetControllerFactory(new FunqControllerFactory(container));
Look at this question to see how to change the HtmlRedirect used by ServiceStack's Authentication.
You may also find the CustomAuthenticationMvc project in ServiceStack UseCases more useful since it only focuses on Authentication in MVC.

asp.net mvc output cache, can i cache a result that will be different for different users?

I have read a few different things, and it sounds like output cache will not cache a different copy of results for each user. So if user A has 3 menus and user B only has access to 1 of them, then caching the view result would show all 3?
How can I cache things for each user so that it's not shared?
Thanks!
Use VaryByCustom and redefine HttpApplication.GetVaryByCustomString:
// In Global.asax.cs: must be "override" so ASP.NET calls this instead of the base implementation
public override string GetVaryByCustomString(
HttpContext context,
string custom
)
{
//Return a value unique per user
//Change depending on the authentication of your site (f.e. make use of Session)
return context.User.Identity.Name;
}
http://msdn.microsoft.com/en-us/library/system.web.httpapplication.getvarybycustomstring.aspx
http://asp.net-tutorials.com/caching/more-output-cache/
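The VaryByCustom approach from the answer above, wired up end to end. This is an added example, not code from the original answers; the "user" key, the "auth:"/"anon" prefixes and MenuController are hypothetical names.

```csharp
// Global.asax.cs plus one controller (added example; names are assumptions).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.UI;

public class MvcApplication : HttpApplication
{
    public override string GetVaryByCustomString(HttpContext context, string custom)
    {
        // Only answer for our own key; anything else goes to the default handling.
        if (!string.Equals(custom, "user", StringComparison.OrdinalIgnoreCase))
            return base.GetVaryByCustomString(context, custom);

        IIdentity identity = context.User != null ? context.User.Identity : null;

        // Each signed-in user gets a separate cache entry. Anonymous visitors
        // share one entry; the prefixes stop a user literally named "anon"
        // from colliding with the anonymous entry.
        return identity != null && identity.IsAuthenticated
            ? "auth:" + identity.Name
            : "anon";
    }
}

public class MenuController : Controller
{
    // VaryByCustom = "user" makes the cache key include the string returned above,
    // so user A's menu is never served to user B.
    // Location = Server keeps the per-user page out of shared proxy caches,
    // which the default (Any) would mark as publicly cacheable.
    [Authorize]
    [OutputCache(Duration = 60, VaryByParam = "*", VaryByCustom = "user",
                 Location = OutputCacheLocation.Server)]
    public ActionResult Index()
    {
        return View();
    }
}
```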
One solution is to pass a parameter with the number of menus. Then configure outputcache to cache by all parameters except this one.
Also you can configure output cache to cache only on the client, not on the server. It might be useful depending on your scenario.
You can always cache user specific information on the asp.net session.

How to get started with multi-tenant MVC application

I have searched for examples and found several but they are whole large projects. I am looking for some sample on how to get started building an MVC multi-tenant application. I think, the first part would be to decipher the url.
In ASP.Net this is how I did it. I got this from looking at DNN code. How would I do the same in MVC?
Global.asax
private void Application_BeginRequest(Object source, EventArgs e)
{
HttpApplication application = (HttpApplication)source;
HttpContext context = application.Context;
string domainName = string.Empty;
// domainName now contains 'example' if application.Request was www.example.com
domainName = GetDomainName(application.Request);
// Using domain, get the info for example from the database
object myPortal = null; // placeholder: get from database
// Save in context for use on other pages
context.Items.Add("PortalSettings", myPortal);
}
Then in my basepage I get the value from the context.
I think an even more robust means would be to define a custom route. In that custom route is where you extract the domain and put it into the route values.
You then can have the base controller (as Josh described) which defines a Domain property or the like and stores that value there for convenience (or just extracts it on demand; either way).
By pulling it into the route values up front like that, you can make use of that information anywhere in the app along the request path, not just in the controller, so you get more re-use out of it that way. You can, for example, make use of it in a custom Authorize-like filter to handle the user's rights to that domain, and so on.
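A sketch of the custom-route idea from the answer above, with the host checked against an allow-list before it becomes a route value. This is an added example, not code from the original answers; TenantRoute, TenantController, KnownTenants and the "tenant" key are hypothetical names, and taking the first label after an optional "www." as the tenant is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class TenantRoute : Route
{
    // Constructed allow-list; a real application would load it from its tenant store.
    private static readonly HashSet<string> KnownTenants =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example", "contoso" };

    public TenantRoute(string url, object defaults)
        : base(url, new RouteValueDictionary(defaults), new MvcRouteHandler()) { }

    public override RouteData GetRouteData(HttpContextBase httpContext)
    {
        RouteData data = base.GetRouteData(httpContext);
        if (data == null) return null; // URL pattern did not match

        // Url.Host normally reflects the client-supplied Host header: untrusted input.
        string host = httpContext.Request.Url.Host;
        if (host.StartsWith("www.", StringComparison.OrdinalIgnoreCase))
            host = host.Substring(4);
        string tenant = host.Split('.')[0];

        // Unknown tenant: report "no match" so this route never hands an
        // unvalidated tenant name to a controller (404 if no other route matches).
        if (!KnownTenants.Contains(tenant)) return null;

        data.Values["tenant"] = tenant.ToLowerInvariant();
        return data;
    }
}

public abstract class TenantController : Controller
{
    // Convenience accessor; filters can read the same value from RouteData.
    protected string Tenant
    {
        get { return (string)RouteData.Values["tenant"]; }
    }
}

// Registration (e.g. in Application_Start):
// RouteTable.Routes.Add("Default", new TenantRoute("{controller}/{action}/{id}",
//     new { controller = "Home", action = "Index", id = UrlParameter.Optional }));
```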
Get the domain name. You are on the right track with the DNN code. Just poke around the Request static variable in the debugger; there's all kinds of cool stuff there.
You'll probably need a user store. I use a custom database, but you could use the Microsoft membership provider and profile provider. Make the domain a property of the user, or a property of an organization, and the organization a property of the user.
Store the user's domain in the cookie, encrypted. Read the cookie at the beginning of the request, and make sure the user has access to that org/domain.
Make a BaseController that extends Controller, then have all your controllers inherit from it. In the BaseController, override OnActionExecuting. This is a much easier place to do your initial request rigging than the Global.asax.cs's Begin_request, because you can define protected members which will be available from every controller.

Prevent Caching of Attributes in ASP.NET MVC, force Attribute Execution every time an Action is Executed

According to various articles (e.g. here and here) attribute results on ASP.NET MVC Actions may be cached and not executed again when a controller action is called.
That behavior is not desired in my case (e.g. I have an authorization system based on my own attributes and IPs, role checks that need to execute every time, and other things).
How can I prevent ASP.NET MVC from caching my attributes/attribute execution results and guarantee that they are executed every time?
Look at the source code for the AuthorizeAttribute (on Codeplex or via Reflector) to see how it goes about turning off caching for authorized pages. I refactored it into a separate method on my custom authorization attribute which derives from AuthorizeAttribute.
protected void CacheValidateHandler( HttpContext context, object data, ref HttpValidationStatus validationStatus )
{
validationStatus = OnCacheAuthorization( new HttpContextWrapper( context ) );
}
protected void SetCachePolicy( AuthorizationContext filterContext )
{
// ** IMPORTANT **
// Since we're performing authorization at the action level, the authorization code runs
// after the output caching module. In the worst case this could allow an authorized user
// to cause the page to be cached, then an unauthorized user would later be served the
// cached page. We work around this by telling proxies not to cache the sensitive page,
// then we hook our custom authorization code into the caching mechanism so that we have
// the final say on whether a page should be served from the cache.
HttpCachePolicyBase cachePolicy = filterContext.HttpContext.Response.Cache;
cachePolicy.SetProxyMaxAge( new TimeSpan( 0 ) );
cachePolicy.AddValidationCallback( CacheValidateHandler, null /* data */);
}
I just finished a spirited discussion with Craig Stuntz (the author of the first article you listed).
I ended up using an AuthorizeAttribute with AuthorizeCore to guarantee that authorization is called even in the event the page is cached.

How best to implement 'website closed' functionality?

We have a requirement to have our ASP.NET MVC websites be automatically closed down by a remote notification (change in database value). Where would be the best place to implement this?
Base Controller Class
Global.asax
Custom attribute
Other
Update
Lots of suggestions to use app_offline but this scenario will be happening daily and will be purely initiated by the database so I would rather have the application take the initiative rather than something external push the file in.
Also, I will probably need to redirect the users to a holding page (preferably an MVC controller method to keep everything consistent). I'm leaning more towards catching it in my BaseController and having that handle it.
There's a standard way of "gracefully" terminating ASP.NET 2.0 webapp - just drop an App_Offline.htm to the root directory of your application. See this.
I would go with Global.asax Application_BeginRequest if you have to do it programmatically.
You could Response.Redirect the page to "Offline.aspx" which can retrieve a message from the database or whatever you need. Of course you'd have to look at the request to see if it was trying to get to "Offline.aspx" otherwise you'd end up in an infinite loop.
Or maybe all your applications can be redirected to a single website which would remove most of the complication.
I'm going to answer this myself as I did it a different way but thanks to everyone for their responses.
What I ended up doing is overriding OnActionExecuting() in my BaseController class (which all my controllers derived from).
In this method I check the database (using a 1 minute cache) and if the website is closed I load up a view to display a closed message. Code shown below
Protected Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
MyBase.OnActionExecuting(filterContext)
Dim _cfgService = ObjectFactory.GetInstance(Of IConfigService)()
If _cfgService.DynamicConfig.WebSiteClosed Then
filterContext.Result = ErrorHandler(_cfgService.DynamicConfig.WebSiteClosedTitle, _
_cfgService.DynamicConfig.WebSiteClosedMessage)
End If
End Sub
Handling this type of behavior in the Global.asax file sounds like the best solution, redirecting to a static "offline/closed" page. Handle the request in the Application_BeginRequest method and check to see whether the site is active; if it is, let it continue; if it is not online, Response.Redirect the request to the static page.
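protected void Application_BeginRequest(object sender, EventArgs e)
{
string redirectURL = "~/Offline.aspx"; //some static page
bool isOnline = false; //SQL Call, config value
// Do not redirect requests for the offline page itself, otherwise the redirect loops forever
bool isOfflinePage = string.Equals(Request.AppRelativeCurrentExecutionFilePath, redirectURL, StringComparison.OrdinalIgnoreCase);
if (!isOnline && !isOfflinePage && !string.IsNullOrEmpty(redirectURL))
{
// Response.Redirect sets the 302 status and the Location header, then ends the response;
// setting RedirectLocation alone leaves the status at 200, so browsers would not follow it
Response.Redirect(redirectURL);
}
}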
Sorry, don't know about ASP.NET, but in case helpful:
We have a single APPLICATION.ASP page for our site (CMS / Database merge type stuff); this is possibly not common and may therefore restrict usefulness, but could perhaps be implemented by an INCLUDE at the top of all ASPX files
We rename APPLICATION.ASP to TEST.ASP and copy HOLDING_PAGE.ASP to APPLICATION.ASP
The HOLDING_PAGE.ASP is present in the WWW folder, so always ready-and-available. It contains a "Site not available" message etc. and is self contained for all CSS (no include files, no DB access). Only exception is the company logo (which is external to that file, obviously)
This method prevents all access to the site, is not dependant on having a working DB connection, and allows us to change anything on the site without interfering with the holding page (apart from Company Logo, but changing that is likely to be benign)
We can still access the site, internally, using TEST.ASP - so we can test any new rollout features before removing the holding page and putting the site live. If you want to prevent anonymous use of TEST.ASP then deny anonymous permission.
Remove holding page is: Delete APPLICATION.ASP (i.e. the holding page) and Rename TEST.ASP to APPLICATION.ASP
We also have a database flag that causes the normal APPLICATION.ASP page to show a holding page - which we can use whilst doing more minor changes.
