Develop Reference

Partial View Link on MVC LoginPage not working (User not logged-in/Authorized yet)

I am working on a website in ASP.NET MVC and working on LoginPage. On the LoginPage, we also have 'Forgot Password' link and clicking that link opens a Modal-popup (bootstrap) with content being returned as PartialView.
Problem I am facing is, when I click on 'Forgot Password' link on the page, Index method of Login controller gets called instead of ForgotPassword related method which results in LoginPage being returned in modal popup.
[AllowAnonymous]
[System.Web.Services.WebMethod()]
public ActionResult ForgotPassword()
{
return PartialView("_ForgotPassword");
}
It seems like some sort of authentication issue because if I login using our old Login Page (it's an .aspx page) and then try to manually go to a new ASP.NET MVC page, all the link with partialView on login Page works fine.
Anyone else had this issue? any pointer would be appreciated.
Thanks
Edit 1: Javascript used to call modal popup
function AttachPopup() {
$('.modal-popup').click(function (event) {
event.preventDefault();
event.stopImmediatePropagation();
var url = $(this).attr('data-content-url');
var modalId = $(this).attr('data-target-model');
var target = $(this).attr('data-target-content');
$.ajax({
url: url,
type: 'POST',
datatype: "json",
cache: false,
traditional: true,
success: function (data) {
$(target).empty();
$(target).append(data);
$(modalId).modal('show');
}
});
});
}
url comes correct but still index is called.

When the AllowAnonymous attribute, the onAuthorization method of AuthorizeAttribute simply ignores authorization and authentication checking. Even if you had a global authorization filter. It should still work. A user had a similar issue. Please check out this link

As mentioned, I was converting an aspx website to MVC. In Web.config, we had
<authorization>
<deny users="?" />
</authorization>
This was taking precedence over MVC [AllowAnonymous] attribute. Commenting out above code, fixed my problem.
Word of caution: When you do that, do check that your website is secure with [Authorize] attribute

How to redirect to login page if AbpAuthorize is failed in asp.net mvc?

I have modified the asp.net boilerplate mvc template css, but somehow, I might mess up with the code. Now if the user is not logged in/not authorized, the error pops out, click ok, instead of redirecting to the login page, it redirects to the default $urlRouterProvider in the app.js. Here is part of the app config:
app.config([
'$stateProvider', '$urlRouterProvider', '$locationProvider', '$qProvider',
function ($stateProvider, $urlRouterProvider, $locationProvider, $qProvider) {
$locationProvider.hashPrefix('');
$urlRouterProvider.otherwise("/");
$qProvider.errorOnUnhandledRejections(false);
$stateProvider
.state('login', {
url: '/Account/Login',
templateUrl:'/Views/Account/Login.cshtml'
})
.state('dashboard', {
url: '/',
templateUrl: '/App/Main/views/dashboard/dashboard.html',
data: { pageTitle: '' }
})
]);
Can any one please explain what happens behind the scenes? What is the magic code that redirects the user to the login page regardless of what you defined in the angularjs?
Thanks in advance!

After days of search, I found out the reason why it did not work is because the response is not handled by HandleUnauthorizedRequest method. It is supposed to redirect to the path you defined in the startup when receiving 401 unauthorized status.
And why it did not trigger the HandleUnauthorizedRequest is because I removed the AbpMvcAuthorize in Home controller.

How to clear apache shiro session?

I used apache shiro session for the authentication and authorization.
Am able to login with different user and permission and roles but actual problem is whenever i call a signOut function looks like shiro session is not getting wiped off.
The evident for this is whenever i clicked logout it comes main screen and if i use browser back button i can go back for the last screen.
My signOut function looks like this
// Log the user out of the application.
SecurityUtils.subject?.logout()
webRequest.getCurrentRequest().session = null
session.invalidate()
// For now, redirect back to the home page.
redirect(uri: "/")
Any help on this really appreciated struggling for this from past 2 days

This works for me with version version 1.1.4 of the shiro plugin.
def logOut() {
SecurityUtils.subject?.logout()
redirect(uri: "/")
}

This is due to browser cache. You can configure to reset your browser cache in ShiroSecurityFilters file.
class ShiroSecurityFilters {
def filters = {
requestHeadersFilter(controller: '*', action: '*') {
after = {
response.setHeader("Pragma", "no-cache")
response.setDateHeader("Expires", 0)
response.setHeader("Cache-Control", "no-cache")
response.addHeader("Cache-Control", "no-store")
}
}

Redirection in Grails Web-flow

I have question regarding redirection in Grails web-flow.
I am in a view state which will allow users to enter the answers for a question. On 2 wrong attempts I should be able to re-direct the user to view page from different controller. What i mean is
challengeQuestionOne{
onRender() {
//Display question
}
on('next') {BuildQuestion command ->
bindData(flow.recovery,command)
[return the model to flow]
if(command.hasErrors()) {
flow.command = command
return error()
}
if(check for status. If doesnot pass){
flash.message=message(code:'loginForm.account.locked', default: 'Please Contact Admin.')
redirect(controller : "login",action: "login")//how to redirect from here to diff controller
}
if (//compare answer entered) {
}
else{
//set status not active
}
}.to("challengeQuestionTwo")
on(Exception).to("error")
on('cancel').to('finish')
}
I have tried to redirect from onRender . It was redirecting to the page. But how do I display the error msg on the redirected page. How can i forward the error message from one controller to other??

Ivo Houbrechts wrote an excelent tutorial about grails webflow:
Webflow defines its own flash scope. Although it has the same semantics as the standard grails flash scope (the main purpose is to store objects only until after the next request), it is a different scope. This means that objects stored in webflow's flash scope are not visible in standard grails actions.
import org.springframework.web.context.request.RequestContextHolder
....
RequestContextHolder.currentRequestAttributes().flashScope.message = "YourMessage"
You can read more here:
http://livesnippets.cloudfoundry.com/docs/guide/

Flash scope will not work in this case as expected.
Try to use another approach to show error. E.g. you can pass parameters with redirect. Or you can throw some exception and check it on rendered page as follow:
<g:if test="${flowExecutionException}">
<div class="error"><g:message code="loginForm.account.locked"/></div>
</g:if>

grails spring security login page display

I'm using the spring security plugin in a Grails app. There are two reasons why the login page gets displayed
The user navigated to it directly
The user tried to access a page that is only available to logged-in users
In the case of (2) only, I want to display a message like "you attempted to access a page that requires login", but in the GSP code of the login page I can't find a way to distinguish between (1) and (2), is this possible?

When you get redirected, Spring Security stores a SavedRequest in the session under the SPRING_SECURITY_SAVED_REQUEST_KEY key, so you could check for the existence of that in auth.gsp:
<g:if test='${session.SPRING_SECURITY_SAVED_REQUEST_KEY}'>
// display "you attempted to access a page that requires login"
</g:if>
<g:else>
// direct access to login
</g:else>

You could change the url of of the various spring security configurations to point to a controller, and then have it branch based on info in the session. In a 1.3.7 project is did something like
security {
authenticationFailureUrl = '/logout/doLogout'
afterLogoutUrl = '/logout/doLogout'
}
then had
class LogoutController {
def doLogout = {
def wasHere = session.getAttribute('some-attribute-you-set')
if (wasHere) render view: 'requirelogin'
else render view: 'normallogin'
}
}