In order to disable browser cache, to reliably instructing the browser not to cache, I found the best solution was to create your own [NoCache] attribute class
public class NoCacheSettingsAttribute : ActionFilterAttribute
{
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
filterContext.HttpContext.Response.Cache.SetNoStore();
base.OnResultExecuting(filterContext);
}
}
And a global filter settings
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
// Makes sure that cached pages are not served to any browser including chrome
filters.Add(new NoCacheSettingsAttribute());
}
I want to use [OutputCache(CacheProfile = "2Hour")] in some ActionResult of a controller and also want to use NoCacheSetting for rest of controller globally , Let say in BaseController, (all controller inherit from BaseController)
So the question is that will it work properly ? Or I have to put rest of controller 1 by one ?
Why not simply exclude controller actions already decorated with the OutputCache attribute from processing:
public class NoCacheSettingsAttribute : ActionFilterAttribute
{
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
var descriptor = new ReflectedControllerDescriptor(
filterContext.Controller.GetType()
);
var action = descriptor.FindAction(
filterContext.Controller.ControllerContext,
filterContext.RequestContext.RouteData.GetRequiredString("action")
);
if (!action.GetCustomAttributes(typeof(OutputCacheAttribute), true).Any())
{
// The controller action is not decorated with the
// [OutputCache] attribute, so you could apply your NoCache logic here
filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
filterContext.HttpContext.Response.Cache.SetNoStore();
}
}
}
Related
Is there any way to find out on client side what kind of action was executed? I just want to know if view is generated by PartialView method or View method.
I looked in headers but found nothing useful.
To achieve this I may add some headers into http response by overriding PartialView method.
protected override PartialViewResult PartialView(string viewName, object model)
{
Response.AddHeader("is-partial", "of_course_this_is_partial");
return base.PartialView(viewName, model);
}
But I want to know is there any built in solution in MVC 5? So I won't have to use a custom derived Controller class and use it everywhere.
You could use an action filter:
public class ResponseHeaderActionFilter : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
}
public override void OnActionExecuted(ActionExecutedContext filterContext)
{
}
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
// use filterContext.Result to see whether it's a partial or not
// filterContext.HttpContext.Response.AddHeader()..
}
public override void OnResultExecuted(ResultExecutedContext filterContext)
{
}
}
If you make this a global action filter, it's automatically executed and you don't have to inherit from a base controller or put it as an attribute on your controller:
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
// Register global filter
GlobalFilters.Filters.Add(new ResponseHeaderActionFilter());
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
}
This way, the header is automatically added to each result.
I would like to protect my public method from being called by a user.
Because I'm calling the action from an ajax script I can't use any access modifiers, (private, protected etc).
Also, [HttpPost] doesn't stop the user from doing a fake request.
Anyone got a solution?
Thanks
Create an action filter that allows action methods to be called by AJAX only
namespace MyFilters
{
[AttributeUsage(AttributeTargets.Method)]
public class AjaxOnlyAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if (!filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.StatusCode = 404;
filterContext.Result = new HttpNotFoundResult();
}
else
{
base.OnActionExecuting(filterContext);
}
}
}
}
Then apply this to the action method
[AjaxOnly]
public JsonResult DoSomething()
{
....
I want to create an action filter that will be used by ONLY two controllers in my app... This action filter is supposed to be checked for every action inside the TWO controllers.
Heres my action filter code
public class AllowedToEditEHRFilter : IActionFilter
{
IUnitOfWork unitOfWork;
IRepository<EHR> ehrRepository;
public AllowedToEditEHRFilter(IUnitOfWork dependency)
{
unitOfWork = dependency;
ehrRepository = unitOfWork.EHRs;
}
public void OnActionExecuting(ActionExecutingContext filterContext)
{
int ehrId;
if (int.TryParse(filterContext.HttpContext.Request.QueryString["ehrId"], out ehrId))
{
EHR ehr = ehrRepository.FindById(ehrId);
if (ehr.UserName != Membership.GetUser().UserName)
filterContext.Result = new ViewResult { ViewName = "InvalidOwner" };
}
}
public void OnActionExecuted(ActionExecutedContext filterContext)
{
}
}
Now Im just not sure how can I configure MVC framework so that the action filter gets triggered at the appropriate times.
Im using this as reference but that is applying a GLOBAL actionfilter and it doesnt specify how to limit to just some of your controllers.
Please help.
btw Im using NinjectMVC3
This depends on what the appropriate time is.
See my original blog post
http://www.planetgeek.ch/2010/11/13/official-ninject-mvc-extension-gets-support-for-mvc3/
Or read the other pages of the doc:
https://github.com/ninject/ninject.web.mvc/wiki/Conditional-bindings-for-filters
https://github.com/ninject/ninject.web.mvc/wiki/Filter-configurations
(Probably I should link them)
Basically you need to configure a binding for the filter and define some condition:
kernel.BindFilter<AllowedToEditEHRFilter>(FilterScope.Action, 0).When...
e.g.
.WhenActionHas<AllowedToEditEHRAttribute>()
Update:
In your case simply
kernel.BindFilter<AllowedToEditEHRFilter>(FilterScope.Controller, 0).When(
(controllerContext, actionDescriptor) =>
controllerContext.Controller is PhysicalTestsController)
To apply the action filter to only some of your controllers, simply add the attribute to the controllers in question.
[AllowedToEditEHR]
public class YourController : Controller
{
...
For this to work, you should rename your filter to AllowedToEditEHRAttribute, i.e. replace "Filter" by "Attribute". This is a standard naming convention for attributes.
Update: To inject dependencies in the filter, just decorate it's constructor with the [Inject] attribute.
public class AllowedToEditEHRFilter : IActionFilter
{
IUnitOfWork unitOfWork;
IRepository<EHR> ehrRepository;
public AllowedToEditEHRFilter(IUnitOfWork dependency)
{
unitOfWork = dependency;
ehrRepository = unitOfWork.EHRs;
}
public void OnActionExecuting(ActionExecutingContext filterContext)
{
int ehrId;
if (int.TryParse(filterContext.ActionParameters["ehrId"].ToString(), out ehrId))
{
EHR ehr = ehrRepository.FindById(ehrId);
if (ehr.UserName != Membership.GetUser().UserName)
filterContext.Result = new ViewResult { ViewName = "InvalidOwner" };
}
}
public void OnActionExecuted(ActionExecutedContext filterContext)
{
}
}
And the CustomFilterProvider
public class ConfiguredFilterProvider : IFilterProvider
{
private readonly IKernel _kernel;
public ConfiguredFilterProvider(IKernel kernel)
{
_kernel = kernel;
}
public IEnumerable<Filter> GetFilters(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
{
List<Filter> list = new List<Filter>();
if (controllerContext.Controller is PhysicalTestsController)
{
list.Add(new Filter(
_kernel.Get(typeof(AllowedToEditEHRFilter)),
FilterScope.Global, order: null
));
}
return list;
}
}
And in Ninject
kernel.Bind<IFilterProvider>()
.To<ConfiguredFilterProvider>();
It might not be the cleanest solution but its working.
You just have to decorate that two controllers with the action filter like this
[AllowedToEditEHRFilter]
public class YourController : Controller
{
...
}
However, I am not sure if it is allowed to have a complex object passed in a constructor of that filter.
Instead of implementing IActionFilter, extend ActionFilterAttribute and then assign the attribute to the two controllers you want to affect:
public class AllowedToEditEHRFilter : ActionFilterAttribute
{
// ...
}
and:
[AllowedToEditEHRFilter]
public class MyController : Controller
{
// ...
}
I want my login page to be SSL only:
[RequireHttps]
public ActionResult Login()
{
if (Helper.LoggedIn)
{
Response.Redirect("/account/stats");
}
return View();
}
But obviously it doesn't work on localhost when I develop and debug my application. I don't wanna use IIS 7 with SSL certificates, how can I automatically disable the RequireHttps attribute?
Update
Based on info provided by StackOverflow users and ASP.NET MVC 2 source code I created the following class that solves the problem.
public class RequireSSLAttribute : FilterAttribute, IAuthorizationFilter
{
public virtual void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
}
if (!filterContext.HttpContext.Request.IsSecureConnection)
{
HandleNonHttpsRequest(filterContext);
}
}
protected virtual void HandleNonHttpsRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.Request.Url.Host.Contains("localhost")) return;
if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("The requested resource can only be accessed via SSL");
}
string url = "https://" + filterContext.HttpContext.Request.Url.Host + filterContext.HttpContext.Request.RawUrl;
filterContext.Result = new RedirectResult(url);
}
}
And it's used like this:
[RequireSSL]
public ActionResult Login()
{
if (Helper.LoggedIn)
{
Response.Redirect("/account/stats");
}
return View();
}
The easiest thing would be to derive a new attribute from RequireHttps and override HandleNonHttpsRequest
protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
{
if (!filterContext.HttpContext.Request.Url.Host.Contains("localhost"))
{
base.HandleNonHttpsRequest(filterContext);
}
}
HandleNonHttpsRequest is the method that throws the exception, here all we're doing is not calling it if the host is localhost (and as Jeff says in his comment you could extend this to test environments or in fact any other exceptions you want).
public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
if (!HttpContext.Current.IsDebuggingEnabled) {
filters.Add(new RequireHttpsAttribute());
}
}
#if (!DEBUG)
[RequireHttps]
#endif
public ActionResult Login()
{
if (Helper.LoggedIn)
{
Response.Redirect("/account/stats");
}
return View();
}
You can encapsulate this requirement in a derived attribute:
class RequireHttpsNonDebugAttribute : RequireHttpsAttribute {
public override void HandleNonHttpsRequest(AuthorizationContext ctx) {
#if (!DEBUG)
base.HandleNonHttpsRequest(ctx);
#endif
}
}
MVC 6 (ASP.NET Core 1.0):
The proper solution would be to use env.IsProduction() or env.IsDevelopment().
Example:
Startup.cs - AddMvc with a custom filter:
public void ConfigureServices(IServiceCollection services)
{
// TODO: Register other services
services.AddMvc(options =>
{
options.Filters.Add(typeof(RequireHttpsInProductionAttribute));
});
}
Custom filter inherit from RequireHttpsAttribute
public class RequireHttpsInProductionAttribute : RequireHttpsAttribute
{
private bool IsProduction { get; }
public RequireHttpsInProductionAttribute(IHostingEnvironment environment)
{
if (environment == null)
throw new ArgumentNullException(nameof(environment));
this.IsProduction = environment.IsProduction();
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
if (this.IsProduction)
base.OnAuthorization(filterContext);
}
protected override void HandleNonHttpsRequest(AuthorizationContext filterContext)
{
if(this.IsProduction)
base.HandleNonHttpsRequest(filterContext);
}
}
Design decisions explained:
Use environment IsProduction() or IsDevelopment() over e.g.
"#if DEBUG". Sometimes we release/publish in DEBUG mode on our test server and don't want to disable this security requirement. This needs to be disabled only in localhost/development (since we are too lazy to setup localhost SSL in IIS Express or whatever we use locally).
Use filter in Startup.cs for global setup (since we want this to apply everywhere). Startup should be responsible for registering and setting up all global rules. If your company employ a new developer, she would expect to find global setup in Startup.cs.
Use RequireHttpsAttribute logic since it's proven (by Microsoft). The only thing we want to change is when logic is applied (production) and when it's not (development/localhost). Never use "magical" strings like "http://" and "https://" when it can be avoided by reusing a Microsoft component created to provide the same logic.
Above I would consider the "proper" solution.
Note:
As an alternative, we could make a "class BaseController : Controller" and make all our controllers inherit from "BaseController" (instead of Controller). Then we only have to set the attribute 1 global place (and don't need to register filter in Startup.cs).
Some people prefer the attribute style. Please note this will eliminate design decision #2's benefits.
Example of usage:
[RequireHttpsInProductionAttribute]
public class BaseController : Controller
{
// Maybe you have other shared controller logic..
}
public class HomeController : BaseController
{
// Add endpoints (GET / POST) for Home controller
}
How do I use the ASP.NET MVC 2 Preview 2 Futures RequireHttps attribute?
I want to prevent unsecured HTTP requests from being sent to an action method. I want to automatically redirect to HTTPS.
MSDN:
RequireHttpsAttribute
RequireHttpsAttribute Members
RequireHttpsAttribute.HandleNonHttpsRequest Method
How do I use this feature?
I think you're going to need to roll your own ActionFilterAttribute for that.
public class RedirectHttps : ActionFilterAttribute {
public override void OnActionExecuting(ActionExecutingContext filterContext) {
if (!filterContext.HttpContext.Request.IsSecureConnection) {
filterContext.Result =
new RedirectResult(filterContext.HttpContext.Request.Url.
ToString().Replace("http:", "https:"));
filterContext.Result.ExecuteResult(filterContext);
}
base.OnActionExecuting(filterContext);
}
}
Then in your controller :
public class HomeController : Controller {
[RedirectHttps]
public ActionResult SecuredAction() {
return View();
}
}
You might want to read this as well.
My guess:
[RequireHttps] //apply to all actions in controller
public class SomeController
{
//... or ...
[RequireHttps] //apply to this action only
public ActionResult SomeAction()
{
}
}