I've designed a mvc view in my MVC4 website which allows members to update their user details. This works ok using MVC but if i create a partial view which allows users to update their address for example using AJAX. How can i apply a level of security to determine that user x can only update userx's account. And not allow a user to login as user x and then spoof a post and update user y's account?
Regardless if your controller is an MVC controller or a WebApi controller, after the user authenticates and the Principal is set in the current thread, all you have to do is check that the user in the current context:
HttpContext.User
Is the one the data being edited belongs to.
Usually the username is populated on
HttpContext.User.Identity.Name
If the username of the user being edited is different than the authenticated user, just throw and InvalidOperationException.
Related
I am calling a webpage from an external webpage and I am passing a user id with the call (http://localhost:54697/?position='position'&user='user'). What I want to do is I want to put the user into an authentication process using the request variable.
It is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it?
Or is there any suggestion?
UPDATE:
The external site has the credential info that is needed for my site's authorization. Shortly, I have a system on which I can go through several other websites via menus. One menu link will go to this (http://localhost:54697/?position='position'&user='user') Asp.Net MVC web site. Whenever the user clicks to the link, a userid will be sent through the link. Based on the userid I will go through an authorization
process on which I will check the userid and show menus based on the roles associated with the userid. In the controller I can get the userid
however, I do not want to check the roles in every controller. Whenever the link is clicked I want the system to go through a role provider and assign the roles associated with the userid and place role annotators to the controllers. As stated above I am not sure if it is a good place to do it at global.asax.cs/Application_Start() ? If so, is there any way to pass a request variable into it? Or Can I use the constructor of the controller for this purpose?
I am using the spring security plugin and thus am able to make use of the method springSecurityService.currentUser to access the current logged in user. However, i assume that obtaining the current user within each controller action and then performing actions based on the returned user is not the recommended best practise.
Examples:
logged in user clicks link to their profile page - controller obtains current user and returns data to populate profile page for this user.
logged in user changes status on profile page - controller obtains current user, from this finds their profile and then updates the status on this profile.
ETC
This should ensure that a user accessing a page is who they say they are - as there is no passing of User Id or other identifying information from a client. However, obtaining the user in each action seems wrong, and i havent seen many examples of code which do this. Should I be using filters to intercept requests or some other flow/practise?
springSecurityService.currentUser exists for that exact purpose. The reason you need to retrieve the current user each time is because controller actions are stateless. Yeah, there's a session at play which maintains some state, but what I mean is that there's no direct transfer of state from one controller action to another. So, it is in fact best practice to obtain the current user each time.
What happens is the client provides a cookie, usually named JSESSIONID, to Grails. Grails then uses that to restore any session data, which essentially leads to springSecurityService.currentUser being able to provide the current user. So while the client does not pass the user ID, it does pass a session ID, which indirectly is identifying information.
I have an asp.net mvc application. I have administration page to manage users. Have a scenario where admin adds new users and those uses have its own logins. Say admin creates a user 'testuser' and the testuser logs in to the application. Meanwhile admin deletes 'testuser'. The every next click of 'testuser' must redirect to login page. How can this be done? Is this managed through web.config, or whether this can be managed using the Base Controller(All controllers inherit from Base Controller).
I'd create an overload of the AuthorizeAttribute class where you'll check the database for every request wheither the user is still allowed to be logged in in the administration page.
I don't know what your requirements are with regards to the amount of users that will use the administration section, but this can become heavy on the database to have an extra database call on every authorized action.
I have some intranet asp.net mvc3 app ,which is available for both LDAP authenticated and anonymous users.All of them are using IE. One of the views should be available for both of them, depending on status some columns should be hidden,etc.
I don't want anonymous users to receive popup authentication dialog,but can't see no way of solving problem.If I add Authorize() attribute ,it forces anonymous user to input user/password, if I remove this attribute everyone is treated as anonymous.
How can be this obstacle solved?
In your controller check to see if the user is authenticated and perform actions based off that conclusion.
if (User.Identity.IsAuthenticated){
//Handle Case
}
What's the best way to handle an expired password in an ASP.NET MVC application?
Let me explain - ASP.NET MVC is obviously set up (both in the barebones app the NerdDinner example) to handle the following scenarios:
Register new users
Allow them to change their password
Log in using a valid account/password
What it doesn't have is a really good way to do the following:
Force the user to change their password if it is expired
The ASP.NET MVC way of thinking points to the idea of having the user go to a separate URL/view to perform the password changes.
The problem with this idea is that I don't want people to be able to go to this URL if they're not logged in, and I don't want them to be able to go anywhere else in the site with an expired password.
In the past the way I've handled this is to have the user not leave the login page and have an ASP.NET panel show itself with the "oh hey you need to change your password" bit, and hide the rest of the page. At this point the user is not logged on yet, so they won't be authenticated and can't go anywhere until they change their password.
But ASP.NET MVC makes this difficult. If I do like above and have everything on the login page then I have to have a very cumbersome Login() action in order to handle all of the possible posted values. If I have it post to another action/view then I run the risk of either having to log in the user or have the change password page be not protected by authentication (since, unlike the "change password" bit you get provided with, I don't want them to be authenticated when they see the page).
I can envision a few scenarios wherein you would set something in ViewData to indicate the password is expired and insist on redirecting the user to the "Change Password" page, but I'm not sure if that's a safe thing to do.
I would consider using a custom (extending the existing) AuthorizeFilter that sets the ActionResult on the AuthorizationContext to redirect to your change password action if the user is authenticated but the password is expired. This would allow them to login normally, but restrict them to only that action if their password is expired. I use a similar approach in one of my apps that redirects a person to an event enrollment page if they are registered with the site but haven't signed up for an event yet (it's a charity event management app).
You might even be able to implement it as a separate filter and still use the existing one for authorization.
[Authorize]
[RequiresUnexpiredPassword]
public class MyController : Controller
{
...
}
Of course, you'd have to make sure the ChangePassword action is allowed to proceed without being redirected by the filter.
How about creating a custom AuthorizationAttribute and overriding the OnAuthorization method [ Sample code here: asp.net mvc Adding to the AUTHORIZE attribute ] .
In that method, you can check if the password has expired, throw PasswordExpiredException. Catch this exception in Base Controller and redirect the user to 'Change Password' action.