I have following two actions that keeps calling each other and goes in infinite loop. what am i doing wrong?
Public Overrides Sub OnAuthorization(filterContext As System.Web.Mvc.AuthorizationContext)
'This calls the AuthorzeCore function and also makes sure that the browser does not cache this function
MyBase.OnAuthorization(filterContext)
If Not IsNothing(filterContext.Result) Then
Return
End If
'Gets the calling Controller
Dim controllerName As String = filterContext.Controller.GetType().Name
'Gets the calling action
Dim actionName As String = filterContext.ActionDescriptor.ActionName
'Checks whether the logged in user has access to the action of the controller
Dim canAccess As test.Security.Permissions.PermissionTypes
canAccess = test.ApplicationSecurity.GetSecurityObject().GetAccess(controllerName & "." & actionName)
If canAccess = Security.Permissions.PermissionTypes.DISABLE Then
'User has access to the application but not to the action they are trying to access, so throw a Unauthorised exception
filterContext.HttpContext.Response.StatusCode = 403
HandleUnauthorizedRequest(filterContext)
End If
End Sub
Protected Overrides Sub HandleUnauthorizedRequest(filterContext As System.Web.Mvc.AuthorizationContext)
''To make sure that we throw a not authorised error rather not authenticated message
'If filterContext.HttpContext.Request.IsAuthenticated Then
' 'filterContext.Result = New HttpStatusCodeResult(CType(System.Net.HttpStatusCode.Forbidden, Int32))
' filterContext.Result = New RedirectToRouteResult(
'Else
' MyBase.HandleUnauthorizedRequest(filterContext)
'End If
If (filterContext.HttpContext.Request.IsAjaxRequest()) Then
Dim urlHelper As UrlHelper = New UrlHelper(filterContext.RequestContext)
filterContext.Result = New JsonResult With {.Data = New With {.Error = "NotAuthorized", .URL = urlHelper.Action("UnAuthorized", "Error")}, _
.JsonRequestBehavior = JsonRequestBehavior.AllowGet}
ElseIf filterContext.HttpContext.Response.StatusCode = 403 Then
filterContext.Result = New ViewResult With {.ViewName = "UnAuthorized"}
Else
filterContext.Result = New ViewResult With {.ViewName = "UnAuthenticated"}
End If
End Sub
You shouldn't be calling HandleUnauthorizedRequest from inside OnAuthorization, this method is called automatically when the request can't be authorized.
From the docs:
Authorization is denied in the following cases:
• The request is not associated with any user.
• The user is not authenticated.
• The user is authenticated but is not in the authorized group of Userss (if defined), or if the user is not in any
of the authorized Roles (if defined).
If authorization is denied then this method will invoke
HandleUnauthorizedRequest(HttpActionContext) to process the
unauthorized request.
Related
I have a custom authorize program called CustomAuthorize that inherits AuthorizeAttribute that simply restricts access to certain controllers and resources based on various factors specific to the user. However, I get an error on the following line:
The line:
Protected Overrides Function AuthorizeCore(httpContext As
HttpContextBase) As Boolean
The error:
An unhandled exception of type 'System.StackOverflowException'
occurred in MyBlog.DLL
Here's my whole code:
Public Class CustomAuthorize
Inherits AuthorizeAttribute
Protected Overrides Function AuthorizeCore(httpContext As HttpContextBase) As Boolean
Dim authorized = AuthorizeCore(httpContext)
' if user is not authorized, restrict access
If (authorized = False) Then
Return False
End If
' get user name
Dim username = httpContext.User.Identity.Name
' get user
Dim user = Membership.GetUser(username, True)
' get user's profile
Dim db As UserProfileDbContext = New UserProfileDbContext
Dim profile = db.UserProfiles.Where(Function(x) x.UserId = user.ProviderUserKey).Single
' TODO: if user doesn't have a profile, return false
' get route
Dim routeData = httpContext.Request.RequestContext.RouteData
' get controller
Dim controller = routeData.Values("controller").ToString
' get id
Dim id = routeData.Values("id").ToString
' if no id is set, check to see if the user owns the requested entity (company or blog)
If String.IsNullOrEmpty(id) = True Then
If controller.ToLower = "blog" Or controller.ToLower = "article" Then
If profile.IsCompanyOwner Or profile.IsBlogOwner = True Then
' if user is owner of a blog with no specified id, then it will default to their own blog
Return True
End If
End If
Else
' if controller = blog
' check for blog id
If controller.ToLower = "blog" Then
' check to see if the user owns the company to which the blog belongs
If profile.IsCompanyOwner Then
' get company from blog id
Dim db1 As BlogDbContext = New BlogDbContext
Dim blog = db1.Blogs.Where(Function(b) b.BlogId = id).Single()
If blog.CompanyId = profile.CompanyId Then
Return True
End If
ElseIf profile.IsBlogOwner Then
' if user's blog id is the blog being requested, grant access
If profile.BlogId = id Then
Return True
End If
End If
End If
' if controller = article
' check for article blog id
If controller.ToLower = "article" Then
Dim db2 As ArticleDbContext = New ArticleDbContext
Dim article = db2.Articles.Where(Function(a) a.ArticleId = id).Single
Dim articleBlogId = article.BlogId
' check to see if the user owns the company to which the blog belongs
If profile.IsCompanyOwner Then
' get company from blog id
Dim db1 As BlogDbContext = New BlogDbContext
Dim blog = db1.Blogs.Where(Function(b) b.BlogId = articleBlogId).Single()
If blog.CompanyId = profile.CompanyId Then
Return True
End If
ElseIf profile.IsBlogOwner Then
' if user's blog id is the blog being requested, grant access
If profile.BlogId = articleBlogId Then
Return True
End If
End If
End If
End If
' if we got this far, then the user shouldn't have access
Return False
End Function
Protected Overrides Sub HandleUnauthorizedRequest(filterContext As AuthorizationContext)
Dim result = New ViewResult()
result.ViewName = "Error"
result.ViewBag.ErrorMessage = "oops, you are not allowed"
filterContext.Result = result
End Sub
End Class
How can I fix this error? Thank you.
I think you want to call the MyBase.AuthorizeCore.
So you want to change this line
Dim authorized = AuthorizeCore(httpContext)
to
Dim authorized = MyBase.AuthorizeCore(httpContext)
The first line of your function is Dim authorized = AuthorizeCore(httpContext)
This line will call your method again, and the first line of that new call will do the same, ad infinitum. This causes a StackOverflowException.
Im building a website with the new ASP.NET MVC3 framework and using FormsAuth. for securing the website. I'm storing the role of a user in the UserData property of the FormsAuthenticationTicket, (setting the cookie manually), I then call the encrypt method on the ticket before adding it to the cookie(see below a Standard ticket sniplet).
if (Validate(model.UserName, model.Password))
{
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
model.UserName,
DateTime.Now,
DateTime.Now.AddMinutes(30),
false,
UserType.Administrator.ToString());
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);
Response.Cookies.Add(faCookie);
return RedirectToAction("startpage", "mycontroller");
}
}
Now I've made a custom AuthorizeAttribute thats able to check if the user is 1. authenticated and 2. has the admin role (from the ticket). (below)
The AuthorizeCore method of this derived class will be called when an action takes places in a class that has the attribute annotion.
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
if (httpContext == null)
{
throw new ArgumentNullException("httpContext");
}
IPrincipal user = httpContext.User;
if (!user.Identity.IsAuthenticated)
{
return false;
}
string cookieName = FormsAuthentication.FormsCookieName;
HttpCookie authCookie = httpContext.Request.Cookies[cookieName];
if (authCookie == null)
return false;
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket.UserData != UserType.Administrator.ToString())
return false;
return true;
So here's where im getting confused.
When I follow the code being executed (with valid credentials, in debug), and check the values of the variables made on each line, the encryptedTicket encrypts just fine before adding it to the reponsecookie.
But when I then check the AuthorizeCore method when the controller (of the index page) is being called, the parameter its getting, the HttpContext, contains the ticket with everything unencrypted, so there is no need to decrypt the ticket anymore when reading the cookie.
Why do I see the ticket succesfully being encrypted in the logon controller where I send it back to the client, but then when I receive the httpcontext in the AuthorizeAdministrator class its all unencrypted again.
Sorry for the long question/story, there's probably a simple and short answer for it.
Hope my story is clear.
Thanks.
Forms auth needs to decrypt the cookie early in the page processing pipeline, to determine if the user is authorized -- that's when it fills in the details for User.Identity, etc.
After creating an object, my page won't continue to the details page, although the object is correctly created.
Following is my code:
Function Create(ByVal collection As FormCollection) As ActionResult
Dim _NieuweKlant As New Domain.Slave.Klant
Try
If ModelState.IsValid Then
TryUpdateModel(_NieuweKlant, collection)
_NieuweKlant.UpdatedON = Now
_NieuweKlant.LaatsteWijzigingGebruiker = Now
'_NieuweKlant.LaatsteActie = Now
KlantService.createKlant(_NieuweKlant)
KlantService.SaveKlant()
'check validstate
Return Details(_NieuweKlant.KlantID)
End If
Catch ex As System.Data.Entity.Validation.DbEntityValidationException
Dim Errors = ex.EntityValidationErrors.First
For Each propertyError In Errors.ValidationErrors
ModelState.AddModelError(propertyError.PropertyName, propertyError.ErrorMessage)
Next
Return View(_NieuweKlant)
Catch ex As System.Data.Entity.Infrastructure.DbUpdateException
Return View(_NieuweKlant)
Catch Ex As Exception
' Console.Out.Write("Bericht:" & vbCrLf & Ex.Message)
' Console.Out.Write("InnerException: " & vbCrLf & Ex.InnerException.ToString)
Return View()
End Try
End Function
I also already tried RedirectToAction and when debugging there doesn't seem to be a mistake. It just won't redirect or go to the other action.
If you want to redirect you need to use RedirectToAction, like this:
Return RedirectToAction("Details", new { id = _NieuweKlant.KlantID })
As a second argument we are specifying the id action parameter so that when the page redirects this parameter gets populated:
Function Details(ByVal Id As Integer) As ActionResult
Of course this redirection will happen only if no exception is thrown.
This being said if you are invoking the Create action with AJAX things might be different in terms of redirect.
I have an ASP.NET MVC 2 application in which I am creating a custom action filter. This filter sits on the controllers in the application and verifies from the database whether that function is currently available.
Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
Try
' Check controller name against database.
Dim controllerName = filterContext.Controller.GetType().Name
controllerName = controllerName.Remove(controllerName.Length - 10)
' Look up availability.
Dim available As Boolean = _coreService.GetControllerAvailability(controllerName)
If Not available Then
' Redirect to unavailable notice.
filterContext.Result = New RedirectResult("/Home/Unavailable/")
End If
Catch ex As Exception
_eventLogger.LogWarning(ex, EventLogEntryType.Error)
Throw
End Try
End Sub
My problem is that depending on the action that has been requested I need to redirect the user to an action that returns either a view, partial views or JSON.
Given the ActionExecutingContext can I find out what the return type of the originally requested action is?
EDIT:
Ok, I'm getting closer but have another problem.
Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
Try
' Check controller name against database.
Dim controllerName = filterContext.Controller.GetType().Name
Dim shortName = controllerName.Remove(controllerName.Length - 10)
' Look up availability.
Dim available As Boolean = _coreService.GetControllerAvailability(shortName)
If Not available Then
' find out what type is expected to be returned
Dim actionName As String = filterContext.ActionDescriptor.ActionName
Dim controllerType = Type.GetType("Attenda.Stargate.Web." & controllerName)
Dim actionMethodInfo = controllerType.GetMethod(actionName)
Dim actionReturnType = actionMethodInfo.ReturnType.Name
Select Case actionReturnType
Case "PartialViewResult"
filterContext.Result = New RedirectResult("/Home/UnavailablePartial/")
Case "JsonResult"
filterContext.Result = New RedirectResult("/Home/UnavailableJson/")
Case Else
filterContext.Result = New RedirectResult("/Home/Unavailable/")
End Select
End If
Catch ex As Exception
_eventLogger.LogWarning(ex, EventLogEntryType.Error)
Throw
End Try
End Sub
I can use reflection to find the return type of the action method. My problem is if I have the following methods on a controller:
Public Function Create() As ViewResult
Return View()
End Function
<AcceptVerbs(HttpVerbs.Post)>
Public Function Create(values as FormCollection) As ViewResult
' Do stuff here
End Function
I get an AmbiguousMatchException thrown.
With the information I have in the OnActionExecuting method, is there anyway of being more precise with determining the overload that is being called?
I created an AuthenticationFilterAttribute based on this which returns different results based on type:
/// <summary>
/// Access to the action will be blocked if the user is not logged in.
/// Apply this to the controller level or individual actions as an attribute.
/// </summary>
public class AuthenticationFilterAttribute : ActionFilterAttribute
{
protected const string InvalidAccess = "Invalid access";
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
// Find out if the user is logged in:
Controller controller = (Controller)filterContext.Controller;
if (!controller.User.Identity.IsAuthenticated)
{
switch (GetExpectedReturnType(filterContext).Name)
{
case "JsonResult":
var jsonResult = new JsonResult();
jsonResult.Data = new { Error = true, ErrorMessage = InvalidAccess };
jsonResult.JsonRequestBehavior = JsonRequestBehavior.AllowGet;
filterContext.Result = jsonResult;
break;
// Assume same behaviour as ActionResult
default:
var actionResult = new ContentResult();
actionResult.Content = InvalidAccess;
filterContext.Result = actionResult;
break;
}
}
}
private Type GetExpectedReturnType(ActionExecutingContext filterContext)
{
// Find out what type is expected to be returned
string actionName = filterContext.ActionDescriptor.ActionName;
Type controllerType = filterContext.Controller.GetType();
MethodInfo actionMethodInfo = default(MethodInfo);
try
{
actionMethodInfo = controllerType.GetMethod(actionName);
}
catch (AmbiguousMatchException ex)
{
// Try to find a match using the parameters passed through
var actionParams = filterContext.ActionParameters;
List<Type> paramTypes = new List<Type>();
foreach (var p in actionParams)
{
paramTypes.Add(p.Value.GetType());
}
actionMethodInfo = controllerType.GetMethod(actionName, paramTypes.ToArray());
}
return actionMethodInfo.ReturnType;
}
}
Ok, this is the solution I have come up with.
Public Overrides Sub OnActionExecuting(ByVal filterContext As System.Web.Mvc.ActionExecutingContext)
Try
' Check controller name against database.
Dim controllerName = filterContext.Controller.GetType().Name
Dim shortName = controllerName.Remove(controllerName.Length - 10)
' Look up availability.
Dim available As Boolean = _coreService.GetControllerAvailability(shortName)
If Not available Then
' find out what type is expected to be returned
Dim actionName As String = filterContext.ActionDescriptor.ActionName
Dim controllerType = Type.GetType("Attenda.Stargate.Web." & controllerName)
Dim actionMethodInfo As MethodInfo
Try
actionMethodInfo = controllerType.GetMethod(actionName)
Catch ex As AmbiguousMatchException
' Try to find a match using the parameters passed through
Dim actionParams = filterContext.ActionParameters
Dim paramTypes As New List(Of Type)
For Each p In actionParams
paramTypes.Add(p.Value.GetType())
Next
actionMethodInfo = controllerType.GetMethod(actionName, paramTypes.ToArray)
End Try
Dim actionReturnType = actionMethodInfo.ReturnType.Name
Select Case actionReturnType
Case "PartialViewResult"
filterContext.Result = New RedirectResult("/Home/UnavailablePartial/")
Case "JsonResult"
filterContext.Result = New RedirectResult("/Home/UnavailableJson/")
Case Else
filterContext.Result = New RedirectResult("/Home/Unavailable/")
End Select
End If
Catch ex As Exception
_eventLogger.LogWarning(ex, EventLogEntryType.Error)
Throw
End Try
End Sub
If the Type.GetMethod(string) call fails to identify the method requested, I fetch the parameters collection from the ActionExecutingContext.ActionParameters collection and build an array of the types of the parameters passed in the request. I can then use the Type.GetMethod(string,type()) overload to be more specific about my request.
Some nice answers above, but in MVC Core, I notice you can just get to the method info by casting to a ControllerActionDescriptor, which would clean the above answers some. (I'm using this in a Blazor Webassembly Web Api backend in Preview 6)
((Microsoft.AspNetCore.Mvc.Controllers.ControllerActionDescriptor)filterContext.ActionDescriptor).MethodInfo
So getting the Return type could become:
public static class FilterHelper
{
public static Type GetReturnType(this ActionExecutingContext filterContext)
{
return ((ControllerActionDescriptor)filterContext.ActionDescriptor).MethodInfo.ReturnType;
}
}
And be used like:
Type t = actionContext.GetReturnType();
Will update with an updated full solution for 6 Preview
By the time OnActionExecuting is invoked, the action method has not been executed yet, so there's no way you know whether that action method is going to return which subclass of ActionResult. So, unless you can go with CIL analysis implementation (which I think can get ugly very quickly), I don't think what you want to do is possible.
That said, isn't the fact that you redirect users to a view when the controller isn't available enough? I mean, I don't understand why you want to redirect users to a JSON result or a partial view.
I am using the following code to set a cookie in my asp.net mvc(C#) application:
public static void SetValue(string key, string value, DateTime expires)
{
var httpContext = new HttpContextWrapper(HttpContext.Current);
_request = httpContext.Request;
_response = httpContext.Response;
HttpCookie cookie = new HttpCookie(key, value) { Expires = expires };
_response.Cookies.Set(cookie);
}
I need to delete the cookies when the user clicks logout. The set cookie is not removing/deleting with Clear/Remove. The code is as below:
public static void Clear()
{
var httpContext = new HttpContextWrapper(HttpContext.Current);
_request = httpContext.Request;
_response = httpContext.Response;
_request.Cookies.Clear();
_response.Cookies.Clear();
}
public static void Remove(string key)
{
var httpContext = new HttpContextWrapper(HttpContext.Current);
_request = httpContext.Request;
_response = httpContext.Response;
if (_request.Cookies[key] != null)
{
_request.Cookies.Remove(key);
}
if (_response.Cookies[key] != null)
{
_response.Cookies.Remove(key);
}
}
I have tried both the above functions, but still the cookie exists when i try to check exist.
public static bool Exists(string key)
{
var httpContext = new HttpContextWrapper(HttpContext.Current);
_request = httpContext.Request;
_response = httpContext.Response;
return _request.Cookies[key] != null;
}
What may be problem here? or whats the thing i need to do to remove/delete the cookie?
Clearing the cookies of the response doesn't instruct the browser to clear the cookie, it merely does not send the cookie back to the browser. To instruct the browser to clear the cookie you need to tell it the cookie has expired, e.g.
public static void Clear(string key)
{
var httpContext = new HttpContextWrapper(HttpContext.Current);
_response = httpContext.Response;
HttpCookie cookie = new HttpCookie(key)
{
Expires = DateTime.Now.AddDays(-1) // or any other time in the past
};
_response.Cookies.Set(cookie);
}
The Cookies collection in the Request and Response objects aren't proxies for the cookies in the browser, they're a set of what cookies the browser sends you and you send back. If you remove a cookie from the request it's entirely server side, and if you have no cookies in the response you're just not going to send any thing back to the client, which won't change the set of cookies in the browser at all.
To delete a cookie, make sure that it is in the response cookie collection, but has an expiration time in the past.
Just to add something else I also pass the value back as null e.g.
public static void RemoveCookie(string cookieName)
{
if (HttpContext.Current.Response.Cookies[cookieName] != null)
{
HttpContext.Current.Response.Cookies[cookieName].Value = null;
HttpContext.Current.Response.Cookies[cookieName].Expires = DateTime.Now.AddMonths(-1);
}
}
The best way to implement this is to use a tool like Reflector and see how the System.Web.Security.FormsAuthentication.SignOut method implements removing the authentication cookie.
In Reflector, open up System.Web and navigate to the FormsAuthentication object and find the SignOut method. Right click on it and select "Disassemble" (Choose your language from the menu).
VB.NET
Public Shared Sub SignOut()
FormsAuthentication.Initialize
Dim current As HttpContext = HttpContext.Current
Dim flag As Boolean = current.CookielessHelper.DoesCookieValueExistInOriginal("F"c)
current.CookielessHelper.SetCookieValue("F"c, Nothing)
If (Not CookielessHelperClass.UseCookieless(current, False, FormsAuthentication.CookieMode) OrElse current.Request.Browser.Cookies) Then
Dim str As String = String.Empty
If (current.Request.Browser.Item("supportsEmptyStringInCookieValue") = "false") Then
str = "NoCookie"
End If
Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, str)
cookie.HttpOnly = True
cookie.Path = FormsAuthentication._FormsCookiePath
cookie.Expires = New DateTime(&H7CF, 10, 12)
cookie.Secure = FormsAuthentication._RequireSSL
If (Not FormsAuthentication._CookieDomain Is Nothing) Then
cookie.Domain = FormsAuthentication._CookieDomain
End If
current.Response.Cookies.RemoveCookie(FormsAuthentication.FormsCookieName)
current.Response.Cookies.Add(cookie)
End If
If flag Then
current.Response.Redirect(FormsAuthentication.GetLoginPage(Nothing), False)
End If
End Sub
With the above as an example, I was able to create a common method called RemoveCookie() in a shared assembly, code is below:
VB.NET
''' <summary>
''' Method to remove a cookie
''' </summary>
''' <param name="key">Key</param>
''' <remarks></remarks>
Public Shared Sub RemoveCookie(ByVal key As String)
' Encode key for retrieval and remove cookie
With HttpContext.Current
Dim cookie As New HttpCookie(.Server.UrlEncode(key))
If Not IsNothing(cookie) Then
With cookie
.HttpOnly = True
.Expires = New DateTime(&H7CF, 10, 12)
End With
' Remove from server (has no effect on client)
.Response.Cookies.Remove(.Server.UrlEncode(key))
' Add expired cookie to client, effectively removing it
.Response.Cookies.Add(cookie)
End If
End With
End Sub
Having tested this using FireBug and the Cookie add-in for FireBug (in FireFox), I can attest that the cookie immediately gets removed.
Any questions, feel free to message me.
After playing around with this for some time and trying all of the other answers here I discovered that none of the answers here are totally correct.
The part that is correct is that you have to send an expired cookie to effect the deletion. The part that nobody else picked up on (but is demonstrated in the Microsoft code posted by Ed DeGagne) is that the cookie options for the deletion must match exactly the cookie options that were used to set the cookie in the first place.
For example if you originally created the cookie with the HttpOnly option then you must also set this option when deleting the cookie. I expect the exact behavior will vary across browsers and probably over time, so the only safe option that will work long-term is to make sure that all of the cookie options in the deletion response match exactly the cookie options used to create the cookie originally.
Response.Cookies["key"].Expires= DateTime.Now;