I have multi-tenant ASP.NET MVC application which utilizes subdomains to determine the current tenant. Whether or not the domain is valid is determined via database table lookup.
Where would be the best place to have a function that checks if the domain is in the database?If the subdomain is not in the database, it should redirect to the Index action in the Error controller.
Placing the check in the Application_BeginRequest method in the Global.asax file doesn't work because a never ending redirect results.
Where would be the best place to have a function that checks if the domain is in the database?If the subdomain is not in the database, it should redirect to the Index action in the Error controller.
Placing the check in the Application_BeginRequest method in the Global.asax file doesn't work because a never ending redirect results.
That's the right place, you just need to check the request Url is not already /Error.
You might already be doing so, but I'd like to add that it seems pretty static information that you should cache instead of hitting the database for each request.
u can subclass actionFilter attribute and override onactionExecuting method. in this method u can make any database checks and redirect the user appropriately
public class CustomActionFilterAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
if(DatabaseLookup)
{
return;
}
filterContext.Result = new RedirectResult("http://servername/Error");
}
}
now u can decorate ur action methods with this custom actionfilter attribute
[CustomActionFilter]
public ActionResult mymethod()
{
//action method goes here
}
Related
I have a super simple Authentication Attribute that I'm trying to implement in an ASP.NET MVC 5 application and I'm having some trouble. I want the attribute to be applied globally, except for specific actions within a controller (for example the login form and the home page).
I've tried decorating the action with the [OverrideAuthentication] attribute with no luck. It gives me a redirect loop error because the application is still running the authentication on the login form, and keeps trying to redirect back to the login form over and over.
Has anyone else seen this behaviour? Any idea what I've stuffed up here?
By way of example, I've created a super simple filter that is currently unimplemented:
public class BasicAuthenticationAttribute
: ActionFilterAttribute, IAuthenticationFilter
{
public void OnAuthentication(AuthenticationContext filterContext)
{
throw new NotImplementedException();
}
public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
{
throw new NotImplementedException();
}
}
If I decorate my controller/action like this:
[BasicAuthentication]
public class AccountController : Controller
{
[HttpGet]
[OverrideAuthentication]
public ActionResult Login()
{
return View();
}
}
I get a not implemented exception when I navigate to the Login action, even though that action shouldn't be running the authentication code at all. Have I misunderstood how overrides are supposed to work?
I think you have confused authentication with authorization (as many people do). It doesn't make sense to make a [BasicAuthenticationAttribute] and register it globally, because authentication only happens upon login, not on every request.
Authorization is what takes place after the user has logged in to check whether the user has the required privileges to do a specific action, and it makes sense to do authorization globally. Authorization in MVC is handled by the [AuthorizeAttribute] and you can inherit it if you need to customize the way the authorization check is done. You can also register it as a global filter.
The [AllowAnonymousAttribute] works in conjunction with [AuthorizeAttribute], and basically tells it to skip the authorization check. It should also be noted that the [AllowAnonymousAttribute] will have no effect unless it is used with the [AuthorizeAttribute].
I just wanted to gauge opinions on how I should approach this problem and ultimately looking for a quick win (wrong way to think about things nut time pressures mean I have to think and act quickly!
I've been given a website that has a bit of an issue.
I login using standard forms authentication as User1234 and my url is as follows:
www.mywebsite.co.uk/1234/Contact.
This will take me to User1234's details.
You can put two and two together and correctly assume that 1234 is a user id of some sort.
Once authenticated, I can access the views with [Authorize] attribute present, any anonymous/unathenticated users get redirected.
However, once logged in as User1234, I can then tinker with the url like so:
www.mywebsite.co.uk/1235/Contact.
So I am authenticated as User1234 but can see User1235's data. This is BAD for obvious reasons.
When I log in, I actively set the login ID in session so in theory, I could do a check whenever a user hits an ActionResult, I could cross check the ID present in the URL against the session login ID. However, it is a rather project with lots of action results and as such, I'm reluctant to spend my Saturday afternoon adding something to each and every ActionResult.
Is there an event in the global.asax I could use that is hit on each ActionResult request where I can compare Session login ID with url ID?
Alternatively, can anyone offer some suggestions about how I can achieve this or restrict URL tampering?
You can try and do a base controller
public class BaseController : Controller
{
protected override void OnActionExecuted(ActionExecutedContext filterContext)
{
//Do your stuff here
base.OnActionExecuted(filterContext);
}
}
I assume that you don't want to change your URL routes, as you could retrieve the user id also from the session. A quick solution would be to use an ActionFilter which you can place on the affected controllers or action methods:
public class VerifyUserIdAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
var sessionUserId = filterContext.HttpContext.Session["UserId"];
var routeUserId = filterContext.RouteData.Values["UserId"];
if (routeUserId != null && sessionUserId == routeUserId)
filterContext.Result = new RedirectResult("<<url to redirect to>>");
}
}
I don't understand why the URL contains a data entry point. This appears to be a design flaw. I would remove all code that uses a URL parameter and instead make sure the controller looks up what the ID is based on the logged in user.
I have a site with a lot of routes.
Some routes, e.g. /sector-overview are to a specific page that I want the user to see.
Other routes, e.g. /sectoroverview are to an an action that ultimately renders a partial which is included on the homepage.
the second route is only meant to be internal to the application, but if the user types that into their address bar (it's an easy mistake to make), the system sees that as a valid request and it'll return the HTML partial.
I could rename the second route to something like /internal-sectoroverview, but this isn't really fixing the problem, just hiding it.
Is there any way for me to prevent the request from being processed if the user types this? What's the best way for me to deal with this issue?
You can block the route by using route constraints. However, in your case I would decorate your internal Action with [ChildActionOnly] like this:
[ChildActionOnly]
public ActionResult Overview()
{
return View();
}
By doing this, the action will be only rendered when using #Html.Action or #Html.RenderAction. If you try to access it through a browser, you'll get an error.
UPDATE
To return a 404 instead of an error you can override the OnException method on the controller and handle it there. Something like this:
protected override void OnException(ExceptionContext filterContext)
{
filterContext.ExceptionHandled = true;
//check if filterContext.Exception was thrown by child action only (maybe by text)
filterContext.Result = new HttpStatusCodeResult(404);
}
If I understand right you should resolve the problem of the partial not being called using the attribute ChildActionOnly.just for reference if you don't want that a method in your action can be called at all use the NonActionAttribute
I have a similar problem issue that people finding this might also need - I want to return 404 if a certain criteria is met from a function that returns a PartialViewResult. The solution for me was
public PartialViewResult MyFunction()
{
if( criteria ) {
Response.StatusCode = 404;
return null;
}
}
Usually I protect my Actions with [Authorize] but this time I need to check if a user is authorized inside the action.
Eg
if(userIsAuthorized) {
//do stuff
}
else {
//return to login page
}
I believe I am using 'Forms Authentication'
This question is kind of similar to this but none of the answers given seemed to work.
EDIT: I have done some more digging- it seems if I breakpoint on an Action that has [Authorize], the User.Identity is set, but on Actions without it, the User.Identity is empty, even if I am logged in
If you just want to know if the user is logged in:
if (User.Identity.IsAuthenticated) { ... }
If you are trying to do anything role-specific:
if (User.IsInRole("Administrators")) { ... }
The User instance is a public property of the Controller class, so you always have access to it from a Controller you write. If no user is logged in you should have a GenericPrincipal for the User and a GenericIdentity for the User.Identity, so don't worry about checking for nulls.
Request.IsAuthenticated should work for what you're trying to do.
I suggest first figuring out what kind of Authorization your using. ;)
The answer you posted is correct. From what I remember poking around the [Authorize] attribute and related ActionFilter code MVC internally calls Page.User.Identity.IsAuthenticated just like those code examples.
Create an attribute like this: OnActionExecuting will get executed first before other code from the action
public class IsAuthenticatedAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
//do your validations here. and redirect to somewhere if needed.
filterContext.HttpContext.Response.Redirect("/") //this will send user to home.
}
}
on each action where you need to check, add attribute like this:
[IsAuthenticatedAttribute]
public ActionResult ActionName(parameters?)
{
// no need to worry about checking here.
//do you action things
}
EDIT:
This one still completes the action and then only redirect it. Not so much useful.
Put annotation [Authorize] in every your Action.
Microsoft link.
Example:
public class AdministrationController : Controller
{
// GET: User/Create
[Authorize]
public ActionResult Create()
{
}
}
I'm trying to instantiate a service and authenticate the current user within the Application_PreRequestHandlerExecute() method and then dispose of this service in the* Application_PostRequestHandlerExecute() method of the global.asax.cs class. One of the items I need for this process is the orgname which is appended at the beginning of my url route. I have mapped a route that looks like this "{orgName}/{controller}/{action}/{id}"
So my question is, within an ASP.Net MVC application is it possible to access any of the routing information (or somehow access the "orgname" in my instance) within the Application_PreRequestHandlerExecute() event? If this is not possible is there some other way to hook into an MvcHandler and do something similar (maybe I should build a custom filter?)
You need the "RequestContext" to find all the route values. I don't know any other way to get them than inside the controller.
You sould implement a "ActionFilterAttribute", then decorate your controllers with it.
the ActionFilter has the methods
// Called after the action method executes.
public virtual void OnActionExecuted(ActionExecutedContext filterContext);
// Called before the action method executes.
public virtual void OnActionExecuting(ActionExecutingContext filterContext);
that you can do all sorts of fun stuff in.