I have the following code:
[AcceptVerbs(HttpVerbs.Post), Authorize(Roles = RoleKeys.Administrators)]
public ActionResult Edit(int id, FormCollection collection)
{
User user = userRepository.GetUser(id);
try
{
this.UpdateModel(user);
userRepository.Save();
return this.RedirectToAction("Details", new { id = user.UserId });
}
catch
{
this.ModelState.AddModelErrors(user.GetRuleViolations());
return View(new UserFormViewModel(user));
}
}
If the currently logged in user is not in the Administrators role, it kicks them back to the login screen. The user is already logged in, they are just not authorize to perform the requested action.
Is there any way to have them redirected to a specific view, for example, AccessDenied?
You can define your own attribute:
public class MyAuthorizeAttribute: AuthorizeAttribute
{
public override void OnAuthorization( AuthorizationContext filterContext )
{
base.OnAuthorization(filterContext);
if (filterContext.Result is HttpUnauthorizedResult)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary
{
{ "controller", "Login" },
{ "action", "AccessDenied" }
});
}
}
}
and use
[AcceptVerbs(HttpVerbs.Post), MyAuthorize(Roles = RoleKeys.Administrators)]
Related
I have a IAuthenticationFilter will check the user group in SharePoint:
public class BasicAuthFilter : ActionFilterAttribute, IAuthenticationFilter
{
public void OnAuthentication(AuthenticationContext filterContext)
{
string userLoginName = filterContext.RequestContext.HttpContext.User.Identity.Name;
if (SecurityManager.Auth(userLoginName))
return;
else
filterContext.Result = new RedirectResult(new UrlHelper(filterContext.RequestContext).Action("AccessDenied", "Error"));
}
...
}
}
It will run on every request but except ErrorController
[AllowAnonymous]
public class ErrorController : Controller
...
// Display view and link for "Logout"
public ActionResult AccessDenied()
{
return View();
}
// GET: Logout
[OutputCache(VaryByParam = "*", Duration = 0, NoStore = true)] // disable caching
public ActionResult Logout()
{
string currentUser = User.Identity.Name;
int AuthenticationAttempts = 0;
if (Session["AuthenticationAttempts"] == null || !int.TryParse(Convert.ToString(Session["AuthenticationAttempts"]), out AuthenticationAttempts))
AuthenticationAttempts = 0;
AuthenticationAttempts += 1;
if (AuthenticationAttempts == 1)
{
Session["PrevUser"] = User.Identity.Name;
Session["AuthenticationAttempts"] = AuthenticationAttempts;
return new HttpUnauthorizedResult();
}
else if (string.Compare(Convert.ToString(Session["PrevUser"]), currentUser, true) == 0) // Somehow it will have echo back, ignore it
{
return new HttpUnauthorizedResult();
}
else
{
Session.Abandon();
Session.Clear();
return RedirectToAction("Index", "Home");
}
}
}
When the Error Controller return HttpUnauthorizedResult, the browser will prompt a login. And I can get the new user name from User.Identity.Name in ErrorController.
However, when it redirect to HomeController, the user was reset to original one, I tried following but still the same
filterContext.RequestContext.HttpContext.User.Identity.Name
filterContext.HttpContext.User.Identity.Name
filterContext.Principal.Identity.Name
Do I miss something or I should assign the principal after user input?
For anybody encounter the same issue, please make sure you have test it with IIS.
This method work but cannot work in IISExpress.
I have a MVC project with 2 areas: Admin and Client. I also have a login page in the main controller. What I want to do is to Authenticate a user based on its roles. If the user is for client they can't login to admin and the other way around.
For example if you try Localhost/admin, the code checks if the user is authorised. If not it redirects you to Localhost/admin/AccountLogin. The same for Localhost/client to Localhost/client/account/login.
I want to use a customAuthorize rather than [Authorize(Roles="Admin")].
everything works fine if I don't use roles, but the problem is if you login as client you can simply change the url and go to admin. So I tried to use roles.
In admin area:
An account Controller:
public class AccountController : MainProject.Controllers.AccountController
{ }
A home controller:
[CustomAuthorize("Admin")]
public class HomeController : Controller
{
public ActionResult HomePage()
{
return View();
}
}
The custom Authorise:
public class CustomAuthorizeAttribute : AuthorizeAttribute
{
private string _loginPage { get; set; }
private string _customRole { get; set; }
public CustomAuthorizeAttribute(string userProfilesRequired)
{
_customRole = userProfilesRequired;
_loginPage = "/" + _customRole + "/Account/Login";
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
var formsIdentity = filterContext.HttpContext.User.Identity as System.Web.Security.FormsIdentity;
// I want to check if the role of current user is the same as the controller If not redirect to the /account/login page.
var validRole = this.Roles == _customRole;//filterContext.HttpContext.User.IsInRole(_customRole);
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
if (!validRole)
{
filterContext.HttpContext.Response.Redirect(_loginPage);
}
}
else
{
filterContext.HttpContext.Response.Redirect(_loginPage);
}
base.OnAuthorization(filterContext);
}
}
The Account Controller in Main Controller:
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult Login()
{
return View();
}
//
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string ReturnUrl)
{
try
{
if (ModelState.IsValid)
{
if (model.UserName == "Arash" && model.Password == "123")
{
FormsAuthentication.SetAuthCookie(model.UserName, false);
//I need to set the roles here but not sure how
return RedirectToAction("homePage", "Home", new { area = GetArea() });
}
}
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
catch (Exception ex)
{
ModelState.AddModelError("", "Error: " + ex.Message);
return View(model);
}
}
}
and it the web config:
<forms loginUrl="~/Account/Login" timeout="200" />
</authentication>
<authorization>
<allow roles="Admin,Client" />
</authorization>
I searched a lot in the web but couldn't find a proper answer. I appreciate if you Could help me out to correctly implement this authorisation in MVC.
I just want to know how can I set a role to a user when login. At the moment if I set a user in login, it can't remember when it gets to CustomAuthorize class.
Any help?
Cheers,
There are a lot of ways to this but I will tell you what I used in this case.
You don't actually need to create a custom Authorization Attribute but instead make use of PostAuthenticateRequest event Handler in Global.asax given that you have a "table" roles in your database.
Add the code below in Global.asax
public override void Init()
{
this.PostAuthenticateRequest += new EventHandler(MvcApplication_PostAuthenticateRequest);
base.Init();
}
void MvcApplication_PostAuthenticateRequest(object sender, EventArgs e)
{
if (User.Identity.IsAuthenticated && User.Identity.AuthenticationType == "Forms")
{
string[] roles = GetRoleOfUser(Context.User.Identity.Name);
var newUser = new GenericPrincipal(Context.User.Identity, roles);
Context.User = Thread.CurrentPrincipal = newUser;
}
}
public string[] GetRoleOfUser(string username)
{
string[] usersInRole;
// Get the Role of User from the Database
// Should be of String Array
// Example Query to Database: 'Select UserRole FROM User WHERE Username = "arash"'
// It doesnt matter if user has One or more Role.
return usersInRole;
}
Then your account controller should be this.
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string ReturnUrl)
{
try
{
if (ModelState.IsValid)
{
if (model.UserName == "Arash" && model.Password == "123")
{
FormsAuthentication.SetAuthCookie(model.UserName, false);
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
return RedirectToAction("HomePage", "Home");
}
}
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
catch (Exception ex)
{
ModelState.AddModelError("", "Error: " + ex.Message);
return View(model);
}
}
Now for example there is an Action in your HomeController that can only be access by Admin. You can just decorate the action with Authorize attribute like this below.
HomeController.cs
[Authorize(Roles = "Admin")]
public ActionResult AdminHomepage()
{
//For Admin Only
return View();
}
[Authorize(Roles = "Client")]
public ActionResult ClientHomepage()
{
//Client only Homepage, User with Role "Admin" cant go here.
return View();
}
[AllowAnonymous]
public ActionResult HomePageForAll()
{
//For Everyone
return View();
}
[Authorize(Roles = "Client,Admin")]
public ActionResult HomePageForClientAndAdmin()
{
return View();
}
public ActionResult HomePage()
{
return View();
}
The user will be redirected to Login URL if they are not authorized given that it is specified in Web.config (Which you already have set).
I have an action method and that can be accessed by Admin only
// Action Methods
[AuthorizationService] // My custom filter ,you can apply at controller level
public ActionResult ProjectList(Employee emp)
{
// do some work
}
//Employee class
public class Employee
{
string Name{get;set;}
string Role{get;set;}
}
// My custom filter
class AuthorizationService : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
Employee = filterContext.ActionParameters["emp"] as Employee;
if (Employee.Role!="Admin")
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(
new { action = "Login", Controller ="Home"}));
}
}
}
I have developed a module which authorizes the roles from the database dynamically. Now, what i want is,when a user comes and browses different actionmethod without logging in, I am able to redirect the user to the login page. As soon as the user logs in, he should be redirected to the actionmethod/view which he was trying to access without login. The following is the code which i am using to extract the URL browsed without logging in. I also have a key defined in my web.config as serverURL which gives me initial url like localhost. How to i make the below returnurl remembered and redirect the user to the desired actionmethod/view after logging in.
returnUrl = HttpContext.Current.Request.RawUrl;
public class AuthorizeUserAttribute : AuthorizeAttribute
{
public string Feature { get; set; }
public string returnUrl { get; set; }
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
//var isAuthorized = base.AuthorizeCore(httpContext);
//if (!isAuthorized)
//{
// return false;
//}
if (httpContext != null && httpContext.Session != null && httpContext.Session["Role"] != null)
{
string userRoles = UserBL.ValidateUsersRoleFeature(httpContext.Session["Role"].ToString(), Feature);
if (!string.IsNullOrEmpty(userRoles))
{
if (userRoles.IndexOf(httpContext.Session["Role"].ToString()) >= 0)
{
return true;
}
}
return false;
}
else
return false;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
HttpSessionStateBase session = filterContext.HttpContext.Session;
if (session.IsNewSession || session["Email"] == null)
{
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
// For AJAX requests, return result as a simple string,
// and inform calling JavaScript code that a user should be redirected.
JsonResult result = new JsonResult();
result.ContentType = "text/html";
result.Data = "SessionTimeout";
filterContext.Result = result;
//$.ajax({
// type: "POST",
// url: "controller/action",
// contentType: "application/json; charset=utf-8",
// dataType: "json",
// data: JSON.stringify(data),
// async: true,
// complete: function (xhr, status) {
// if (xhr.responseJSON == CONST_SESSIONTIMEOUT) {
// RedirectToLogin(true);
// return false;
// }
// if (status == 'error' || !xhr.responseText) {
// alert(xhr.statusText);
// }
// }
// });
//}
}
else
{
// For round-trip requests,
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary { { "Controller", "User" }, { "Action", "Login" } });
returnUrl = HttpContext.Current.Request.RawUrl;
}
}
else
base.OnAuthorization(filterContext);
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(
new
{
controller = "Base",
action = "PageNotAccessible"
})
);
}
}
In attribute return the url on which user was in routes:
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary
{
{ "Controller", "User" },
{ "Action", "Login" },
{"returnUrl",HttpContext.Current.Request.RawUrl}
});
and in your action:
[AllowAnonymous]
public virtual ActionResult Login()
{
ViewBag.returnUrl = Request.QueryString["returnUrl"];
return View();
}
In View:
#using(Html.BeginForm("Login","User",new{returnUrl = ViewBag.returnUrl},FormMethod.Post))
{
<input type="submit" value="Login" />
}
and in Post Action:
[AllowAnonymous]
[HttpPost]
public virtual ActionResult Login(User model, string returnUrl)
{
if(ModelState.IsValid)
{
// check if login successful redirect to url from where user came
if(LoginSucessful)
return Redirect(returnUrl); // will be redirected to url from where user came to login
return View();
}
in your html page, create a hidden tag:
<div id="HiddenURL" class="hidden"></div>
the moment the user access a certain page, use Javascript to bind the url the user came from in a hidden value in you web page:
$(document).ready(function ()
{
$('#HiddenURL').text(window.location.href.toLowerCase());
...
}
In your asp.net page assign to action, the url taken from div text:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary(
new
{
controller = "Base",
action = HiddenURL.Value
})
);
}
How can I redirect user after successful login to specific page. I need to do this by Authorize Attribute. In my problem I have to redirect user to page: Index/About when he/she would use specific login name, rest of users would be redirected to Index/Home.
I try this method:
public class AuthAttribute : AuthorizeAttribute
{
private string userName;
protected override bool AuthorizeCore(HttpContextBase filterContext)
{
var authorized = base.AuthorizeCore(filterContext);
if (!authorized)
{
return false;
}
string userAuthenticated = filterContext.User.Identity.Name;
bool specialUser = userName.Equals(userAuthenticated, StringComparison.OrdinalIgnoreCase);
if (specialUser)
{
filterContext.Items["RedirectToHomeAbout"] = true;
return false;
}
return true;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
if (filterContext.HttpContext.Items.Contains("RedirectToHomeAbout"))
{
var routeValues = new RouteValueDictionary(new
{
controller = "Home",
action = "About",
});
filterContext.Result = new RedirectToRouteResult(routeValues);
}
else
{
base.OnAuthorization(filterContext);
}
}
This is the code from account controller:
[Authorize]
[InitializeSimpleMembership]
public class AccountController : Controller
{
//
// GET: /Account/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
//
// POST: /Account/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
{
return RedirectToLocal(returnUrl);
}
// If we got this far, something failed, redisplay form
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
//
// POST: /Account/LogOff
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
WebSecurity.Logout();
return RedirectToAction("Index", "Home");
}
Thanks!
MarQ
Instead of override OnAuthorization, you might want to override HandleUnauthorizedRequest.
In this way, the code would look like:
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext) {
if (filterContext.HttpContext.Items.Contains("RedirectToHomeAbout"))
{
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary
{
{ "action", "About" },
{ "controller", "Home" }
});
}
else
{
//your general redirect here
}
}
If I understand your requirement correctly you can do it in your AccountController:
private string specificUserName = "specificUserName";
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model, string returnUrl)
{
if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
{
if (string.Equals(model.UserName, specificUserName))
{
return RedirectToAction("Index", "About");
}
return RedirectToAction("Index", "Home");
}
// If we got this far, something failed, redisplay form
ModelState.AddModelError("", "The user name or password provided is incorrect.");
return View(model);
}
Is it possible to make a filter that, after a controller action has been (mostly) processed, checks for a certain test condition and routes to a different view transparently to the user (i.e., no change in the URL)?
Here would be my best guess at some pseudocode:
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
// If some condition is true
// Change the resulting view resolution to XYZ
base.OnResultExecuting(filterContext);
}
filterContext.Result = new ViewResult
{
ViewName = "~/Views/SomeController/SomeView.cshtml"
};
This will short-circuit the execution of the action.
also you can return view as from your action
public ActionResult Index()
{
return View(#"~/Views/SomeView.aspx");
}
This is what I ended up doing, and wrapped up into a reusable attribute and the great thing is it retains the original URL while redirecting (or applying whatever result you wish) based on your requirements:
public class AuthoriseSiteAccessAttribute : ActionFilterAttribute
{
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
base.OnActionExecuting(filterContext);
// Perform your condition, or straight result assignment here.
// For me I had to test the existance of a cookie.
if (yourConditionHere)
filterContext.Result = new SiteAccessDeniedResult();
}
}
public class SiteAccessDeniedResult : ViewResult
{
public SiteAccessDeniedResult()
{
ViewName = "~/Views/SiteAccess/Login.cshtml";
}
}
Then just add the attribute [SiteAccessAuthorise] to your controllers you wish to apply the authorisation access to (in my case) or add it to a BaseController. Make sure though the action you are redirecting to's underlying controller does not have the attribute though, or you'll be caught in an endless loop!
I have extended the AuthorizeAttribute of ASP.NET MVC action filter as DCIMAuthorize, in which I perform some security checks and if user is not authenticated or authorized then action filter will take user to access denied page. My implementation is as below:
public class DCIMAuthorize : AuthorizeAttribute
{
public string BusinessComponent { get; set; }
public string Action { get; set; }
public bool ResturnJsonResponse { get; set; }
public bool Authorize { get; set; }
public DCIMAuthorize()
{
ResturnJsonResponse = true;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
try
{
//to check whether user is authenticated
if (!httpContext.User.Identity.IsAuthenticated)
return false;
//to check site level access
if (HttpContext.Current.Session["UserSites"] != null)
{
var allSites = (VList<VSiteList>)HttpContext.Current.Session["UserSites"];
if (allSites.Count <= 0)
return false;
}
else
return false;
// use Authorize for authorization
Authorize = false;
string[] roles = null;
//get roles for currently login user
if (HttpContext.Current.Session["Roles"] != null)
{
roles = (string[])HttpContext.Current.Session["Roles"];
}
if (roles != null)
{
//for multiple roles
string[] keys = new string[roles.Length];
int index = 0;
// for each role, there is separate key
foreach (string role in roles)
{
keys[index] = role + "-" + BusinessComponent + "-" + Action;
index++;
}
//access Authorization Details and compare with keys
if (HttpContext.Current.Application["AuthorizationDetails"] != null)
{
Hashtable authorizationDetails = (Hashtable)HttpContext.Current.Application["AuthorizationDetails"];
bool hasKey = false;
foreach (var item in keys)
{
hasKey = authorizationDetails.ContainsKey(item);
if (hasKey)
{
Authorize = hasKey;
break;
}
}
}
}
return base.AuthorizeCore(httpContext);
}
catch (Exception)
{
throw;
}
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
try
{
filterContext.Controller.ViewData["ResturnJsonResponse"] = ResturnJsonResponse;
base.OnAuthorization(filterContext);
if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
{
// auth failed, redirect to login page
filterContext.Result = new HttpUnauthorizedResult();
return;
}
if (!Authorize)
{
//Authorization failed, redirect to Access Denied Page
filterContext.Result = new RedirectToRouteResult(
new RouteValueDictionary{{ "controller", "Base" },
{ "action", "AccessDenied" }
//{ "returnUrl", filterContext.HttpContext.Request.RawUrl }
});
}
}
catch (Exception)
{
throw;
}
}
}
You Can Also Save All Route File Path in a Static And Use it Like This :
public static class ViewPath
{
public const string SomeViewName = "~/Views/SomeViewName.cshtml";
//...
}
And into Your ActionFilter :
context.Result = new ViewResult()
{
ViewName = ViewPath.SomeViewName /*"~/Views/SomeViewName.cshtml"*/
};