Why won't the Authorize attribute work with my roles? - asp.net-core-identity

I cannot figure out why ASP.NET Identity does not work with my roles. I created a custom UserStore and a custom RoleStore. In my UserStore I implemented the IUserRoleStore interface, and I expected at least one of those methods to be called when ASP.NET determines if the user should be authorized to call a given endpoint, but none of the methods are getting hit.
I registered the services like this:
builder.Services.AddIdentity<User, ProReceptionRole>();
builder.Services.AddTransient<IUserStore<User>, UserStore>();
builder.Services.AddTransient<IRoleStore<ProReceptionRole>, RoleStore>();
I also tried registering the services using this variant (with and without the AddRoles part - and with different ordering of the extension methods):
builder.Services.AddIdentity<User, ProReceptionRole>()
.AddUserStore<UserStore>()
.AddRoleStore<RoleStore>()
.AddRoles<ProReceptionRole>();
When I add the [Authorize(Roles = "MyRole")] attribute to my controller class, then I get 403 Forbidden, even for users that have the given role.
I read through the documentation but I can't spot my problem. The only part that I am unsure about is that it says If you are using Roles, update the RoleManager to use your RoleStore class. - and I am assuming that this is done when I register my RoleStore, but maybe I have to do something extra?
Any pointers are greatly appreciated.
Thanks!

Related

How to stop grails erasing custom validation errors

In my Grails app, I am using methods in a service to do complicated validation for user submitted data. Unfortunately, Grails is quietly sabotaging me.
I populate the domain instance with the user submitted data
I hand the instance off to the service, which analyzes the properties.
If errors are found I add them using
instance.errors.rejectValue('myValue','errors.customErrorCode','Error')
BEHIND THE SCENES, when the service passes the domain instance back to the controller grails checks for changed properties and calls validate() before returning the instance. (verifiable by seeing the beforeValidate event called on returning a domain instance from a service to a controller where one or more properties has changed)
That behavior clears any custom errors I have added and the instance I get back in the controller is now incorrectly without error.
How can I
A) stop grails from validating between service and controller
OR
B) prevent a validate() call from wiping my custom errors.
EDIT
So far I've found one partial answer,
If you use instance.get(params.id), grails will self validate behind the scenes wiping custom errors.
If you use instance.read(params.id) you can bypass this behavior to an extent.docs
But this solution is limited by domain relationships. Any other solutions welcome.
Seems that it is not custom validation. It can be because of transactional service. Service opens separate transaction for each method and clears entities after method end. You can find this mentioned in docs(read the last paragraph of part ). So errors dessappear not because of validation.
Don't know if your service is transactional. But if it is - you can add #NotTransactional annotation to method were you want not to loose errors. And
errors will be saved.
Hope it helped,
Matvei.
Not sure how your code looks like or what is causing the problem, but in any case I strongly suggest implementing custom validators in the domain class or in a command object within the constrains.
Here are some examples from grails docs:
http://docs.grails.org/2.4.0/ref/Constraints/validator.html

"Default principal object cannot be set twice" error implementing WEB API with CSLA backend

Can anyone save some of my hair? :)
I'm trying to create an asp.net WEB API interface for an older CSLA (1.x/2.x era) project. I am testing by hard coding the login on every request in various ways (once in the startup code, as an authorization request filter, inside the individual route request etc etc). All the ways I tried work exactly once perfectly and then I get the infamous:
'Default principal object cannot be set twice.'
exception in BusinessPrincipal.vb (yeah I know it's very old, but it's released software, I can't upgrade CSLA)
I know that there is an issue where you need to set HttpContext.Current.User = Thread.CurrentPrincipal; due to some internal workings of the web API and I do that already, that has not resolved the issue.
I'd like to know if anyone has implemented a web api front end and how they handled this issue or any pointers as to what could be the solution.
Worst case scenario if I could at least just login once and keep that same principal without losing it I could implement a second layer of security, that woudld be acceptable, barring anything else is there some way to just login once and not lose that principal?
That BusinessPrincipal class would be in your code base, not in CSLA itself. The Csla.Security namespace does include a BusinessPrincipalBase that is probably the base class for your BusinessPrincipal.
Classes in that namespace are here in GitHub
It is true that you can only call AppDomain.SetPrincipalPolicy one time, but you should be able to set the Thread.CurrentPrincipal and HttpContext.Current.User multiple times.

How to change scope/permissions with Microsoft.Web.WebPages.OAuth

Is there a way to change the scope/permission when using Microsoft.Web.WebPages.OAuth? The most logical place is when registering the client with OAuthWebSecurity.RegisterClient. I thought that the adding scope to the extraData parameter would possibly work, but I didn't have success with that.
Microsoft.Web.WebPages.OAuth does not expose the scope when authorizing with a client. I ended up adding custom DotNetOpenAuth clients to include my necessary scope.
The extradata is something you can pass about the provider and use it in tehe UI layer. For eg. extra data could be the icon to display when listing the provider to use for login.
Following post shows how you can write your own provider and plug it into your site
http://blogs.msdn.com/b/webdev/archive/2012/08/23/plugging-custom-oauth-openid-providers.aspx

Sample Code for Creating Custom Membership Provider

I am writing an MVC 3 application and I am trying to implement my own custom membership provider (following the sample in Apress' Pro ASP.NET MVC 3 Framework).
I created my custom class, inherited from MembershipProvider and (using ReSharper) implemented all 27 of the methods with NotImplementedExceptions.
Now, I have overridden the ValidateUser method as the book states and it works fine, but I would like to make my provider more robust and implement the other methods (e.g. set MinRequiredPasswordLength and GetNumberOfUsersOnline).
Is there some sample code that I can use to start populating these methods that I can tweak to fit my own DB/Model schema?
I can certainly use trial and error to figure it out, but a base code sample would greatly help.
EDIT:
This question was just downvoted twice. If you are going to downvote, please post a comment as to why so that I can work on improving my questions.
EDIT 2:
For example, for the following method:
public override int GetNumberOfUsersOnline()
{
throw new System.NotImplementedException();
}
I can try to write code from scratch to look at some web log, determine the users login time and approximate if they are still on, but that will take a large amount of time for me to figure out. Since all this code is from the same interface that Microsoft wrote for the standard SqlMembershipProvider, isn't there code out there (even from MS) that contains this method? If so, I want take it, modify it so it uses my DB schema instead of the aspnetdb default schema. I would prefer to have some sort of base code to work from. I thought this would be a simple and fairly standard request, but perhaps not.
You can't use the default provider's code for your custom provider, that is why you are implementing a custom one, to tweak it according to your requirements, use your own db tables etc.
Take a look at my blog posts about custom membership, custom role providers and custom membership user. There is an example there of how you can use your own database to get/set membership information.
Here's a of sample implementation of custom MembershipProvider on MSDN.
http://msdn.microsoft.com/en-us/library/6tc47t75.aspx

Grails - access only for object's owner

I'm still working on my first Grails application. This time, my problem is to limit access to some actions for particular users.
Assume users add some object, e.g. books. I would like to give access to edit a book only to admin and the user that added the book. I'm currently using Acegi plugin. I know there is newer version of that plugin, but I'm not sure if it changes anything in my problem.
The second thing is some kind similar. I have a sidebar and there is "Hello ${currentUser.username}. currentUser is a method that returns an instance of currently logged user. But the problem is that I don't have any idea where can I put this message to be able to use it everywhere. Should I put it in some service and include it everywhere? I tried to create an ApplicationController that is extended by all other controllers, but that doesn't seem to work. Have you got any ideas?
Thanks!
Grzegorz
You should use the newer Spring Security Core plugin since it has an ACL add-on plugin that does exactly what you're looking for. See http://grails.org/plugin/spring-security-acl for details.
For the second question, there's a taglib for that. In the Acegi plugin use this:
Hello <g:loggedInUserInfo field="username"/>
(see http://www.grails.org/AcegiSecurity+Plugin+-+Artifacts) and in the Spring Security Core plugin use this:
Hello <sec:username/>
(see the "Security Tags" section of http://burtbeckwith.github.com/grails-spring-security-core/docs/manual/)
For ROLE access you'll just need to specify that a particular ROLE for a particular URL has access to that action. That is if you are using the plugin's RequestMap approach. If you're using the annotation approach, just annotate the action in the controller with:
#Secured(['WHATEVER_ROLE'])
As far as only allowing the user who created the book to edit it, you can pull the user domain out of the authentication with authenticateService.userDomain(), then you can compare that user with the user who created the book (assuming you have some sort of createdBy property on your Book domain.
def loggedInUser = authenticateService.userDomain()
if (book.createdBy.equals(loggedInUser)) {
// allow editing
}
Something like that, anyway.

Resources