Can any one tell me how to implement roles based authorization in mvc3 for all the action methods.Till now in my application i have not written any code to track the user roles.
Only in the main menu of the application iam checking the roles to build the menu,but iwant to deny access to users when he types the url.I was thinking of implementing attributes.Can anyone give me suggestions .
Thanks in advance
Try Something below.
protected override void OnAuthorization(AuthorizationContext filter_context)
{
#region If auth cookie is present
if (auth_cookie != null)
{
#region IF loggedin user is a member
if (SiteUsers.LoggedInUser.UserRole == UserRole.Buyer
&& filter_context.ActionDescriptor.ControllerDescriptor.ControllerName == "Home"
&& filter_context.ActionDescriptor.ActionName == "Index")
{
filter_context.Result = RedirectToAction("Index", "Home");
}
#endregion
#region If loggedin user is a super admin
else if (SiteUsers.LoggedInUser.UserRole == UserRole.Administrator && !filter_context.ActionDescriptor.ControllerDescriptor.GetCustomAttributes(typeof(Adminstrator), false).Any())
{
if (!filter_context.ActionDescriptor.GetCustomAttributes(typeof(AllowAdmin), false).Any())
{
filter_context.Result = RedirectToAction("Home", "Admin");
}
}
#endregion
ViewBag.SiteUsers = SiteUsers;
}
#endregion
#region if authorization cookie is not present and the action method being called is not marked with the [SkipAuthentication] attribute
else if (!filter_context.ActionDescriptor.GetCustomAttributes(typeof(SkipAuthentication), false).Any())
{
if (Request.IsAjaxRequest()) filter_context.Result = Json(new ActionOutput { Results = new List<string> { Url.Action("Signin", "Home") }, Status = ActionStatus.Error }, JsonRequestBehavior.AllowGet);
else
filter_context.Result = RedirectToAction("Signin", "Home");
}
#endregion
#region if authorization cookie is not present and the action method being called is marked with the [SkipAuthentication] attribute
else
{
SiteUsers = new ReplictivityUserDetails();
ViewBag.SiteUsers = SiteUsers;
}
#endregion
}
Related
I have the following WebApi action that deletes an order from the back-end database, only for users that are in the Admin and Order roles. However, if the user is also in the Readonly role the action returns a HTTP 403 Forbidden response.
[Authorize(Roles = "Admin,Order")]
public async Task<IHttpActionResult> Delete(int orderid) {
if(User.IsInRole("Readonly")) { return Forbidden(); }
var order = await _repository.Get(orderid);
if(order != null) {
await _repository.Delete(orderid);
return NoContent();
}
else {
return NotFound();
}
}
What I'd like to know is it possible to prevent actions from being executed if users are in specific roles so that I do not have to put if(User.IsInRole("Readonly")) { return Forbidden(); } at the start of all database update-able action methods, e.g.
[Authorize(Roles = "Admin,Order")]
[NotAuthorized(Roles = "Readonly")]
public async Task<IHttpActionResult> Delete(int orderid) {
var order = await _repository.Get(orderid);
if(order != null) {
await _repository.Delete(orderid);
return NoContent();
}
else {
return NotFound();
}
}
The NotAuthorized action filter will return a HTTP 403 Forbidden response if the user is in the Readonly role.
Is this possible?
This is the code to implement a reverse of the [Authorize()] attribute and forbid users from executing MVC WebApi actions if they are a member of one or more roles.
using System;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Web.Http;
using System.Web.Http.Controllers;
namespace MyAPI {
[AttributeUsage(AttributeTargets.Method,AllowMultiple = false)]
public class NotAuthorizedAttribute : AuthorizeAttribute {
public override void OnAuthorization(HttpActionContext actionContext) {
IPrincipal user = actionContext.RequestContext.Principal;
if(!user.Identity.IsAuthenticated) {
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Unauthorized);
}
else {
bool userInRole = false;
foreach(var role in Roles.Split(',')) {
if(user.IsInRole(role)) {
userInRole = true;
break;
}
}
if(userInRole) {
actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden);
}
}
}
}
}
To use this filter attribute simply decorate any actions that you don't want users to execute if they're a member of a restricted role, e.g. if the user is part of a read-only role they not permitted to update the database:
[Authorize(Roles = "Admin,Order")]
[NotAuthorized(Roles = "Readonly")]
public async Task<IHttpActionResult> Delete(int orderid) {
var order = await _repository.Get(orderid);
if(order != null) {
await _repository.Delete(orderid);
return NoContent();
}
else {
return NotFound();
}
}
I have two controllers, AdminController and AccountController with the following code
AccountController:
[HttpPost]
public ActionResult LogOn(LogOnViewModel model)
{
if (ModelState.IsValid)
{
_authenticationService.SetPrincipal(model.UserName);
var exists = _authenticationService.ValidateCredentials(userName, password);
FormsAuthentication.SetAuthCookie(model.UserName, false);
if(exists){
return RedirectToAction("Index", "Admin");
}
}
return RedirectToAction("LogOn");
}
AdminController:
[Authenticate]
public class AdminController : Controller
{
[HttpGet]
public ActionResult Index()
{
return View();
}
}
AuthenticateAttribute is inherited from AuthorizeAttribute and has the following code:
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
var authenticated = false;
if (HttpContext.Current.User != null && HttpContext.Current.User.Identity.IsAuthenticated)
{
//some actions
}
else
{
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
}
return authenticated;
}
_authenticationService is the instance of AuthenticationService class and SetPrincipal() method has the following code:
public void SetPrincipal(string userName)
{
var identity = new GenericIdentity(userName);
var principal = new GenericPrincipal(identity, null);
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
{
var ticket = new FormsAuthenticationTicket(1,
principal.Identity.Name,
DateTime.Now,
DateTime.Now.AddMinutes(30),
false,
String.Empty,
FormsAuthentication.FormsCookiePath);
string encryptedCookie = FormsAuthentication.Encrypt(ticket);
var authenticationCookie = HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName];
if (authenticationCookie != null)
{
authenticationCookie.Value = encryptedCookie;
authenticationCookie.Expires = DateTime.Now.AddMinutes(30);
}
HttpContext.Current.User = principal;
}
}
When I debug and watch AuthenticationService.SetPrincipal() HttpContext.Current.User.Identity.IsAuthenticated is true. But after redirect to Index action of AdminController in AuthenticateAttribute.AuthorizeAttribute() HttpContext.Current.User.Identity.IsAuthenticated is always false. As result I redirected to LogOn view again.
What am I doing wrong?
I don't see anywhere where you actually send the cookie back to the client. In order to be authenticated on each subsequent request, you have to send the encrypted cookie back to the client so that it can pass it back to your site.
HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedCookie);
Response.Cookies.Add(cookie);
I see where you try and get the current authentication cookie here:
var authenticationCookie = HttpContext.Current.Response.Cookies[FormsAuthentication.FormsCookieName];
But again, this is a GET, not a SET (or sending the cookie back) function line. At this point in your authentication, if you set a debugger, authenticationCookie is always going to be NULL.
Also, I don't see where you validate the password in any of your actions or functions. Ensure you are not overlooking that step.
One more thought/question/issue with your code. You are setting a variable called userExists in your controller action, but the function you call is a void type, so...you don't need to set that variable, just call the function.
_authenticationService.SetPrincipal(model.UserName);
return RedirectToAction("Index", "Admin");
In reference to this posted question
The answer given does not work for me and I am having the same problem here.
I'm also using aspnet authentication and a user can try to navigate to any page on the site, specifically it is very common for a user to navigate to something like /mycontroller/myaction/25 where 25 is an account or product identifier that is used very often by that user.
If the user is currently not authenticated when trying to access that url, they are redirected to the logon screen. After logon, the redirect(returnURL) is NOT navigating the user to the requested page. The page stays on the login screen.
The url that a user would paste into the address bar before login could be:
http://localhost:4082/Account/LogOn?ReturnUrl=%2fProduct%2fEdit%2f59
After entering credentials and debugging to see that the credentials were authenticated, the URL is the same
http://localhost:4082/Account/LogOn?ReturnUrl=%2fProduct%2fEdit%2f59
The difference between the stock mvc project and mine is that I have a little more than just a logon happening at the login action. Here is my code: (I've obviously broken something by making each function small and contained)
public ActionResult LogOn() {
if (User.Identity.IsAuthenticated)
return RedirectToAction("Index", "Home");
var model = new LogOnViewModel();
return View(model);
}
[HttpPost]
public ActionResult LogOn(LogOnViewModel model, string returnUrl) {
if (ModelState.IsValid) {
try {
return AttemptToAuthenticateUser(model, returnUrl);
}
catch (Exception ex) {
ModelState.AddModelError("", ex.Message);
}
}
return View(model);
}
private ActionResult AttemptToAuthenticateUser(LogOnViewModel model, string returnUrl) {
var membershipUser = GetUserFromMembershipProvider(model.Username, false);
var audit = new LoginAudit(model.Username, model.Password, Request.Browser.Browser, Request.Browser.Type, Request.UserHostAddress);
VerifyUserAccountIsApprovedNotLockedOut(membershipUser);
AuthenticateCredentials(model, audit);
AuditLogon(audit, model.Username, true);
return ForwardToLogonResultAction(membershipUser, returnUrl, model.RememberMe);
}
internal static MembershipUser GetUserFromMembershipProvider(string username, bool isUserCurrentlyLoggedIn) {
var membershipUser = Membership.GetUser(username, isUserCurrentlyLoggedIn);
if (membershipUser == null)
throw new Exception("The user account was not found");
return membershipUser;
}
internal static void VerifyUserAccountIsApprovedNotLockedOut(MembershipUser membershipUser) {
if (membershipUser.IsLockedOut || !membershipUser.IsApproved)
throw new Exception("This account has been disabled or has been locked out. Please contact Administration for support");
}
private void AuthenticateCredentials(LogOnViewModel model, LoginAudit audit) {
if (Membership.ValidateUser(model.Username, model.Password)) { }
else {
AuditLogon(audit, model.Username, false);
throw new Exception("The user name or password provided is incorrect");
}
}
private void AuditLogon(LoginAudit audit, string username, bool isSuccessfullyAuthenticated) {
if (isSuccessfullyAuthenticated)
audit.Password = string.Empty;
audit.Save(username);
}
private ActionResult ForwardToLogonResultAction(MembershipUser currentMembershipUser, string returnUrl, bool rememberMe) {
if (IsPasswordOnAccountTemporary((Guid)currentMembershipUser.ProviderUserKey))
return RedirectToAction("Edit", "ChangePassword");
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) {
return Redirect(returnUrl);
}
return ForwardUserToHomePage(currentMembershipUser.UserName, rememberMe);
}
private bool IsPasswordOnAccountTemporary(Guid userGUID) {
var profile = new Profile(userGUID);
return profile.IsTemporaryPassword;
}
Update
I tried changing the Post action so that the returnURL check is in the same action but it still doesn't work:
[HttpPost]
public ActionResult LogOn(LogOnViewModel model, string returnUrl) {
if (ModelState.IsValid) {
try {
AttemptToAuthenticateUser(model, returnUrl);
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/") && !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
return Redirect(returnUrl);
return ForwardUserToHomePage(model.Username, model.RememberMe);
}
catch (Exception ex) {
ModelState.AddModelError("", ex.Message);
}
}
return View(model);
}
Update 2
Changing my code back to the way I orginally had it, it works perfect... so this tells me that it has more to do with the ordering of the what I'm doing than anything else... going to try to re-order the smaller methods to match the order of this action and see what happens
[HttpPost]
public ActionResult LogOn(LogOnViewModel model, string returnUrl) {
if (ModelState.IsValid) {
MembershipUser currentUser;
var audit = new LoginAudit(model.Username, model.Password, Request.Browser.Browser, Request.Browser.Type, Request.UserHostAddress);
if (Membership.ValidateUser(model.Username, model.Password)) {
audit.Password = string.Empty;
FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
currentUser = Membership.GetUser(model.Username, true);
if (currentUser != null && currentUser.ProviderUserKey != null) {
var profile = new Profile((Guid)currentUser.ProviderUserKey);
if (profile.IsTemporaryPassword)
return RedirectToAction("Edit", "ChangePassword");
}
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
&& !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\")) {
return Redirect(returnUrl);
}
return RedirectToAction("Index", "Home");
}
currentUser = Membership.GetUser(model.Username, false);
if (currentUser != null && (currentUser.IsLockedOut || !currentUser.IsApproved)) {
ModelState.AddModelError("", "This account has been locked out. Please contact ELM Administration for support.");
}
else {
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
audit.Save(model.Username);
}
return View(model);
}
Udpate 3
This fixed it, got it on my own :-)
private void AuthenticateCredentials(LogOnViewModel model, LoginAudit audit) {
if (Membership.ValidateUser(model.Username, model.Password)) {
FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
}
else {
AuditLogon(audit, model.Username, false);
throw new Exception("The user name or password provided is incorrect");
}
}
In your Logon View, are you passing the url to the HttpPost method ?
#using (Html.BeginForm("LogOn", "Account", new { returnUrl= Request.QueryString["ReturnUrl"] }))
{
//your form elements
<input type="submit" value="Login" />
}
The fix was to set the cookie earlier than I was before. I was setting the cookie only when I called ForwardUserToHomePage method where the cookie was being set and then redirect to home/index. But since that method was never being called as I was doing a redirect(returnUrl) instead and the cookie wasn't set. Since it wasn't set, the redirect failed as the client believed the used to not yet be logged in, hence the login page was "being hit again" in actuality.
Modified my AuthenticateCredentials method to be:
private void AuthenticateCredentials(LogOnViewModel model, LoginAudit audit) {
if (Membership.ValidateUser(model.Username, model.Password)) {
FormsAuthentication.SetAuthCookie(model.Username, model.RememberMe);
}
else {
AuditLogon(audit, model.Username, false);
throw new Exception("The user name or password provided is incorrect");
}
}
I am developing an asp.net mvc 3.0 application which has a simple authentication process. User fills a form which is sent to server by ajax call and gets response, but the problem here is that using the following method :
FormsAuthentication.SetAuthCookie(person.LoginName,false);
is not enough to fill 'HttpContext.Current.User' and it needs the below method to be run :
FormsAuthentication.RedirectFromLoginPage("...");
Problem here is that as i mentioned, the loggin form uses an ajax form, and get responses with json, so redirecting is not possible.
How could I fill 'HttpContext.Current.User' ?
Thanks.
Update :
Here is register method :
[HttpPost]
public ActionResult Register(Person person)
{
var q = da.Persons.Where(x => x.LoginName == person.LoginName.ToLower()).FirstOrDefault();
if (q != null)
{
ModelState.AddModelError("", "Username is repettive, try other one");
return Json(new object[] { false, this.RenderPartialViewToString("RegisterControl", person) });
}
else
{
if (person.LoginName.ToLower() == "admin")
{
person.IsAdmin = true;
person.IsActive = true;
}
da.Persons.Add(person);
da.SaveChanges();
FormsAuthentication.SetAuthCookie(person.LoginName,false);
return Json(new object[] { true, "You have registered successfully!" });
}
}
FormsAuthentication doesn't support immediate setting of user's identity, but you should be able to fake it by something like this:
HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(
new System.Security.Principal.GenericIdentity(person.LoginName),
new string[] { /* fill roles if any */ } );
Here is the version I ended up using, which is based on the answer by #AdamTuliper-MSFT. It is only meant to be used right after logging in, but before redirect, to allow other code to access HttpContext.User.
Don't do anything if already authenticated
Doesn't modify the cookie, since this should only be used for the lifetime of this request
Shorten some things, and a little safer with userdata (should never be null, but...)
Call this after you call SetAuthCookie(), like below:
// in login function
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
AuthenticateThisRequest();
private void AuthenticateThisRequest()
{
//NOTE: if the user is already logged in (e.g. under a different user account)
// then this will NOT reset the identity information. Be aware of this if
// you allow already-logged in users to "re-login" as different accounts
// without first logging out.
if (HttpContext.User.Identity.IsAuthenticated) return;
var name = FormsAuthentication.FormsCookieName;
var cookie = Response.Cookies[name];
if (cookie != null)
{
var ticket = FormsAuthentication.Decrypt(cookie.Value);
if (ticket != null && !ticket.Expired)
{
string[] roles = (ticket.UserData as string ?? "").Split(',');
HttpContext.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
}
}
}
Edit: Remove call to Request.Cookies, as #AdamTuplier-MSFT mentioned.
You need to manually set it. Rather than reinventing the wheel, note the section here on updating the current principal for the request - thats your option here.
How to set Request.IsAuthenticated to true when not using FormsAuthentication.RedirectFromLoginPage?
public void RenewCurrentUser()
{
System.Web.HttpCookie authCookie =
System.Web.HttpContext.Current.Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
FormsAuthenticationTicket authTicket = null;
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
if (authTicket != null && !authTicket.Expired)
{
FormsAuthenticationTicket newAuthTicket = authTicket;
if (FormsAuthentication.SlidingExpiration)
{
newAuthTicket = FormsAuthentication.RenewTicketIfOld(authTicket);
}
string userData = newAuthTicket.UserData;
string[] roles = userData.Split(',');
System.Web.HttpContext.Current.User =
new System.Security.Principal.GenericPrincipal(new FormsIdentity(newAuthTicket), roles);
}
}
}
i have develop a Mvc3 application in that i have integrating Jquerymobile,when try to login the page Both devices are working but after login there is one Button for redirect to another view page.When i click that button in Desktop device is working fine but i mobile device it showing error like "Error in pageloding"
Here is my Controle page code
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Login(LogOnModel model, string returnUrl, FormCollection collection)
{
var silButton = Request.Params.AllKeys.FirstOrDefault(key => key.StartsWith("Button_"));
string name = silButton;
if (silButton == "Button_login")
{
try
{
string uname = model.UserName;
string pwd = model.Password;
bool id = model.RememberMe;
if (ModelState.IsValid)
{
if (Membership.ValidateUser(model.UserName, model.Password))
{
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
if (Url.IsLocalUrl(returnUrl) && returnUrl.Length > 1 && returnUrl.StartsWith("/")
&& !returnUrl.StartsWith("//") && !returnUrl.StartsWith("/\\"))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index","DashBoard");
}
}
else
{
ModelState.AddModelError("", "The user name or password provided is incorrect.");
}
}
}
catch
{
return RedirectToAction("Login", "Account");
}
}
else
{
//Here i want page redirect but it showing error ;
return RedirectToActionPermanent("FacebookLogin", "IlifelooksShare");
}
return View();
}
I think its because you dont have forms authentication setup properly in your web.config - the desktop lets this continue but on iphone etc it doesnt work - try commenting out the call to validateuser and replace with if(true) and you should see it all work (without obviously validating who the user is!)