My own view after denied access - asp.net-mvc-3

I have created a controller for Admin only and I add:
[Authorize(Roles = "Admin")]
before the class definition. When I try to get sites for Admin as a User, I'm redirected to the LogOn site. How can I change the redirect to LogOn or add extra information to the logon site?

Bouncing users to the LogOn page when they're logged in but don't have access to a page is one of the downsides of using the out-of-the-box AuthorizeAttribute. You have two options:
1. Create a custom authorize attribute (See: Redirecting unauthorized controller in ASP.NET MVC).
2. Change the "loginUrl" attribute of your "forms" element in the web.config to point to an action method that handles redirection based on whether you're logged in or not. You can check in the action method to see if the user is logged in. If they are, you can display an unauthorized access view, and if they aren't you can send them on to the log in page. e.g.
    <authentication mode="Forms">
        <forms loginUrl="~/error/unauthorized" timeout="2880" />
    </authentication>

Related

Spring OAuth2 custom Authentication with external Redirects

I am trying to implement a custom authentication mechanism in Spring.
I have an authentication mechanism, that works like this:
User visits any subpage of my page http://mypage
User gets redirected to http://mypage/login, because my WebSecurityConfigurerAdapter is configured so that any request (except to /login and /redirect) has to be authenticated
On the login page a custom login mechanism happens, where I authenticate the user on an external site: it redirects the user's browser to the external page and then back to another subpage of my page, /redirect, with custom data in the response
On /redirect I set the Authentication of the user, depending on the custom data, and add a GrantedAuthority ROLE_FIRST
After this step the user is redirected to subpage /home, which is only visible to authenticated users with GrantedAuthority ROLE_FIRST.
If the user clicks on a button on /home, a GrantedAuthority ROLE_SECOND is added to the current Authentication of the user and the user is redirected to /secret
The user is then authenticated with two factors (external login, button click) and can see the content of /secret, which requires an authentication with GrantedAuthority ROLE_SECOND
So far so good, but I now want to redirect the user to the initial URL he tried to access. So if the user visited http://mypage/random in the first step, the user should be redirected to /random instead of /secret in the last step.
The problem is, I am losing the URL in the step with the external login, because an external redirect happens there and I can't pass the URL to the external service.
How can I manage this?
Bonus Question: What if the URL /random would be the URL to an OAuth2 Token interface instead? Would that change anything?

Enter in to a particular page through the browser after I login to the system

Need some idea on the process to land on a page after I log in to my web portal. My requirement is: I will enter the URL of a particular page into the browser, then the system will check whether the user is logged in to the system. If yes, it will land on the page I have entered, but if not, then the system will take me to the login page, and after successful login I will be landed on the page I have entered in the browser.
So, please tell me how to do it in the plain servlet/JSP model, Spring, and Struts 1 and Struts 2.
Any post will be helpful
I know about basic jsp/servlet model.
Write a Servlet filter which will intercept every request from the browser; there, check whether the user is logged in or not. If logged in, your normal flow will continue, but if not, then redirect to the login page. When you are redirecting to the login page, make sure you send the URL hit by the browser in the response. Now on the client side hold the URL sent in the response, and after entering credentials in the login page, when the user submits the record, send the URL (held on the client side from the response) in the request, and after successful login use the Servlet RequestDispatcher to land on the URL.
I am not sure, but spring-security has this feature, and Struts 2 too. But the implementation process can be shared by others who are familiar with these technologies. In Struts 1 it's not available and you have to do it manually.
It will be very easy with Spring Security; you just need to secure some path patterns. You don't need to add any code in your JSP or controller. Example:
for URL /admin/* need administrator role
for URL /user/* need user role
for URL /public/* no need to log in (anonymous)
It just needs configuring in your spring-security.xml.
You can start here

Correct Event to check user authentication in BaseController class

I'm in the process of converting a web application of mine to an MVC application. I think it will benefit from it but I'm a newb and a half at MVC. I want all of my controllers to inherit from a base controller and the first thing I want to do is redirect the User to the Login view if they are not authenticated. The method already written basically looks for a Cookie and if it doesn't find it does a Response.Redirect() to the login screen. I want to move this method to the BaseController but I'm not positive what's the best way to go about it. So in essence what BaseController Event should I invoke to check for authentication before loading the page?
Thanks
The MVC way to handle this is to decorate controller actions with the AuthorizeAttribute.
When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized. If you mark a controller with the attribute, all action methods in the controller are restricted.
The Authorize attribute lets you indicate that authorization is restricted to predefined roles or to individual users. This gives you a high degree of control over who is authorized to view any page on the site.
If an unauthorized user tries to access a method that is marked with the Authorize attribute, the MVC framework returns a 401 HTTP status code. If the site is configured to use ASP.NET forms authentication, the 401 status code causes the browser to redirect the user to the login page.
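The 401-versus-redirect behaviour described in this answer is also what the first question on this page runs into (an Admin-only controller bouncing a logged-in non-admin to LogOn). As an added example in C# that is not from either poster, the following AuthorizeAttribute subclass for ASP.NET MVC 3 keeps the stock 401 for anonymous users (so forms authentication still redirects them to loginUrl) but answers an authenticated user who lacks the role with a 403 and a dedicated view instead. The view name "Forbidden" and the AdminController are assumptions for the illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example, not code from the original posts or the MVC framework:
// distinguishes "not logged in" (401 -> forms-auth redirect to LogOn)
// from "logged in but not in the required role" (403 -> Forbidden view).
public class RoleOrForbidAttribute : AuthorizeAttribute
{
    // Called by AuthorizeAttribute.OnAuthorization when AuthorizeCore fails,
    // i.e. when the user is anonymous OR not in Roles/Users.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool isAuthenticated = user != null
                               && user.Identity != null
                               && user.Identity.IsAuthenticated;

        if (!isAuthenticated)
        {
            // Anonymous: keep the default HttpUnauthorizedResult (401).
            // FormsAuthenticationModule turns the 401 into a redirect to
            // loginUrl with ReturnUrl=<requested path> appended.
            base.HandleUnauthorizedRequest(filterContext);
            return;
        }

        // Authenticated but not authorized: do NOT return 401, because that
        // is exactly what sends an already-logged-in user back to LogOn.
        var response = filterContext.HttpContext.Response;
        response.StatusCode = 403;
        // Prevent IIS (integrated mode) from replacing our view with its own
        // 403 error page; the ViewResult below is still rendered with status 403.
        response.TrySkipIisCustomErrors = true;

        filterContext.Result = new ViewResult
        {
            ViewName = "Forbidden"   // assumed to exist under Views/Shared/Forbidden.cshtml
        };
    }
}

// Used exactly like the first question's [Authorize(Roles = "Admin")],
// but with the subclass so non-admins get the Forbidden view.
[RoleOrForbid(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

Two points worth checking when adopting this: the Forbidden view must not itself sit behind the attribute (or the request loops), and because AuthorizeAttribute also registers an output-cache validation callback, keep calling the base class for the anonymous path rather than replacing OnAuthorization wholesale, so cached pages are not served to unauthorized users.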

Manage Login Redirection in Pyrocms

I need to manage login in such a way that it should redirect control after successful login to the page which called the login method in PyroCMS.
By default it returns control to the Home Page. For example, I want to go to the gallery page, but it requires the user to be logged in, so it will redirect control to the login page, and now I want to redirect control back to the gallery page once the user has successfully logged in.
Finally, I have come up with the exact solution which is working correctly for me.
Whenever the user tries to view the gallery page (a restricted page) which requires user login, we only have to assign the URL where we want to redirect after successful login to $redirect_to in the controller method:
$this->session->set_userdata('redirect_to',$redirect_to);
Then it will automatically redirect the control to the desired page. Because in the users controller the login function is developed in such a way that:
$redirect_to = $this->input->post('redirect_to') ? $this->input->post('redirect_to') : $this->session->userdata('redirect_to');
Hopefully this will help you sometime

Redirect to originally requested page after Login

I have added an ActionFilter to my MVC site which checks if a user is currently logged on, by checking against a session value; if they are not, they are redirected to a login page. The action filter attribute is added to each controller, so regardless of the page the user tries to view they are redirected to the login view. This bit all works fine.
When the user successfully logs in, I want them to be redirected to the page they were trying to originally access, but I don't know how to get my Login Post action to know where to redirect to.
Any help greatly appreciated.
You send along a ReturnUrl when you go to the login view. Then the action method for the login view uses that value to know where to return. The following may help:
ReturnUrl in ASP.NET MVC
as well as this
ASP.NET MVC - CustomAuthorize filter action using an external website for logging in the user
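The ReturnUrl hand-off in this answer is the same procedure the servlet answer earlier on the page describes (filter captures the requested URL, login page carries it, post-login redirect uses it) and what the PyroCMS answer does with a session key. As an added example in C# that is neither poster's code, here is the question's session-based ActionFilter rewritten to pass the requested URL along, plus a LogOn action pair that honours it only when it is local to the site. That last check matters: a login page that redirects to whatever ReturnUrl it is given is an open redirector, and phishing links of the form /Account/LogOn?ReturnUrl=http://evil.example/ will land users on the attacker's page right after they authenticate. Assumptions: a Session["UserId"] marker for "logged in", a configured ASP.NET Membership provider for Membership.ValidateUser, and a LogOn view that posts back to its own URL (as the MVC 3 template does, so the query-string ReturnUrl rides along).

```csharp
using System.Web.Mvc;
using System.Web.Routing;
using System.Web.Security;

// Added example (not from the original question or answers).
// Step 1: the filter that guards every controller. When the session has no
// user, redirect to LogOn and carry the requested path+query as ReturnUrl.
public class SessionLoginRequiredAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (http.Session != null && http.Session["UserId"] != null)   // assumed login marker
        {
            return;   // logged in: let the action run
        }

        // RawUrl is path + query only (e.g. "/Orders/Edit/5?tab=notes"), so what
        // we hand to the login page is always a local URL.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Account" },
                { "action", "LogOn" },
                { "ReturnUrl", http.Request.RawUrl }
            });
    }
}

// Step 2: the login actions. GET shows the form (ReturnUrl stays in the query
// string); POST validates and redirects, but only to a local URL.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;   // echoed by the view only via Url.Action/hidden field
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            Session["UserId"] = model.UserName;   // matches the filter's marker
            return RedirectToLocal(returnUrl);
        }

        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        ViewBag.ReturnUrl = returnUrl;
        return View(model);
    }

    // Url.IsLocalUrl (added in MVC 3) accepts "/path" and "~/path" and rejects
    // absolute URLs, protocol-relative "//evil.example" and "/\evil.example".
    // Anything it rejects (or an empty value) falls back to the home page.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}

// Minimal view model so the example compiles on its own; the MVC 3 template's
// version carries DataAnnotations as well.
public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}
```

If the site is on MVC 2 or earlier, Url.IsLocalUrl does not exist; the equivalent check is that the value starts with a single "/" (or "~/") and its second character is neither "/" nor "\". The same local-only rule applies to the PyroCMS $redirect_to session value and to the URL the servlet filter stores: validate it at the point of redirect, not at the point of capture, since the value can be tampered with in between.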
