c# - Claims authorization using Thinktecture.IdentityModel -


as explained on leastprivilege, there 2 ways setup claims authorization checks using thinktecture.identitymodel. 1 setup filter. other add attributes actions want check.

i'm using attributes option. however, i'd override behavior of sending unauthorized (but authenticated) requests login page.

instead i'd present 401 error (or unauthorized page). far, have following class override handleunauthorizedrequest , throw 401 error (if authenticated). however, way i've figured out how wire in adding class filter. doing though, skips using attribute decorations , sends action/resource through checkacess method, useless us.

    public class customclaimsauthorizeattribute : thinktecture.identitymodel.authorization.mvc.claimsauthorizeattribute {     public customclaimsauthorizeattribute()     {     }      public customclaimsauthorizeattribute(string action, params string[] resources)         : base(action, resources)     {     }       protected override void handleunauthorizedrequest(authorizationcontext filtercontext)     {         if (filtercontext.httpcontext.user.identity.isauthenticated)             throw new unauthorizedaccessexception("insufficent permissions.");          base.handleunauthorizedrequest(filtercontext);     } }

for whoever may interested. realized (ridiculously) simple using own class name attribute. 

customclaimsauthorizeattribute("myparameter") public actionresult index() {   ... }

additionally, found following in web.config file, throwing unauthorizedaccessexception won't present specified 401 error page user. instead receive general error page.

<customerrors mode="on" defaultredirect="errorpage.aspx">    <error statuscode="401" redirect="errornoaccess.aspx" /> </customerrors>

this exception produces:

"asp.net not authorized access requested resource. consider granting access rights resource asp.net request identity. asp.net has base process identity (typically {machine}\aspnet on iis 5 or network service on iis 6 , iis 7, , configured application pool identity on iis 7.5) used if application not impersonating. if application impersonating via , identity anonymous user (typically iusr_machinename) or authenticated request user."

i instead decided throw 403 (forbidden) error. override ended looking this:

protected override void handleunauthorizedrequest(authorizationcontext filtercontext) {      if (filtercontext.httpcontext.user.identity.isauthenticated)         throw new httpexception((int)httpstatuscode.forbidden, "unauthorized access");      base.handleunauthorizedrequest(filtercontext); }

and web.config error pages specified as:

<customerrors mode="on" defaultredirect="errorpage.aspx">   <error statuscode="403" redirect="errornoaccess.aspx" />   <error statuscode="404" redirect="errornotfound.aspx" />   <error statuscode="500" redirect="errorpage.aspx" /> </customerrors>

i can log in user insufficient privileges , presented errornoaccess.aspx page instead of being thrown login page (which turned loop if had 'remember me' checked).

i truely don't understand ms thinking throwing user login page because of validly authenticated, unauthorized request. there's no feedback user why thrown login page , nothing hint user try different credentials (which highly unlikely have different credentials).


-

Comments

Post a Comment

Popular posts from this blog

how to proxy from https to http with lighttpd -

i have internal site (192.168.2.1) accessible http on different server run public web-server using lighttpd. can make internal site accessible outside work follows $http["host"] == "internal.example.com" { ... proxy.server = ( "" => ( "internal" => ( "host" => "192.168.2.1", "port" => 8000 ) ) } this works, use https outside world. question is, how can proxy going https http ? i've tried this: $server["socket"] == ":443" { $http["host"] == "internal.example.com" { ... proxy.server = ( "" => ( "internal" => ( "host" => "http://192.168.2.1", "port" => 8000 ) ) } } but doesn't seem wor...
Read more

android - Automated my builds -

i have multiple app , android project want automated in build , release sequence. have ant script build , create apk of app. want have 1 script or ant file start build sequence app. maybe don't konw search, can't find easy documentation on ant. the point of use jenkins ant (or maven, i'm not sure of difference between them now) automated build sequence when people commit on project. any int appreciated maven dependencies (over ant) don't need pass around jars. recommend maven on ant day. syntax , overall process easier understand, @ end of both build tools. if able to, more recommend upgrading gradle. easy create different build types , create them ./gradlew assemble here project jake wharton can see power of gradle. there release , debug build, can make lot more if like. https://github.com/jakewharton/u2020 here android docs gradle http://tools.android.com/tech-docs/new-build-system/user-guide . if can't find looking here, check out main grad...
Read more

python - Flask migration error -

i've got application build on flask , wanted create new migration today. when run $python manage.py db upgrade i got message raise util.commanderror('only single head supported. ' alembic.util.commanderror: single head supported. script directory has multiple heads (due branching), must resolved manually editing revision files form linear sequence. run alembic branches see divergence(s). so run command $alembic branches no config file 'alembic.ini' found, or file has no '[alembic]' section any clue on about? the error messages coming alembic, use command form alembic <command> , integrating flask coming flask-migrate, need use form python manage.py db branches . to resolve multiple branches, make 1 of branches point down other branch upgrade graph straight line. see alembic's docs on branches: http://alembic.readthedocs.org/en/latest/branches.html
Read more