kristofferahl / FluentSecurity

Fluent Security configuration for ASP.NET MVC
MIT License

FluentSecurity breaking "Add-Controller"-Dialog -> select Model Class #38

Open rsacher opened 12 years ago

rsacher commented 12 years ago

I noticed that I have a problem adding a new Controller and selecting my model if I implement FluentSecurity's IPolicyViolationHandler.

To start, I followed http://www.revium.com.au/articles/sandbox/fluentsecurity-mvcsitemapprovider-better-net-security-management/ and noticed that all my own models were absent from the Select ModelClass dropdown in the Add-Controller dialog. (Sorry, I'm using the German VS2010, so the English captions may vary a bit.)

If I exclude any notion of IPolicyViolationHandler from my project and rebuild, then they show again. Tried both 1.4 and 2.0 alpha.

Greetings, Reinhard

kristofferahl commented 12 years ago

Wow, just wow.. This is an odd one. My guess is that this is not an issue with FluentSecurity itself but rather the VS 2010 dialog. I have experienced this myself before but not specifically with FluentSecurity. I will see if I can recreate the problem and maybe file a bug report with Microsoft.

Have you tried it with VS 2012?

kristofferahl commented 11 years ago

Did you solve this or do you still have the same issue?

bryanfife commented 11 years ago

This problem still exists. Would appreciate an update either to FS or VS.

kristofferahl commented 11 years ago

@bryanfife What version of VS and FS are you running?

bryanfife commented 11 years ago

I am using VS2012 and FS 1.4.0.



rsacher commented 11 years ago

The problem still exists, so I am using 1.4 for the time being. My main problem, however, is that I seem to be unable to implement a redirect-to-login on violation.

I need to secure an Area ("/Admin") from unauthorized access. I have a login page (http://localhost:3212/account/login) and can access http://localhost:3212/Admin after logging in. Accessing the above without first logging in tells me:

FluentSecurity.PolicyViolationException: Anonymous access denied

[PolicyViolationException: Anonymous access denied]
   FluentSecurity.ExceptionPolicyViolationHandler.Handle(PolicyViolationException exception) +6
   FluentSecurity.SecurityHandler.HandleSecurityFor(String controllerName, String actionName) +395
   FluentSecurity.HandleSecurityAttribute.OnActionExecuting(ActionExecutingContext filterContext) +83
   ..... .....

my config:

public static ISecurityConfiguration SetupFluentSecurity()
{
    SecurityConfigurator.Configure(configuration =>
    {
        configuration.GetAuthenticationStatusFrom(SecurityHelper.UserIsAuthenticated);
        configuration.GetRolesFrom(SecurityHelper.UserRoles);
        configuration.ForAllControllers().DenyAnonymousAccess();
        configuration.ForAllControllersInNamespaceContainingType<haas2013.Controllers.HomeController>().Ignore();
        configuration.ForAllControllersInNamespaceContainingType<haas2013.Areas.Admin.Controllers.HomeController>()
            .DenyAuthenticatedAccess()
            .RequireRole(RolesEnum.Admin.ToString());
    });

    return SecurityConfiguration.Current;
}

I could not find a doc on how to handle redirects in 1.4. Could you post an example please!

Thanks, Reinhard

rsacher commented 11 years ago

My workaround for this issue: If using 2.0

... not ideal but works.

Reinhard

tiesont commented 11 years ago

I solved the redirect problem by implementing a custom default policy handler, like so:

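using System.Web;
using System.Web.Mvc;
using FluentSecurity;

public class DenyAnonymousAccessPolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        // 403 for authenticated callers who fail the policy, 401 for anonymous callers.
        throw new HttpException(HttpContext.Current.User.Identity.IsAuthenticated ? 403 : 401, exception.Message);
    }
}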

Then assign it to be the default handler in your bootstrap/configuration setup:

 configuration.DefaultPolicyViolationHandlerIs(() => new DenyAnonymousAccessPolicyViolationHandler());

This second part requires version 2+. I don't know if there is a better way, but this got me what I considered "normal" behavior in ASP.NET, plus it gives Ajax code a meaningful response...

I should note that I'm using this in an ASP.NET MVC4 project with Castle Windsor.

rsacher commented 11 years ago

In 2.x you would have (according to the docs):

But this is only for 2.x to redirect you to /Account/Login

using System.Web.Mvc;
using System.Web.Routing;
using FluentSecurity;

public class DefaultPolicyViolationHandler : IPolicyViolationHandler
{
    public string ViewName = "AccessDenied";

    public ActionResult Handle(PolicyViolationException exception)
    {
        if (SecurityHelper.UserIsAuthenticated())
        {
            return new ViewResult { ViewName = ViewName };
        }
        else
        {
            RouteValueDictionary rvd = new RouteValueDictionary();
            if (System.Web.HttpContext.Current.Request.RawUrl != "/")
                rvd["ReturnUrl"] = System.Web.HttpContext.Current.Request.RawUrl;
            rvd["controller"] = "Account";
            rvd["action"] = "Login";
            rvd["area"] = "";
            return new RedirectToRouteResult(rvd);
        }
    }
}

tiesont commented 11 years ago

You could do that, but then you always have to have an Accounts controller and a LogIn action - throwing the HttpException is relatively transparent and works with the MVC3 pattern (a LogOn action) and the MVC4 pattern (a LogIn action). It also respects the web.config settings in the authentication section, so you can have whatever URL you want for the login page...
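An added example, not part of the thread and not FluentSecurity's own code: a handler that returns status-code results instead of throwing, so anonymous page requests still go through the Forms Authentication login redirect configured in web.config while Ajax callers see the raw 401. The class name is hypothetical, and the code assumes FluentSecurity 2.x, ASP.NET MVC 3 or later and .NET 4.5 or later (for `SuppressFormsAuthenticationRedirect`).

```csharp
using System.Web;
using System.Web.Mvc;
using FluentSecurity;

// Hypothetical name; illustrative only.
public class StatusCodePolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        var context = new HttpContextWrapper(HttpContext.Current);
        var isAuthenticated = context.User != null
            && context.User.Identity.IsAuthenticated;

        if (isAuthenticated)
        {
            // Logged in but the policy still failed: 403, and no login
            // redirect, because signing in again would not help.
            return new HttpStatusCodeResult(403, "Forbidden");
        }

        if (context.Request.IsAjaxRequest())
        {
            // Keep the 401 visible to script callers instead of letting
            // Forms Authentication turn it into a 302 to the login page.
            // Requires .NET 4.5 or later.
            context.Response.SuppressFormsAuthenticationRedirect = true;
        }

        // Anonymous caller: 401. For ordinary page requests Forms
        // Authentication redirects to the loginUrl from web.config and
        // appends the ReturnUrl itself.
        return new HttpUnauthorizedResult();
    }
}
```

It is registered the same way as the handler above, through `configuration.DefaultPolicyViolationHandlerIs(...)`.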

rsacher commented 11 years ago

Ah... thanks for that piece of code... did not know this!

LionLai commented 11 years ago

I tested this issue by changing the interface IPolicyViolationHandler, like so:

public interface IPolicyViolationHandler
{
    //old
    //ActionResult Handle(PolicyViolationException exception);

    //change to 
    //new
    string Handle(PolicyViolationException exception);
}

Then, when adding a controller, all the models show.

No idea why it happens. Reference conflict?

kristofferahl commented 11 years ago

I'm sorry guys. I've had a look at this on several occasions but I haven't been able to reproduce it. I tried it again with the newly released beta of v.2.0 but I did not get this error. What version of MVC are you running (MVC 3 or 4)?

bryanfife commented 11 years ago

I think you can go ahead and close the issue. It seemed to resolve itself.

