FluentSecurity breaking "Add-Controller"-Dialog -> select Model Class

[rsacher]

I noticed, that I got the problem to add a new Controller and select my model, if I implement FluentSecurity IPolicyViolationHandler

To start, I followed http://www.revium.com.au/articles/sandbox/fluentsecurity-mvcsitemapprovider-better-net-security-management/ and noticed, that all my own models were absent, in the Select ModelClass dropdown in the Add-Controller dialog. (Sorry, using German VS2010 - so the english captions may vary a bit)

If I exclude any notion of IPolicyViolationHandler from my project, rebuild, then they show again. Tried both 1.4 and 2.0 alpha

Greetings, Reinhard

[kristofferahl]

Wow, just wow.. This is an odd one. My guess is that this is not an issue with FluentSecurity itself but rather the VS 2010 dialog. I have experienced this myself before but not specifically with FluentSecurity. I will see if I can recreate the problem and maybe file a bug report with microsoft.

Have you tried it with VS 2012?

[kristofferahl]

Did you solve this or do you still have the same issue?

[bryanfife]

This problem still exists. Would appreciate an update either to FS or VS.

[kristofferahl]

@bryanfife What version of VS and FS are you running?

[bryanfife]

I am using VS2012 and FS 1.4.0.

---

From: Kristoffer Ahl notifications@github.com To: kristofferahl/FluentSecurity FluentSecurity@noreply.github.com Cc: bryanfife bryanfife@yahoo.com Sent: Wednesday, December 5, 2012 11:00 AM Subject: Re: [FluentSecurity] FluentSecurity breaking "Add-Controller"-Dialog -> select Model Class (#38)

@bryanfife What version of VS and FS are you running? — Reply to this email directly or view it on GitHub.

[rsacher]

The problem still exists - so I am using 1.4 at the time being. My main problem however is, that I seem to be unable to implement a redirect-to-login on violation.

I need to secure an Area ("/Admin") from unauthorized access. I have a login page (http://localhost:3212/account/login) and can access http://localhost:3212/Admin after logging in. Accessing the above without first logging in tells me:

FluentSecurity.PolicyViolationException: Anonymous access denied [PolicyViolationException: Anonymous access denied] FluentSecurity.ExceptionPolicyViolationHandler.Handle(PolicyViolationException exception) +6 FluentSecurity.SecurityHandler.HandleSecurityFor(String controllerName, String actionName) +395 FluentSecurity.HandleSecurityAttribute.OnActionExecuting(ActionExecutingContext filterContext) +83 ..... .....

my config:

public static ISecurityConfiguration SetupFluentSecurity()
{
    SecurityConfigurator.Configure(configuration =>
    {
        configuration.GetAuthenticationStatusFrom(SecurityHelper.UserIsAuthenticated);
        configuration.GetRolesFrom(SecurityHelper.UserRoles);
        configuration.ForAllControllers().DenyAnonymousAccess();
        configuration.ForAllControllersInNamespaceContainingType<haas2013.Controllers.HomeController>().Ignore();
        configuration.ForAllControllersInNamespaceContainingType<haas2013.Areas.Admin.Controllers.HomeController>()
            .DenyAuthenticatedAccess()
            .RequireRole(RolesEnum.Admin.ToString());
    });

    return SecurityConfiguration.Current;
}

I could not find a doc on how to handle redirects in 1.4. Could you post an example please!

Thanks, Reinhard

[rsacher]

My workaround for this issue: If using 2.0

• temporarily exclude DefaultPolicyViolationHandler.cs from project,
• remove references to it in configuration (eg: // configuration.DefaultPolicyViolationHandlerIs(() => new DefaultPolicyViolationHandler()); )
• rebuild
• add new controller - now they all show again
• revert steps 1+2
• rebuild

... not ideal but works.

Reinhard

[tiesont]

I solved the redirect problem by implementing a custom default policy handler, like so:

public class DenyAnonymousAccessPolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        throw new HttpException(HttpContext.Current.User.Identity.IsAuthenticated ? 403 : 401, exception.Message);
    }
}

Then assign it to be the default handler in your bootstrap/configuration setup:

 configuration.DefaultPolicyViolationHandlerIs(() => new DenyAnonymousAccessPolicyViolationHandler());

This second part requires version 2+. I don't know if there is a better way, but this got me what I considered "normal" behavior in ASP.NET, plus it gives Ajax code a meaningful response...

I should note that I'm using this in an ASP.NET MVC4 project with Castle Windsor.

[rsacher]

In 2.x you would have (according to the docs):

But this is only for 2.x to redirect you to /Account/Login

using System.Web.Mvc; using System.Web.Routing; using FluentSecurity;

public class DefaultPolicyViolationHandler : IPolicyViolationHandler { public string ViewName = "AccessDenied"; public ActionResult Handle(PolicyViolationException exception) { if (SecurityHelper.UserIsAuthenticated()) { return new ViewResult { ViewName = ViewName }; } else { RouteValueDictionary rvd = new RouteValueDictionary(); if (System.Web.HttpContext.Current.Request.RawUrl != "/") rvd["ReturnUrl"] = System.Web.HttpContext.Current.Request.RawUrl; rvd["controller"] = "Account"; rvd["action"] = "Login"; rvd["area"] = ""; return new RedirectToRouteResult(rvd); } } }

[tiesont]

You could do that, but then you always have to have an Accounts controller and a LogIn action - throwing the HttpException is relatively transparent and works with the MVC3 pattern (a LogOn action) and the MVC4 pattern (a LogIn action). It also respects the web.config settings in the authentication section, so you can have whatever URL you want for the login page...

[rsacher]

Ah... thanks for that piece of code... did not know this!

[LionLai]

I test this issue to change the interface IPolicyViolationHandler, like so:

public interface IPolicyViolationHandler
{
    //old
    //ActionResult Handle(PolicyViolationException exception);

    //change to 
    //new
    string Handle(PolicyViolationException exception);
}

then add a controller that the models will show all.

no idea why it happen. reference conflict?

[kristofferahl]

I'm sorry guys. I've had a look at this on several occasions but I haven't been able to reproduce it. I tried it again with the newly released beta of v.2.0 but I did not get this error. What version of MVC are you running (MVC 3 or 4)?

[bryanfife]

I think you can go ahead and close the issue. It seemed to resolve itself.

---

From: Kristoffer Ahl notifications@github.com To: kristofferahl/FluentSecurity FluentSecurity@noreply.github.com Cc: bryanfife bryanfife@yahoo.com Sent: Monday, April 15, 2013 5:16 AM Subject: Re: [FluentSecurity] FluentSecurity breaking "Add-Controller"-Dialog -> select Model Class (#38)

I'm sorry guys. I've had a look at this on several occasions but I haven't been able to reproduce it. I tried it again with the newly released beta of v.2.0 but I did not get this error. What version of MVC are you running (MVC 3 or 4)? — Reply to this email directly or view it on GitHub.