ASP.NET MVC [Authorize()] attribute for mixed group and user

I am using ASP.NET MVC 1.1 with Windows Authentication. I am trying to authorize only the members of a group and myself. I am not a member of the group and should not be a member of this group. I get a Windows password prompt every time I access the web application URL. HomeController has

    [HandleError]
    [Authorize(Roles = @"MyDomain\\company.security.group.name")]
    [Authorize(Users = @"MyDoamin\\MyName")]
    [OutputCache(Duration = 86400, VaryByParam = "PageIndex")]
    public class HomeController : Controller

How can I enable this kind of authorization? The web application runs under a site on IIS6. The site has directory security set to accept anonymous access. Anonymous access is disabled in the web application / virtual directory and Windows Integrated security is enabled. Web.config has

+4
source share
2 answers

You can subclass AuthorizeAttribute to look at Users and Roles. Off the top of my head (untested):

    using System;
    using System.Linq;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Mvc;

    public class MyAuthorizeAttribute : AuthorizeAttribute
    {
        // wish base._usersSplit were protected instead of private...
        private string[] _rolesSplit = new string[0];
        private string[] _usersSplit = new string[0];
        private readonly object _splitLock = new object();

        // This method must be thread-safe since it is called by the thread-safe OnCacheAuthorization() method.
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            // Called as in the original answer; its return value is discarded.
            base.AuthorizeCore(httpContext);

            if ((!string.IsNullOrEmpty(Users) && (_usersSplit.Length == 0)) ||
                (!string.IsNullOrEmpty(Roles) && (_rolesSplit.Length == 0)))
            {
                InitializeSplits();
            }

            IPrincipal user = httpContext.User;
            if (!user.Identity.IsAuthenticated)
            {
                return false;
            }

            // Allow the request when the user is listed in Users OR is in one of Roles.
            var userRequired = _usersSplit.Length > 0;
            var userValid = userRequired && _usersSplit.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase);
            var roleRequired = _rolesSplit.Length > 0;
            var roleValid = roleRequired && _rolesSplit.Any(user.IsInRole);
            var userOrRoleRequired = userRequired || roleRequired;
            return (!userOrRoleRequired) || userValid || roleValid;
        }

        private void InitializeSplits()
        {
            lock (_splitLock)
            {
                if ((_rolesSplit.Length == 0) || (_usersSplit.Length == 0))
                {
                    _rolesSplit = SplitList(Roles);
                    _usersSplit = SplitList(Users);
                }
            }
        }

        // Trim entries and drop empty ones so "a, b" and an unset list both behave as expected.
        private static string[] SplitList(string list)
        {
            return (list ?? string.Empty).Split(',')
                .Select(s => s.Trim())
                .Where(s => s.Length > 0)
                .ToArray();
        }
    }
+11
source

Since you are prefixing your domain\user and domain\group strings with the @ symbol, you do not need to double the escape backslash. You can try replacing these lines with:

    [Authorize(Roles = "MyDomain\\company.security.group.name")]
    [Authorize(Users = "MyDoamin\\MyName")]

or

    [Authorize(Roles = @"MyDomain\company.security.group.name")]
    [Authorize(Users = @"MyDoamin\MyName")]

A little additional reading also showed that the authorization filter will check for “users” and “roles”. If the user does not meet both requirements, they will be denied access.
To get the behavior you need, you will need to write a custom authorization filter, as suggested in the previous answer.

+13
source
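
The two decisions discussed in the answers above, side by side: the stock check, where the user list AND the role list must both match, and the user-OR-role check that the custom attribute is meant to perform. This is an added example, not code from either answer; the class and helper names and the MYDOMAIN accounts are constructed, and GenericPrincipal stands in for the WindowsPrincipal that Windows Authentication would supply, so it runs as a console program without System.Web.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

public static class AuthorizeSemanticsDemo
{
    const string Users = @"MYDOMAIN\alice";        // constructed account name
    const string Roles = @"MYDOMAIN\app.admins";   // constructed group name

    // Comma-separated list -> trimmed, non-empty entries.
    static string[] Split(string list) =>
        (list ?? "").Split(',').Select(s => s.Trim()).Where(s => s.Length > 0).ToArray();

    // Stock behaviour: every configured list must match (AND).
    public static bool StockAnd(IPrincipal p)
    {
        if (p == null || !p.Identity.IsAuthenticated) return false;
        string[] u = Split(Users), r = Split(Roles);
        if (u.Length > 0 && !u.Contains(p.Identity.Name, StringComparer.OrdinalIgnoreCase)) return false;
        if (r.Length > 0 && !r.Any(p.IsInRole)) return false;
        return true;
    }

    // Behaviour the question asks for: a listed user OR a member of a listed group.
    public static bool UserOrRole(IPrincipal p)
    {
        if (p == null || !p.Identity.IsAuthenticated) return false;
        string[] u = Split(Users), r = Split(Roles);
        if (u.Length == 0 && r.Length == 0) return true;   // nothing configured
        return u.Contains(p.Identity.Name, StringComparer.OrdinalIgnoreCase) || r.Any(p.IsInRole);
    }

    // Build a constructed principal; an empty name yields an unauthenticated identity.
    static IPrincipal Make(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);

    static void Show(string label, IPrincipal p) =>
        Console.WriteLine("{0,-28} stock AND: {1,-5}  user OR role: {2}",
                          label, StockAnd(p), UserOrRole(p));

    public static void Main()
    {
        Show("listed user, not in group", Make(@"MYDOMAIN\alice"));
        Show("group member, not listed", Make(@"MYDOMAIN\bob", @"MYDOMAIN\app.admins"));
        Show("listed user, in group", Make(@"MYDOMAIN\alice", @"MYDOMAIN\app.admins"));
        Show("neither", Make(@"MYDOMAIN\carol"));
        Show("anonymous", Make(""));
    }
}
```

The first row is the asker's situation: a listed user outside the group is rejected by the AND check and accepted by the OR check, while the last two rows stay denied under both.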

Source: https://habr.com/ru/post/1299389/