Securing ajax calls in an ASP.NET MVC application

I have an ASP.NET MVC application that allows different access levels depending on the user. The way it currently works is that when the user accesses the page, a check is performed against the database to determine the rights that the user has. Then the presentation is selected based on the access level that the user has. Some users see more data and have more functionality than others. Each page also makes many ajax calls to display and update the data shown on the page.

My question is: what is the best way to make sure that a specific ajax call originated from the view and was not crafted manually to return or update data that the user does not have access to? I would prefer not to go to the database to re-check each time the ajax call is made, as this was already done when the user initially loaded the page.

+3
4 answers

Check the Authorize attribute; you can put it on the entire controller or only on certain methods in your controller.

Examples:

    [Authorize(Roles = "Administrator")]
    public class AdminController : Controller
    {
        // your code here
    }

or

    public class AdminController : Controller
    {
        // Available to everyone
        public ActionResult Index()
        {
            return View();
        }

        // Only available to users in the Administrator role.
        [Authorize(Roles = "Administrator")]
        public ActionResult AdminOnlyIndex()
        {
            return View();
        }
    }

Alternatively, you can write your own Authorize attribute to provide your own logic.

    using System.Collections.Generic;
    using System.Linq;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Mvc;

    public class CustomAuthorizeAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            IPrincipal user = httpContext.User;
            // Anonymous users never pass, whatever roles are configured.
            if (user == null || !user.Identity.IsAuthenticated)
                return false;
            // Roles is the parameter you pass when you apply the attribute.
            var validRoles = Roles.Split(',').Select(r => r.Trim());
            // This will be a call to your database to get the roles the user is in.
            List<string> userRoles = GetRolesFromDb(user);
            return validRoles.Intersect(userRoles).Any();
        }
    }

For use:

    [CustomAuthorize(Roles = "Admin,Superuser")]
    public class AdminController : Controller
    {
    }
+2
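The asker wants to avoid a database round trip on every ajax call. The following is an added example, not code from any of the answers: the roles are looked up once at login and stored in the forms-authentication ticket's UserData, and a custom attribute authorizes every ajax action from that ticket. Class and method names (TicketIssuer, CreateAuthCookie, TicketRoleAuthorizeAttribute) are my own; it assumes forms authentication over HTTPS and .NET 4.5 or later for SuppressFormsAuthenticationRedirect.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Login side (constructed helper): store the user's roles in the ticket once,
// right after the database lookup that already happens when the user signs in.
public static class TicketIssuer
{
    public static HttpCookie CreateAuthCookie(string userName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join(",", roles));
        // Encrypt() also applies a MAC, so the client cannot edit its own role list.
        // Role changes take effect at the next login or when the ticket expires.
        return new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
    }
}

// Per-request side: every ajax action is authorized from the ticket, no database hit.
public class TicketRoleAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        var cookie = httpContext.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return false;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return false; } // tampered or undecryptable cookie
        if (ticket == null || ticket.Expired) return false;
        if (string.IsNullOrWhiteSpace(Roles)) return true; // no role restriction set
        var required = Roles.Split(',').Select(r => r.Trim());
        var granted = ticket.UserData.Split(',').Select(r => r.Trim());
        return required.Intersect(granted, StringComparer.OrdinalIgnoreCase).Any();
    }

    // Ajax callers get a status code instead of a redirect to the HTML login page.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var http = filterContext.HttpContext;
        if (!http.Request.IsAjaxRequest()) { base.HandleUnauthorizedRequest(filterContext); return; }
        bool authenticated = http.User.Identity.IsAuthenticated;
        http.Response.SuppressFormsAuthenticationRedirect = true; // keep the 401 from becoming a 302
        filterContext.Result = new HttpStatusCodeResult(authenticated ? 403 : 401);
    }
}
```

Apply it as [TicketRoleAuthorize(Roles = "Admin,Superuser")] on each ajax action; the point is that the server re-authorizes every call from a signed ticket rather than trusting that the request came from the page.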

It depends on what type of session you are using. Do you use the default membership provider? If you cannot pass in the user ID and sessionid, make sure that the user session is valid and that the user needs permission to make this call.

0

Along with the Authorize attribute, you can also allow only Ajax requests using custom attributes, as shown here.

thanks

0

If you use POST:

    [Authorize]
    [ValidateAntiForgeryToken]

If you use GET:

    [Authorize]

You can also use this custom attribute.

    using System;
    using System.Reflection;
    using System.Web.Mvc;

    public class HttpAjaxRequestAttribute : ActionMethodSelectorAttribute
    {
        public override bool IsValidForRequest(ControllerContext controllerContext, MethodInfo methodInfo)
        {
            // IsAjaxRequest() only looks at the X-Requested-With header, which any client
            // can set, so the actual access control still comes from [Authorize].
            if (!controllerContext.HttpContext.Request.IsAjaxRequest())
            {
                // Returning false instead would make MVC answer with a 404.
                throw new InvalidOperationException("This action " + methodInfo.Name + " can only be called via an Ajax request");
            }
            return true;
        }
    }

Then decorate your action as below.

    [Authorize]
    [HttpAjaxRequest]
    public ActionResult FillCity(int State)
    {
        // code here
    }

Remember to "Mark as Answer" if this solves your problem.

0

Source: https://habr.com/ru/post/1437178/
