Security Trimming - TabStrip

16 posts, 1 answers
  1. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 08 Aug 2013

    Hi;

    I've read that the TabStrip utilizes SecurityTrimming capabilities. Explicitly stated in the documentation is if OnAuthorization returns HttpUnauthorizedResult then the tab item that made the request for the action will not be included. I have derived a class from AuthorizeAttribute and have overridden the OnAuthorization function and during a check I'm doing the following:
    filterContext.Result = new HttpUnauthorizedResult();

    After doing this the site stays on the Login Page. What do I have to do to make the TabStrip work with the authorization I placed?

    Peter
  2. Atanas Korchev
    Admin
    8462 posts

    Posted 12 Aug 2013

    Hello Peter,

    What you have done should be enough to support security trimming.

    I have created a sample project which demonstrates the same.

    Regards,
    Atanas Korchev
    Telerik
  4. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 12 Aug 2013

    Hi;

    I modified my code to perform the same things that are being done in your example and it does not work. My application stays on the login page. We have integrated Windows forms authentication in our application. Could this be getting in the way (or performing additional checks on the return of Action requests)?

    Peter
  5. Atanas Korchev
    Admin
    8462 posts

    Posted 13 Aug 2013

    Hi Peter,

     As far as we know the default behavior of the OnAuthorization method is to redirect to the login page. If you avoid calling the base implementation this should not happen as in the provided example.

    Regards,
    Atanas Korchev
    Telerik
  6. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 13 Aug 2013

    Hi;

    The base call of OnAuthorization has no effect and does not check the result of the FilterContext. The calls that are made with respect to OnAuthorization are:

    • BeginInvokeAction
    • InvokeAuthorizationFilters
    • OnAuthorization

    In the BeginInvokeAction is where the Result is evaluated:

    -------------------------------------------------------------------------------------------------------------------------------

    AsyncControllerActionInvoker.AsyncControllerActionInvoker cSu0024u003cu003e8_locals24 = variable1;
    AuthorizationContext authorizationContext = this.InvokeAuthorizationFilters(controllerContext, filters.AuthorizationFilters, actionDescriptor);
    if (authorizationContext.Result == null)
    {
        AsyncControllerActionInvoker.AsyncControllerActionInvoker variable = variable1;
        if (controllerContext.Controller.ValidateRequest)
        {
            ControllerActionInvoker.ValidateRequest(controllerContext);
        }
        IDictionary<string, object> parameterValues = this.GetParameterValues(controllerContext, actionDescriptor);
        IAsyncResult asyncResult2 = this.BeginInvokeActionMethodWithFilters(controllerContext, filters.ActionFilters, actionDescriptor, parameterValues, asyncCallback, asyncState);
        action = () => {
            ActionExecutedContext actionExecutedContext = variable.u003cu003e4__this.EndInvokeActionMethodWithFilters(asyncResult2);
            variable.u003cu003e4__this.InvokeActionResultWithFilters(variable.controllerContext, filters.ResultFilters, actionExecutedContext.Result);
        };
        IAsyncResult asyncResult1 = asyncResult2;
        return asyncResult1;
    }
    else
    {
        action = () => cSu0024u003cu003e8_locals24.u003cu003e4__this.InvokeActionResult(cSu0024u003cu003e8_locals24.controllerContext, authorizationContext.Result);
    }


    ---------------------------------------------------------------------------------------------------------------------------------------------------------
    The behavior is such that when the Result has been set then the logic performs additional operations based on the result, and does not go through the standard processing. It looks like the standard evaluation is to check the validation of the result. In this case it is an unauthorized result and as such the default operation is activated, which is to return to the login page. From what I've read this is exactly how it is supposed to work. So your assumption that calling base is what is causing the operation to fail is INCORRECT. I would appreciate if you could validate your statements before making them. I would also like to know how to get around this limitation. Based on your statements I get the impression that Telerik did not test out security trimming with Authentication activated.

    Please let me know the solution as soon as possible. I have people who are wondering why this is not working [as described in Kendo UI documentation].



    Peter
  7. Atanas Korchev
    Admin
    8462 posts

    Posted 13 Aug 2013

    Hi Peter,

     We are not sure why things are not working at your side provided that we attached a working sample. Thus we would ask you to modify that project so it mimics closely your setup. Once we reproduce the problem at our side we would get back with a solution.

    Regards,
    Atanas Korchev
    Telerik
  8. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 13 Aug 2013

    Hi;

    I would prefer that you modify your example to match what I had stated in my original email. That was Security Trimming was not working, a return to login occurs. I.E. I have a project that has authentication activated via Windows forms. The example you supplied does work but it does not have Windows Forms authentication activated. So the problem is that you supplied an example that did not work against my use case. I do not appreciate you requesting me to check your example across my use case. This is something you should be doing. I don't work for Telerik. If you can supply an example project with security trimming active and authentication activated it would be greatly appreciated.

    Peter
  9. Atanas Korchev
    Admin
    8462 posts

    Posted 13 Aug 2013

    Hello Peter,

    We are not sure we understand what "authentication activated via Windows forms" means. As far as we know ASP.NET supports the following forms of authentication:

    - Windows
    - Forms

    So are you using windows or forms authentication?

    Regards,
    Atanas Korchev
    Telerik
  10. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 13 Aug 2013

    Hi;

    I apologize for the ambiguity of my statement about authentication method. We are using forms authentication.

    Peter
  11. Answer
    Atanas Korchev
    Admin
    8462 posts

    Posted 13 Aug 2013

    Hi Peter,

     Find attached updated sample project which uses forms authentication (the default implementation provided by the Internet application project template). When you run it you should see only one tab. If you log in with user admin and password 123456 you would see the other tab. 

    I hope this helps,
    Atanas Korchev
    Telerik
  12. Peter
    22 posts
    Member since:
    Jul 2013

    Posted 13 Aug 2013

    Hi;

    As a follow up question. The technique of adding content to the Tab Item is via the Action method operation. I see that in the example selecting the tab will perform a redirect operation and not open the tab with the selected content that was associated to the tab. Is this default behavior? And how can I get this to work with the content in the tab?

    Peter
  13. Atanas Korchev
    Admin
    8462 posts

    Posted 14 Aug 2013

    Hello Peter,

     Yes, this is the default behavior. Once you set the action of the tab item it starts to navigate to that action. The security trimming feature works only against the action of the tab item.

     If you don't want to set the action you can hide tabs via their Visible method:

    items.Add().Text("Hidden to all but administrators")
                .Visible(Context.User.IsInRole("Admin"));

    Regards,
    Atanas Korchev
    Telerik
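
The pattern discussed in this thread, as an added example that is not taken from the Telerik sample project or from any poster: an AuthorizeAttribute subclass that sets HttpUnauthorizedResult without calling the base OnAuthorization, the action it guards, and a TabStrip whose items use Action(). The class name TrimmableAuthorizeAttribute, the "Admin" role, and the controller and action names are assumptions.

```csharp
// Added illustration; class, role, controller and action names are hypothetical.
using System;
using System.Web.Mvc;

public class TrimmableAuthorizeAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        // Keep [AllowAnonymous] actions (the login page) reachable: under forms
        // authentication a 401 becomes a redirect to the login URL.
        var action = filterContext.ActionDescriptor;
        if (action.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.ControllerDescriptor.IsDefined(typeof(AllowAnonymousAttribute), true))
            return;

        // AuthorizeCore applies the inherited Users/Roles settings.
        // base.OnAuthorization is not called, as advised in the thread. The base
        // method also handles output caching, so do not put [OutputCache] on
        // actions guarded this way.
        if (!AuthorizeCore(filterContext.HttpContext))
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

public class HomeController : Controller
{
    public ActionResult Index() { return View(); }

    // The attribute is the access control; trimming only hides the tab. A direct
    // request to /Home/Admin by another user still ends in the 401 result.
    [TrimmableAuthorize(Roles = "Admin")]
    public ActionResult Admin() { return View(); }
}

/* Index.cshtml (Razor). Items bound with Action() are the ones trimming checks:
@(Html.Kendo().TabStrip().Name("tabs").Items(items =>
{
    items.Add().Text("Home").Action("Index", "Home");
    items.Add().Text("Admin").Action("Admin", "Home");
}))
*/
```

A tab hidden with Visible(...) gets no such server-side check, so any action that serves its content still needs the attribute.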
  14. Harper
    6 posts
    Member since:
    Oct 2013

    Posted 24 Oct

    Has this functionality changed? I'm trying to implement the same behavior, and it doesn't seem to be working. 
  15. Veselin Tsvetanov
    Admin
    290 posts

    Posted 26 Oct

    Hi Harper,

    Attached you will find a modified version of the project discussed. It uses the last available official release (R2 2016 914). On our side, the trimming behaves as expected - on initial load there is only one tab. After a log-in, a second tab is made visible.

    Could you, please, tell us how to modify this sample so it reproduces the issue faced?

    Regards,
    Veselin Tsvetanov
    Telerik by Progress
     
     
  16. Harper
    6 posts
    Member since:
    Oct 2013

    Posted 26 Oct in reply to Veselin Tsvetanov

    Veselin - I had two issues, and was able to get security trimming working by solving the first (I had my security on the API controller, not the web controller) and punting on the second (I was using a custom IAuthorizationFilter implementation instead of extending AuthorizeAttribute). If there's a way to use a custom IAuthorizationFilter with security trimming, I'd love to hear it, but I'm up and running now.
  17. Veselin Tsvetanov
    Admin
    290 posts

    Posted 27 Oct

    Hello Harper,

    In addition to the IAuthorizationFilter interface, the AuthorizeAttribute class inherits the FilterAttribute class and implements several methods and properties, needed to use it as an Attribute for a controller action. Therefore, I would recommend you to keep your implementation as it is at the moment, e.g. inheriting the AuthorizeAttribute class.

    Regards,
    Veselin Tsvetanov
    Telerik by Progress
     