This is a migrated thread and some comments may be shown as answers.

Security Trimming - TabStrip

15 Answers 154 Views
TabStrip
Peter
Top achievements
Rank 1
Peter asked on 08 Aug 2013, 03:42 PM
Hi;

I've read that the TabStrip utilizes SecurityTrimming capabilities. Explicitly stated in the documentation is if OnAuthorization returns HttpUnauthorizedResult then the tab item that made the request for the action will not be included. I have derived a class from AuthorizeAttribute and have overridden the OnAuthorization function and during a check I'm doing the following:
filterContext.Result = new HttpUnauthorizedResult();

After doing this the site stays on the Login Page. What do I have to do to make the TabStrip work with the authorization I placed?

Peter

15 Answers, 1 is accepted

0
Atanas Korchev
Telerik team
answered on 12 Aug 2013, 08:52 AM
Hello Peter,

What you have done should be enough to support security trimming.

I have created a sample project which demonstrates the same.

Regards,
Atanas Korchev
Telerik
0
Peter
Top achievements
Rank 1
answered on 12 Aug 2013, 01:34 PM
Hi;

I modified my code to perform the same things that are being done in your example and it does not work. My application stays on the login page. We have integrated Windows forms authentication in our application. Could this be getting in the way (or performing additional checks on the return of Action requests)?

Peter
0
Atanas Korchev
Telerik team
answered on 13 Aug 2013, 07:41 AM
Hi Peter,

 As far as we know the default behavior of the OnAuthorization method is to redirect to the login page. If you avoid calling the base implementation this should not happen as in the provided example.

Regards,
Atanas Korchev
Telerik
0
Peter
Top achievements
Rank 1
answered on 13 Aug 2013, 10:51 AM
Hi;

The base call of OnAuthorization has no effect and does not check the result of the FilterContext. The calls that are made with respect to OnAuthorization are:

  • BeginInvokeAction
  • InvokeAuthorizationFilters
  • OnAuthorization

In the BeginInvokeAction is where the Result is evaluated:

-------------------------------------------------------------------------------------------------------------------------------

    AsyncControllerActionInvoker.AsyncControllerActionInvoker cSu0024u003cu003e8_locals24 = variable1;
    AuthorizationContext authorizationContext = this.InvokeAuthorizationFilters(controllerContext, filters.AuthorizationFilters, actionDescriptor);
    if (authorizationContext.Result == null)
    {
        AsyncControllerActionInvoker.AsyncControllerActionInvoker variable = variable1;
        if (controllerContext.Controller.ValidateRequest)
        {
            ControllerActionInvoker.ValidateRequest(controllerContext);
        }
        IDictionary<string, object> parameterValues = this.GetParameterValues(controllerContext, actionDescriptor);
        IAsyncResult asyncResult2 = this.BeginInvokeActionMethodWithFilters(controllerContext, filters.ActionFilters, actionDescriptor, parameterValues, asyncCallback, asyncState);
        action = () => {
            ActionExecutedContext actionExecutedContext = variable.u003cu003e4__this.EndInvokeActionMethodWithFilters(asyncResult2);
            variable.u003cu003e4__this.InvokeActionResultWithFilters(variable.controllerContext, filters.ResultFilters, actionExecutedContext.Result);
        };
        IAsyncResult asyncResult1 = asyncResult2;
        return asyncResult1;
    }
    else
    {
        action = () => cSu0024u003cu003e8_locals24.u003cu003e4__this.InvokeActionResult(cSu0024u003cu003e8_locals24.controllerContext, authorizationContext.Result);
    }


---------------------------------------------------------------------------------------------------------------------------------------------------------
The behavior is such that when the Result has been set then the logic performs additional operations based on the result, and does not go through the standard processing. It looks like the standard evaluation is to check the validation of the result. In this case it is an unauthorized result and as such the default operation is activated, which is to return to the login page. From what I've read this is exactly how it is supposed to work. So your assumption that calling base is what is causing the operation to fail is INCORRECT. I would appreciate if you could validate your statements before making them. I would also like to know how to get around this limitation. Based on your statements I get the impression that Telerik did not test out security trimming with Authentication activated.

Please let me know the solution as soon as possible. I have people who are wondering why this is not working [as described in Kendo UI documentation].



Peter
0
Atanas Korchev
Telerik team
answered on 13 Aug 2013, 10:58 AM
Hi Peter,

 We are not sure why things are not working at your side provided that we attached a working sample. Thus we would ask you to modify that project so it mimics closely your setup. Once we reproduce the problem at our side we would get back with a solution.

Regards,
Atanas Korchev
Telerik
0
Peter
Top achievements
Rank 1
answered on 13 Aug 2013, 11:09 AM
Hi;

I would prefer that you modify your example to match what I had stated in my original email. That was Security Trimming was not working, a return to login occurs. I.E. I have a project that has authentication activated via Windows forms. The example you supplied does work but it does not have Windows Forms authentication activated. So the problem is that you supplied an example that did not work against my use case. I do not appreciate you requesting me to check your example across my use case. This is something you should be doing. I don't work for Telerik. If you can supply an example project with security trimming active and authentication activated it would be greatly appreciated.

Peter
0
Atanas Korchev
Telerik team
answered on 13 Aug 2013, 11:15 AM
Hello Peter,

We are not sure we understand what "authentication activated via Windows forms" means. As far as we know ASP.NET supports the following forms of authentication:

- Windows
- Forms

So are you using windows or forms authentication?

Regards,
Atanas Korchev
Telerik
0
Peter
Top achievements
Rank 1
answered on 13 Aug 2013, 11:18 AM
Hi;

I apologize for the ambiguity of my statement about authentication method. We are using forms authentication.

Peter
0
Accepted
Atanas Korchev
Telerik team
answered on 13 Aug 2013, 11:29 AM
Hi Peter,

 Find attached updated sample project which uses forms authentication (the default implementation provided by the Internet application project template). When you run it you should see only one tab. If you log in with user admin and password 123456 you would see the other tab. 

I hope this helps,
Atanas Korchev
Telerik
0
Peter
Top achievements
Rank 1
answered on 13 Aug 2013, 07:27 PM
Hi;

As a follow up question. The technique of adding content to the Tab Item is via the Action method operation. I see that in the example selecting the tab will perform a redirect operation and not open the tab with the selected content that was associated to the tab. Is this default behavior? And how can I get this to work with the content in the tab?

Peter
0
Atanas Korchev
Telerik team
answered on 14 Aug 2013, 06:00 AM
Hello Peter,

 Yes, this is the default behavior. Once you set the action of the tab item it starts to navigate to that action. The security trimming feature works only against the action of the tab item.

 If you don't want to set the action you can hide tabs via their Visible method:

items.Add().Text("Hidden to all but administrators")
            .Visible(Context.User.IsInRole("Admin"));

Regards,
Atanas Korchev
Telerik
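
The setup the replies above describe, written out as an added example (it is not the attached sample project, which is not reproduced on this page): an attribute derived from AuthorizeAttribute that skips the base call and returns HttpUnauthorizedResult, applied to the MVC action a tab item points at. `RequireRoleAttribute`, `AdminController` and the tab text are assumed names; the "Admin" role is taken from the snippet above.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical attribute name. Derives from AuthorizeAttribute rather than
// implementing IAuthorizationFilter directly.
public sealed class RequireRoleAttribute : AuthorizeAttribute
{
    private readonly string _role;

    public RequireRoleAttribute(string role)
    {
        if (string.IsNullOrWhiteSpace(role))
            throw new ArgumentException("A role name is required.", "role");
        _role = role;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // base.OnAuthorization is deliberately not called here.
        var user = filterContext.HttpContext.User;
        bool allowed = user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(_role);

        if (!allowed)
        {
            // Fail closed: this is the result security trimming looks for
            // when deciding whether to render the tab item.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

// Hypothetical controller. The attribute sits on the MVC action the tab
// navigates to, not on a Web API controller.
public class AdminController : Controller
{
    // View side (assumed tab text): items.Add().Text("Admin").Action("Index", "Admin");
    [RequireRole("Admin")]
    public ActionResult Index()
    {
        return View();
    }
}
```

Trimming and Visible(...) only decide whether the tab is rendered; the attribute on the action is what rejects a direct request to its URL. Because the base method is skipped, the output-cache validation that AuthorizeAttribute normally registers does not run, so keep [OutputCache] off actions guarded this way.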
0
Harper
Top achievements
Rank 1
answered on 24 Oct 2016, 08:59 PM
Has this functionality changed? I'm trying to implement the same behavior, and it doesn't seem to be working. 
0
Veselin Tsvetanov
Telerik team
answered on 26 Oct 2016, 01:06 PM
Hi Harper,

Attached you will find a modified version of the project discussed. It uses the last available official release (R2 2016 914). On our side, the trimming behaves as expected - on initial load there is only one tab. After a log-in, a second tab is made visible.

Could you, please, tell us how to modify this sample so it reproduces the issue faced?

Regards,
Veselin Tsvetanov
Telerik by Progress
 
 
0
Harper
Top achievements
Rank 1
answered on 26 Oct 2016, 04:47 PM
Veselin - I had two issues, and was able to get security trimming working by solving the first (I had my security on the API controller, not the web controller) and punting on the second (I was using a custom IAuthorizationFilter implementation instead of extending AuthorizeAttribute). If there's a way to use a custom IAuthorizationFilter with security trimming, I'd love to hear it, but I'm up and running now.
0
Veselin Tsvetanov
Telerik team
answered on 27 Oct 2016, 01:50 PM
Hello Harper,

In addition to the IAuthorizationFilter interface, the AuthorizeAttribute class inherits FilterAttribute class and implements several methods and properties, needed to use it as an Attribute for a controller action. Therefore, I would recommend you to keep your implementation as it is at the moment, e.g. inheriting the AuthorizeAttribute class.

Regards,
Veselin Tsvetanov
Telerik by Progress
 