I've read that the TabStrip utilizes SecurityTrimming capabilities. Explicitly stated in the documentation is if OnAuthorization returns HttpUnauthorizedResult then the tab item that made the request for the action will not be included. I have derived a class from AuthorizeAttribute and have overridden the OnAuthorization function and during a check I'm doing the following:

```csharp
filterContext.Result = new HttpUnauthorizedResult();
```

After doing this the site stays on the Login Page. What do I have to do to make the TabStrip work with the authorization I placed?
Peter
15 Answers, 1 is accepted
What you have done should be enough to support security trimming.
I have created a sample project which demonstrates the same.
Atanas Korchev
Telerik
I modified my code to perform the same things that are being done in your example and it does not work. My application stays on the login page. We have integrated Windows forms authentication in our application. Could this be getting in the way (or performing additional checks on the return of Action requests)?
Peter
As far as we know the default behavior of the OnAuthorization method is to redirect to the login page. If you avoid calling the base implementation this should not happen as in the provided example.
Regards, Atanas Korchev
Telerik
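To make the mechanism discussed above concrete, here is an added example (not code from this thread and not Telerik's implementation) of an AuthorizeAttribute subclass that sets HttpUnauthorizedResult itself and does not call the base implementation, together with a small probe that evaluates the action's authorization filters outside a live request the way a render-time trimming check would. The attribute name, the controller, the ProbeHttpContext stand-in and the probe's model of how the widget decides visibility are all assumptions for illustration; the ASP.NET MVC types used (AuthorizeAttribute, AuthorizationContext, ReflectedControllerDescriptor, FilterProviders, HttpUnauthorizedResult) are the framework's own.

```csharp
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical attribute (not from the thread or from Telerik): only members of the
// "Admin" role may invoke the actions it decorates.
public class RequireAdminAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Deliberately no call to base.OnAuthorization. The base implementation runs
        // its own Users/Roles check and, on failure, calls HandleUnauthorizedRequest,
        // which also sets an HttpUnauthorizedResult; when that result executes, the
        // 401 response is turned into a redirect to the login page by the forms
        // authentication module.
        IPrincipal user = filterContext.HttpContext.User;

        if (user == null || !user.Identity.IsAuthenticated || !user.IsInRole("Admin"))
        {
            // Short-circuits the action. A render-time probe (see TrimmingProbe below)
            // reads this result to decide whether the navigation item is shown at all.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}

// Hypothetical controller whose Index action is guarded by the attribute.
public class AdminController : Controller
{
    [RequireAdmin]
    public ActionResult Index()
    {
        return View();
    }
}

// Minimal HttpContextBase stand-in so the filter can be evaluated outside a live
// request. Constructed for this example only; a real widget uses the request context.
public class ProbeHttpContext : HttpContextBase
{
    private IPrincipal _user;

    public ProbeHttpContext(IPrincipal user)
    {
        _user = user;
    }

    public override IPrincipal User
    {
        get { return _user; }
        set { _user = value; }
    }
}

public static class TrimmingProbe
{
    // Assumed model of how a security-trimmed navigation widget decides visibility:
    // build an AuthorizationContext for the target action, run each of the action's
    // authorization filters, and hide the item if any of them produced an
    // HttpUnauthorizedResult. The widget's real implementation may differ.
    public static bool IsActionVisibleFor(IPrincipal user, string actionName)
    {
        var controllerContext = new ControllerContext(
            new ProbeHttpContext(user), new RouteData(), new AdminController());

        ActionDescriptor action = new ReflectedControllerDescriptor(typeof(AdminController))
            .FindAction(controllerContext, actionName);

        var authContext = new AuthorizationContext(controllerContext, action);

        // FilterProviders yields global filters, attribute filters and the controller
        // instance itself; only the IAuthorizationFilter ones matter here.
        foreach (IAuthorizationFilter filter in FilterProviders.Providers
            .GetFilters(controllerContext, action)
            .Select(f => f.Instance)
            .OfType<IAuthorizationFilter>())
        {
            filter.OnAuthorization(authContext);
            if (authContext.Result is HttpUnauthorizedResult)
            {
                return false;
            }
        }
        return true;
    }

    // Worked check with two constructed principals: an anonymous user and an Admin.
    public static void Demo()
    {
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        var admin = new GenericPrincipal(new GenericIdentity("admin"), new[] { "Admin" });

        System.Console.WriteLine("anonymous sees Admin tab: " + IsActionVisibleFor(anonymous, "Index"));
        System.Console.WriteLine("admin sees Admin tab:     " + IsActionVisibleFor(admin, "Index"));
    }
}
```

With these inputs the probe returns false for the anonymous principal (the attribute set HttpUnauthorizedResult, so the item would be trimmed) and true for the Admin principal. The point of the separate probe is to make visible that trimming evaluates the filter at render time, against the user rendering the page, while the login redirect only happens when the same HttpUnauthorizedResult is actually executed for a request to the guarded action.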
The base call of OnAuthorization has no effect and does not check the result of the FilterContext. The calls that are made with respect to OnAuthorization are:
- BeginInvokeAction
- InvokeAuthorizationFilters
- OnAuthorization
In the BeginInvokeAction is where the Result is evaluated:
```csharp
// Decompiled fragment of AsyncControllerActionInvoker.BeginInvokeAction; names such as
// cS$<>8_locals24 and <>4__this are compiler-generated closure fields.
AsyncControllerActionInvoker.AsyncControllerActionInvoker cS$<>8_locals24 = variable1;
AuthorizationContext authorizationContext = this.InvokeAuthorizationFilters(controllerContext, filters.AuthorizationFilters, actionDescriptor);
if (authorizationContext.Result == null)
{
    AsyncControllerActionInvoker.AsyncControllerActionInvoker variable = variable1;
    if (controllerContext.Controller.ValidateRequest)
    {
        ControllerActionInvoker.ValidateRequest(controllerContext);
    }
    IDictionary<string, object> parameterValues = this.GetParameterValues(controllerContext, actionDescriptor);
    IAsyncResult asyncResult2 = this.BeginInvokeActionMethodWithFilters(controllerContext, filters.ActionFilters, actionDescriptor, parameterValues, asyncCallback, asyncState);
    action = () => {
        ActionExecutedContext actionExecutedContext = variable.<>4__this.EndInvokeActionMethodWithFilters(asyncResult2);
        variable.<>4__this.InvokeActionResultWithFilters(variable.controllerContext, filters.ResultFilters, actionExecutedContext.Result);
    };
    IAsyncResult asyncResult1 = asyncResult2;
    return asyncResult1;
}
else
{
    action = () => cS$<>8_locals24.<>4__this.InvokeActionResult(cS$<>8_locals24.controllerContext, authorizationContext.Result);
}
```
The behavior is such that when the Result has been set then the logic performs additional operations based on the result, and does not go through the standard processing. It looks like the standard evaluation is to check the validation of the result. In this case it is an unauthorized result and as such the default operation is activated, which is to return to the login page. From what I've read this is exactly how it is supposed to work, so your assumption that calling base is what is causing the operation to fail is INCORRECT. I would appreciate if you could validate your statements before making them. I would also like to know how to get around this limitation. Based on your statements I get the impression that Telerik did not test out security trimming with Authentication activated.
Please let me know the solution as soon as possible. I have people who are wondering why this is not working [as described in Kendo UI documentation].
Peter
We are not sure why things are not working at your side provided that we attached a working sample. Thus we would ask you to modify that project so it mimics closely your setup. Once we reproduce the problem at our side we would get back with a solution.
Regards, Atanas Korchev
Telerik
I would prefer that you modify your example to match what I had stated in my original email. That was Security Trimming was not working, a return to login occurs. I.E. I have a project that has authentication activated via Windows forms. The example you supplied does work but it does not have Windows Forms authentication activated. So the problem is that you supplied an example that did not work against my use case. I do not appreciate you requesting me to check your example across my use case. This is something you should be doing. I don't work for Telerik. If you can supply an example project with security trimming active and authentication activated it would be greatly appreciated.
Peter
We are not sure we understand what "authentication activated via Windows forms" means. As far as we know ASP.NET supports the following forms of authentication:
- Windows
- Forms
So are you using windows or forms authentication?
Atanas Korchev
Telerik
I apologize for the ambiguity of my statement about authentication method. We are using forms authentication.
Peter
Find attached updated sample project which uses forms authentication (the default implementation provided by the Internet application project template). When you run it you should see only one tab. If you log in with user admin and password 123456 you would see the other tab.
I hope this helps, Atanas Korchev
Telerik
As a follow-up question. The technique of adding content to the Tab Item is via the Action method operation. I see that in the example selecting the tab will perform a redirect operation and not open the tab with the selected content that was associated to the tab. Is this default behavior? And how can I get this to work with the content in the tab.
Peter
Yes, this is the default behavior. Once you set the action of the tab item it starts to navigate to that action. The security trimming feature works only against the action of the tab item.
If you don't want to set the action you can hide tabs via their Visible method:

```csharp
items.Add().Text("Hidden to all but administrators")
    .Visible(Context.User.IsInRole("Admin"));
```
Atanas Korchev
Telerik
Attached you will find a modified version of the project discussed. It uses the last available official release (R2 2016 914). On our side, the trimming behaves as expected - on initial load there is only one tab. After a log-in, a second tab is made visible.
Could you, please, tell us how to modify this sample so it reproduces the issue faced?
Regards,
Veselin Tsvetanov
Telerik by Progress
In addition to the IAuthorizationFilter interface, the AuthorizeAttribute class inherits FilterAttribute class and implements several methods and properties, needed to use it as an Attribute for a controller action. Therefore, I would recommend you to keep your implementation as it is at the moment, e.g. inheriting the AuthorizeAttribute class.
Regards,
Veselin Tsvetanov
Telerik by Progress