FluentSecurity: RequireRolePolicyViolationHandler does not get called
Question
I have a ASP.NET MVC page with FluentSecurity. I have it set up using Ninject according to this article . I have a DenyAnonymousAccessPolicyViolationHandler that works well. I added a RequireRolePolicyViolationHandler .
In my setup, I have
configuration.For<SettingsController>().RequireRole(CMSRoles.Admin);
If I navigate to the SettingsController with a user without the required role, the RequireRolePolicyViolationHandler does not get called. Instead I am redirected to the LogOn page as defined in web.config .
Am I missing something? According to the FluentSecurity documentation it should work.
EDIT : I have a custom RoleProvider registered and I use it with FluentSecurity:
configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
configuration.GetRolesFrom(() => Roles.GetRolesForUser(HttpContext.Current.User.Identity.Name));
EDIT : I created a minimal sample app: https://dl.dropboxusercontent.com/u/73642/MvcApplication1.zip . If you go to /Logged that you are redirected to the login page so the DenyAnonymousAccessPolicyViolationHandler works. You can login with any username and password you want. The go to Settings and you see that you are redirected to the login page instead of RequireRolePolicyViolationHandler beeing executed.
1 answers
solution1
0 ACCPTED 2013-07-09 15:34:50
Here's how I have it set up, hope this helps:
In App_Start/NinjectWebCommon.cs I bind the policy handlers:
kernel.Bind<IPolicyViolationHandler>().To<DenyAnonymousAccessPolicyViolationHandler>();
kernel.Bind<IPolicyViolationHandler>().To<RequireRolePolicyViolationHandler>();
I also configure Fluent Security like this (using Ninject Service Locator):
var locator = new NinjectServiceLocator(kernel);
ServiceLocator.SetLocatorProvider(() => locator);
SecurityConfigurator.Configure(
configuration =>
{
configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
configuration.GetRolesFrom(SecurityHelpers.UserRoles);
//HomeController and other configurations
configuration.For<HomeController>().Ignore();
configuration.ResolveServicesUsing(ServiceLocator.Current.GetAllInstances);
}
);
GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);
Then for each policy, I have an implementation of IPolicyViolationHandler
public class RequireRolePolicyViolationHandler : IPolicyViolationHandler
{
public ActionResult Handle(PolicyViolationException exception)
{
//Make sure you're redirecting to the desired page here. You should put a stop here to debug it and see if it's being hit.
return new HttpUnauthorizedResult(exception.Message);
}
}
I have a working solution using Custom Membership/Role Providers and Fluent Security. I posted what I think is the core configuration. Hope this helps.
EDIT: Added how to get roles.
public static class SecurityHelpers
{
public static IEnumerable<object> UserRoles()
{
var currentUser = HttpContext.Current.User.Identity.Name;
var roles = Roles.Providers["MemberAccountRoleProvider"]; //Custom Role Provider Name
return currentUser != null ? roles.GetRolesForUser(currentUser).Cast<object>().ToArray() : null;
}
}
EDIT 2 : I looked at your code and it's working fine. Add this to your code so that you can redirect to where you want. Right now you're just returning an Http results:
public class RequireRolePolicyViolationHandler : IPolicyViolationHandler
{
public ActionResult Handle(PolicyViolationException exception)
{
//return new HttpUnauthorizedResult(exception.Message);
return
new RedirectToRouteResult(
new RouteValueDictionary(new { action = "Test", controller = "Account"})); //Created a view for testing
}
}
When I try to get the settings page I'm hitting the RequireRolePolicyViolationHandler.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.