public async Task Filter_SkipsAntiforgeryVerification_WhenOverridden() { // Arrange var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict); antiforgery .Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>())) .Returns(Task.FromResult(0)) .Verifiable(); var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance); var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor()); actionContext.HttpContext.Request.Method = "POST"; var context = new AuthorizationContext(actionContext, new IFilterMetadata[] { filter, new IgnoreAntiforgeryTokenAttribute(), }); // Act await filter.OnAuthorizationAsync(context); // Assert antiforgery.Verify(a => a.ValidateRequestAsync(It.IsAny<HttpContext>()), Times.Never()); }
/// <inheritdoc /> public Task OnAuthorizationAsync(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (context == null) { throw new ArgumentNullException(nameof(context)); } if (context == null) { throw new ArgumentNullException(nameof(context)); } var accessControlRequestMethod = context.HttpContext.Request.Headers[CorsConstants.AccessControlRequestMethod]; if (string.Equals( context.HttpContext.Request.Method, CorsConstants.PreflightHttpMethod, StringComparison.Ordinal) && !StringValues.IsNullOrEmpty(accessControlRequestMethod)) { // Short circuit if the request is preflight as that should not result in action execution. context.Result = new HttpStatusCodeResult(StatusCodes.Status200OK); } // Let the action be executed. return Task.FromResult(true); }
public override void OnAuthorization(AuthorizationContext context) { if (context.ActionDescriptor.DisplayName == "FiltersWebSite.ProductsController.GetPrice") { context.HttpContext.Response.Headers.Append("filters", "Global Authorization Filter - OnAuthorization"); } }
public Task OnAuthorizationAsync(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } return _antiforgery.ValidateRequestAsync(context.HttpContext); }
protected virtual bool ShouldValidate(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } return true; }
public override async Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.Filters.AuthorizationContext context) { if (!context.Filters.Any(item => item is IAllowAnonymousFilter)) { if (!context.Filters.Any(item => item is IAsyncAuthorizationFilter && item.GetType() != this.GetType())) { await base.OnAuthorizationAsync(context); } //to do:权限判断 } }
public override void OnAuthorization(AuthorizationContext context) { if (!HasAllowAnonymous(context)) { var user = context.HttpContext.User; var userIsAnonymous = user == null || user.Identity == null || !user.Identity.IsAuthenticated; if (userIsAnonymous) { base.Fail(context); } } }
public static void AfterOnAuthorization( this DiagnosticSource diagnosticSource, AuthorizationContext authorizationContext, IAuthorizationFilter filter) { if (diagnosticSource.IsEnabled("Microsoft.AspNet.Mvc.AfterOnAuthorization")) { diagnosticSource.Write( "Microsoft.AspNet.Mvc.AfterOnAuthorization", new { actionDescriptor = authorizationContext.ActionDescriptor, authorizationContext = authorizationContext, filter = filter }); } }
protected override bool ShouldValidate(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } var method = context.HttpContext.Request.Method; if (string.Equals("GET", method, StringComparison.OrdinalIgnoreCase) || string.Equals("HEAD", method, StringComparison.OrdinalIgnoreCase) || string.Equals("TRACE", method, StringComparison.OrdinalIgnoreCase) || string.Equals("OPTIONS", method, StringComparison.OrdinalIgnoreCase)) { return false; } // Anything else requires a token. return true; }
public async Task OnAuthorizationAsync(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } if (IsClosestAntiforgeryPolicy(context.Filters) && ShouldValidate(context)) { try { await _antiforgery.ValidateRequestAsync(context.HttpContext); } catch (AntiforgeryValidationException exception) { _logger.AntiforgeryTokenInvalid(exception.Message, exception); context.Result = new BadRequestResult(); } } }
public void OnAuthorization(AuthorizationContext context) { if (context.HttpContext.Request.Method == "OPTIONS") { return; } var authToken = ((FrameRequestHeaders)context.HttpContext.Request.Headers).HeaderAuthorization; if (Authorize(authToken) == false) { context.Result = new HttpStatusCodeResult(403); return; } if (AllowAction(authToken) == false) { context.Result = new HttpStatusCodeResult(403); return; } }
public async Task Filter_ValidatesAntiforgery_ForAllMethods(string httpMethod) { // Arrange var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict); antiforgery .Setup(a => a.ValidateRequestAsync(It.IsAny<HttpContext>())) .Returns(Task.FromResult(0)) .Verifiable(); var filter = new ValidateAntiforgeryTokenAuthorizationFilter(antiforgery.Object, NullLoggerFactory.Instance); var actionContext = new ActionContext(new DefaultHttpContext(), new RouteData(), new ActionDescriptor()); actionContext.HttpContext.Request.Method = httpMethod; var context = new AuthorizationContext(actionContext, new[] { filter }); // Act await filter.OnAuthorizationAsync(context); // Assert antiforgery.Verify(); }
public override void OnAuthorization(AuthorizationContext actionContext) { bool skipAuthorization = actionContext.ActionDescriptor.FilterDescriptors.Any(f => f.Filter.GetType() == typeof(AllowAnonymousFilter)); if (!skipAuthorization) { if (actionContext.HttpContext.Request.Headers.Any(h => h.Key.Equals("Authorization"))) { StringValues authHeader = StringValues.Empty; if (!actionContext.HttpContext.Request.Headers.TryGetValue("Authorization", out authHeader)) throw new ApplicationException("Could not find authroization header"); var creds = ParseAuthHeader(authHeader); var username = creds[0]; var password = creds[1]; Retry.Do(() => { IUser user; if (IsValidUser(username, password, out user)) { var principal = new UserPrincipal(user); Thread.CurrentPrincipal = principal; if (actionContext.HttpContext != null) actionContext.HttpContext.User = principal; } }, TimeSpan.FromMilliseconds(200)); } else { actionContext.HttpContext.Response.Headers.Add("WWW-Authenticate", new[] { "Basic" }); actionContext.Result = new HttpUnauthorizedResult(); } } base.OnAuthorization(actionContext); }
/// <summary> /// 执行权限验证,如果Action上存在AllowAnonymous的Attribute,则不进行验证, /// 存在Bearer的AuthorizeFilter,则只进行权限验证, /// 如果二者都不存在,则进行OAuth的验证 /// </summary> /// <param name="context">验证请求上下文</param> /// <returns></returns> public override async Task OnAuthorizationAsync(Microsoft.AspNet.Mvc.Filters.AuthorizationContext context) { if (!context.Filters.Any(item => item is IAllowAnonymous)) { if (!context.Filters.Any(item => item is AuthorizeFilter && (item as AuthorizeFilter).Policy.AuthenticationSchemes.Contains("Bearer") && item.GetType() != GetType())) { await base.OnAuthorizationAsync(context); } var result = await FrameworkConfig.IocConfig.Resolve <PermissionService>().Authorize(context); if (!result) { ErrorApiResult content = new ErrorApiResult(); content.Result = false; content.ErrorMsg = Resource.ResourceManager.GetString("ERROR_NOT_PERMISSION"); content.ErrorCode = InnerErrorCode.NOT_PERMISSION; await content.ExecuteResultAsync(context, HttpStatusCode.Unauthorized); } } }
/// <summary> /// Called when authorization is required. /// </summary> /// <param name="context">The filter context.</param> /// <returns>A task representing this function.</returns> /// <exception cref="System.ArgumentNullException">The <paramref name="context"/> parameter is <c>null</c>.</exception> public Task OnAuthorizationAsync(AuthorizationContext context) { if (context == null) { throw new ArgumentNullException(nameof(context)); } HttpRequest request = context.HttpContext.Request; string headerTokenValue = request.Headers[RequestVerificationTokenHttpHeaderName]; // Ajax POSTs using jquery have a header set that defines the token. // However using unobtrusive ajax the token is still submitted normally in the form. // if the header is present then use it, else fall back to processing the form like normal. if (headerTokenValue != null) { string antiForgeryCookieValue = request.Cookies[this.antiForgeryCookieName]; this.antiforgery.ValidateTokens(context.HttpContext, new AntiforgeryTokenSet(headerTokenValue, antiForgeryCookieValue)); return Task.FromResult<object>(null); } else { return this.antiforgery.ValidateRequestAsync(context.HttpContext); } }
public override void OnAuthorization(AuthorizationContext context) { throw new InvalidProgramException("Authorization Filter Threw"); }
#pragma warning disable 1998 public override async Task OnAuthorizationAsync(AuthorizationContext context) { }
private AuthorizationContext GetAuthorizationContext( FilterDescriptor[] filterDescriptors, RequestHeaders headers = null, bool isPreflight = false) { // HttpContext var httpContext = new DefaultHttpContext(); if (headers != null) { httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestHeaders, headers.Headers.Split(',')); httpContext.Request.Headers.Add(CorsConstants.AccessControlRequestMethod, new[] { headers.Method }); httpContext.Request.Headers.Add(CorsConstants.AccessControlExposeHeaders, headers.ExposedHeaders.Split(',')); httpContext.Request.Headers.Add(CorsConstants.Origin, new[] { headers.Origin }); } var services = new ServiceCollection(); services.AddInstance<ILoggerFactory>(NullLoggerFactory.Instance); httpContext.RequestServices = services.BuildServiceProvider(); var method = isPreflight ? CorsConstants.PreflightHttpMethod : "GET"; httpContext.Request.Method = method; // AuthorizationContext var actionContext = new ActionContext( httpContext: httpContext, routeData: new RouteData(), actionDescriptor: new ActionDescriptor() { FilterDescriptors = filterDescriptors }); var authorizationContext = new AuthorizationContext( actionContext, filterDescriptors.Select(filter => filter.Filter).ToList() ); return authorizationContext; }
public void OnAuthorization(AuthorizationContext context) { Apply(context.HttpContext); }
public override void OnAuthorization(AuthorizationContext context) { context.HttpContext.Response.Headers.Append("filters", "On Controller Authorization Filter - OnAuthorization"); }
public virtual Task OnAuthorizationAsync([NotNull] AuthorizationContext context) { OnAuthorization(context); return(TaskCache.CompletedTask); }
public virtual void OnAuthorization([NotNull] AuthorizationContext context) { }
protected virtual bool HasAllowAnonymous([NotNull] AuthorizationContext context) { return(context.Filters.Any(item => item is IAllowAnonymous)); }
protected virtual void Fail([NotNull] AuthorizationContext context) { context.Result = new HttpUnauthorizedResult(); }
private AuthorizationContext GetAuthorizationContext(Action <ServiceCollection> registerServices, bool anonymous = false) { var basicPrincipal = new ClaimsPrincipal( new ClaimsIdentity( new Claim[] { new Claim("Permission", "CanViewPage"), new Claim(ClaimTypes.Role, "Administrator"), new Claim(ClaimTypes.Role, "User"), new Claim(ClaimTypes.NameIdentifier, "John") }, "Basic")); var validUser = basicPrincipal; var bearerIdentity = new ClaimsIdentity( new Claim[] { new Claim("Permission", "CupBearer"), new Claim(ClaimTypes.Role, "Token"), new Claim(ClaimTypes.NameIdentifier, "John Bear") }, "Bearer"); var bearerPrincipal = new ClaimsPrincipal(bearerIdentity); validUser.AddIdentity(bearerIdentity); // ServiceProvider var serviceCollection = new ServiceCollection(); if (registerServices != null) { serviceCollection.AddOptions(); serviceCollection.AddLogging(); registerServices(serviceCollection); } var serviceProvider = serviceCollection.BuildServiceProvider(); // HttpContext var httpContext = new Mock <HttpContext>(); var auth = new Mock <AuthenticationManager>(); httpContext.Setup(o => o.Authentication).Returns(auth.Object); httpContext.SetupProperty(c => c.User); if (!anonymous) { httpContext.Object.User = validUser; } httpContext.SetupGet(c => c.RequestServices).Returns(serviceProvider); auth.Setup(c => c.AuthenticateAsync("Bearer")).ReturnsAsync(bearerPrincipal); auth.Setup(c => c.AuthenticateAsync("Basic")).ReturnsAsync(basicPrincipal); auth.Setup(c => c.AuthenticateAsync("Fails")).ReturnsAsync(null); // AuthorizationContext var actionContext = new ActionContext( httpContext: httpContext.Object, routeData: new RouteData(), actionDescriptor: new ActionDescriptor()); var authorizationContext = new AuthorizationContext( actionContext, Enumerable.Empty <IFilterMetadata>().ToList() ); return(authorizationContext); }
public void OnAuthorization(AuthorizationContext context) { Assert.NotNull(context.ModelState.MaxAllowedErrors); Assert.Equal(_expectedMaxAllowedErrors, context.ModelState.MaxAllowedErrors); }
public virtual void OnAuthorization(AuthorizationContext context) { }