granadaCoder
Reputation: 27852
WebApi Custom System.Web.Http.AuthorizeAttribute does not recognize custom ClaimsPrincipal
Here is a link to the source code that I will explain below.
http://www.filehosting.org/file/details/510152/CustomPrincipalSimpleSOFExample.zip
I have an issue where I am trying to set a (custom) ClaimsPrincipal. And then have access to it in a custom System.Web.Mvc.AuthorizeAttribute (mvc) and also a custom System.Web.Http.AuthorizeAttribute (webapi).
Things work fine and as expected in the custom System.Web.Mvc.AuthorizeAttribute. However, in the custom System.Web.Http.AuthorizeAttribute (webapi), when I search for a cookie I set earlier, the custom ClaimsPrincipal turns into a GenericPrincipal. (Or perhaps the custom ClaimsPrincipal never gets "set").
Here is the "trigger" code.
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
/* alternate the below value for invokeFormsAuthenticationTicketCode.. either true or false to see the issue */
bool invokeFormsAuthenticationTicketCode = true;
/* when "true", the MyCustomWebApiAuthorizeAttribute contains a GenericPrincipal IPrincipal, not a MyCustomClaimsPrincipal*/
if (invokeFormsAuthenticationTicketCode)
{
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
/* we found the cookie set in the HomeController-Index (which simulates a user-successful login */
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
Employee empFromCookie = JsonConvert.DeserializeObject<Employee>(authTicket.UserData);
if (null == empFromCookie)
{
throw new ArgumentNullException("Employee did not serialize from Cookie correctly.");
}
////////IIdentity iid = new GenericIdentity("I_Started_In_Application_PostAuthenticateRequest.GenericIdentity");
/* so we know the simulation of the user-login "passed" because the cookie exists..lets set the MyCustomClaimsPrincipal */
MyCustomClaimsIdentity iid = new MyCustomClaimsIdentity(new GenericIdentity("I_Started_In_Application_PostAuthenticateRequest.MyCustomClaimsIdentity.invokeFormsAuthenticationTicketCode = true"));
MyCustomClaimsPrincipal princ = new MyCustomClaimsPrincipal(iid);
Thread.CurrentPrincipal = princ;
HttpContext.Current.User = princ;
}
/* so I realize that here...on the first pass through of this code.... the "Thread.CurrentPrincipal" and "HttpContext.Current.User" are not being set */
}
else
{
MyCustomClaimsIdentity iid = new MyCustomClaimsIdentity(new GenericIdentity("I_Started_In_Application_PostAuthenticateRequest.MyCustomClaimsIdentity.invokeFormsAuthenticationTicketCode = false"));
MyCustomClaimsPrincipal princ = new MyCustomClaimsPrincipal(iid);
Thread.CurrentPrincipal = princ;
HttpContext.Current.User = princ;
}
}
Here is the custom Mvc AuthorizeAttribute
public class MyCustomMvcAuthorizeAttribute : AuthorizeAttribute
{
public MyCustomMvcAuthorizeAttribute()
{ }
public override void OnAuthorization(System.Web.Mvc.AuthorizationContext filterContext)
{
IPrincipal x = HttpContext.Current.User;
IPrincipal z = ClaimsPrincipal.Current;
if (x.GetType() != typeof(MyCustomClaimsPrincipal))
{
throw new ArgumentOutOfRangeException("IPrincipal was not of type MyCustomClaimsPrincipal as expected");
/* whether or not 'invokeFormsAuthenticationTicketCode = true or = false', this is always a MyCustomClaimsPrincipal */
}
}
protected override bool AuthorizeCore(System.Web.HttpContextBase httpContext)
{
IPrincipal x = HttpContext.Current.User;
IPrincipal z = ClaimsPrincipal.Current;
if (x.GetType() != typeof(MyCustomClaimsPrincipal))
{
throw new ArgumentOutOfRangeException("IPrincipal was not of type MyCustomClaimsPrincipal as expected");
/* whether or not 'invokeFormsAuthenticationTicketCode = true or = false', this is always a MyCustomClaimsPrincipal */
}
return true;
}
}
Here is the custom webApi custom AuthorizeAttribute
public class MyCustomWebApiAuthorizeAttribute : AuthorizeAttribute
{
public MyCustomWebApiAuthorizeAttribute()
{ }
public override void OnAuthorization(HttpActionContext actionContext)
{
bool issueWasHit = false;
IPrincipal x = HttpContext.Current.User;
IPrincipal z = ClaimsPrincipal.Current;
if(x.GetType() != typeof(MyCustomClaimsPrincipal))
{
//throw new ArgumentOutOfRangeException("IPrincipal was not of type MyCustomClaimsPrincipal as expected");
string thisIsTheIssue = "This is the issue. When 'invokeFormsAuthenticationTicketCode = true', this is a GenericPrincipal, not a MyCustomClaimsPrincipal";
issueWasHit = true;
}
base.OnAuthorization(actionContext);
}
protected override bool IsAuthorized(HttpActionContext actionContext)
{
bool issueWasHit = false;
IPrincipal x = HttpContext.Current.User;
IPrincipal z = ClaimsPrincipal.Current;
if (x.GetType() != typeof(MyCustomClaimsPrincipal))
{
//throw new ArgumentOutOfRangeException("IPrincipal was not of type MyCustomClaimsPrincipal as expected");
string thisIsTheIssue = "This is the issue. When 'invokeFormsAuthenticationTicketCode = true', this is a GenericPrincipal, not a MyCustomClaimsPrincipal";
issueWasHit = true;
}
return true;
}
}
Here are my custom IIdentity (ClaimsIdentity) and IPrincipal (ClaimsPrincipal)
public class MyCustomClaimsIdentity : ClaimsIdentity
{
public MyCustomClaimsIdentity(IIdentity identity)
: base(identity)
{ }
}
public class MyCustomClaimsPrincipal : ClaimsPrincipal
{
public MyCustomClaimsPrincipal(IIdentity iid)
: base(iid)
{ }
}
So I started with a new MVC4 project. Which gives you a HomeController (mvc) and a ValuesController (webapi apicontroller).
Here is the altered code for those out of the box classes. HomeController.MyHomeControllerAlternateActionResult gets the custom attribute. and the "Index" simulates a user-login by setting a cookie that the global.asxa.cs (Application_PostAuthenticateRequest method) will pick up on later.
public class HomeController : Controller
{
public ActionResult Index()
{
/* the below is simulating a user-login... the main-thing is that it is setting a "FormsAuthentication.FormsCookieName" cookie */
Employee e = new Employee();
e.SSN = "999-99-9999";
string serializedUser = JsonConvert.SerializeObject(e,
Formatting.None,
new JsonSerializerSettings()
{
ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
});
/* so the point here is to just throw something in the "FormsAuthentication.FormsCookieName" cookie */
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
1,
e.SSN,
DateTime.Now,
DateTime.Now.AddMinutes(15),
false,
serializedUser);
string encTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
Response.Cookies.Add(faCookie);
/* cookie is in place, now redirect */
return RedirectToAction("MyHomeControllerAlternateActionResult");
}
[MyCustomMvcAuthorizeAttribute]
public ActionResult MyHomeControllerAlternateActionResult()
{
IEnumerable<string> modelViaWay1 = null;
////////IEnumerable<string> modelViaWay2 = null;
////////IEnumerable<string> modelViaWay3 = null;
string json = string.Empty;
using (var client = new HttpClient())
{
string valuesControllerUrl = Url.RouteUrl(
"DefaultApi",
new { httproute = "", controller = "Values" }, /* ValuesController */
Request.Url.Scheme
);
modelViaWay1 = client
.GetAsync(valuesControllerUrl)
.Result
.Content.ReadAsAsync<IEnumerable<string>>().Result;
////////HttpResponseMessage response = client.GetAsync(valuesControllerUrl).Result;
////////json = response.Content.ReadAsStringAsync().Result;
////////modelViaWay2 = JsonConvert.DeserializeObject<IEnumerable<string>>(json);
////////modelViaWay3 = response.Content.ReadAsAsync<IEnumerable<string>>().Result;
}
return View(); /* this will throw a "The view 'MyHomeControllerAlternateActionResult' or its master was not found or no view engine supports the searched locations" error, but that's not the point of this demo. */
}
}
And the values controller, which simply adds the (webapi) custom authorizeattribute
[MyCustomWebApiAuthorizeAttribute]
public class ValuesController : ApiController
{
// GET api/values
public IEnumerable<string> Get()
{
var x = HttpContext.Current.User;
var z = ClaimsPrincipal.Current;
return new string[] { "value1", "value2" };
}
// GET api/values/5
public string Get(int id)
{
return "value";
}
// POST api/values
public void Post([FromBody]string value)
{
}
// PUT api/values/5
public void Put(int id, [FromBody]string value)
{
}
// DELETE api/values/5
public void Delete(int id)
{
}
}
Oh yeah, I added a model....
public class Employee
{
public System.Guid EmployeeUUID { get; set; }
public string SSN { get; set; }
public string LastName { get; set; }
public string FirstName { get; set; }
public System.DateTime? CreateDate { get; set; }
public System.DateTime HireDate { get; set; }
}
So those are the main pieces (or download the code in the link to have it all).
I cannot figure out why I get a GenericPrincipal in the webapi custom authorizeattribute, but the mvc custom authorizeattribute works fine.
So if you get the download or work in my samples, the triggering mechanism is "bool invokeFormsAuthenticationTicketCode = true;" and alternating between true and false.
Hints: set breakpoints on the lines "issueWasHit = true;"....that is where the issue occurs (duh).
Here are my references/nuget packages in case of any version questions. The MVC4 app was created against DotNet FW 4.5.2
<Reference Include="Microsoft.CSharp" />
<Reference Include="System" />
<Reference Include="System.Data" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="System.Data.Entity" />
<Reference Include="System.Drawing" />
<Reference Include="System.Web.DynamicData" />
<Reference Include="System.Web.Entity" />
<Reference Include="System.Web.ApplicationServices" />
<Reference Include="System.ComponentModel.DataAnnotations" />
<Reference Include="System.Web.Extensions" />
<Reference Include="System.Web" />
<Reference Include="System.Web.Abstractions" />
<Reference Include="System.Web.Routing" />
<Reference Include="System.Xml" />
<Reference Include="System.Configuration" />
<Reference Include="EntityFramework">
<HintPath>..\packages\EntityFramework.5.0.0\lib\net45\EntityFramework.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Web.Infrastructure, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.Web.Infrastructure.1.0.0.0\lib\net40\Microsoft.Web.Infrastructure.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Web.Mvc.FixedDisplayModes, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.Mvc.FixedDisplayModes.1.0.0\lib\net40\Microsoft.Web.Mvc.FixedDisplayModes.dll</HintPath>
</Reference>
<Reference Include="Newtonsoft.Json">
<HintPath>..\packages\Newtonsoft.Json.4.5.11\lib\net40\Newtonsoft.Json.dll</HintPath>
</Reference>
<Reference Include="System.Net.Http">
</Reference>
<Reference Include="System.Net.Http.Formatting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.AspNet.WebApi.Client.4.0.20710.0\lib\net40\System.Net.Http.Formatting.dll</HintPath>
</Reference>
<Reference Include="System.Net.Http.WebRequest">
</Reference>
<Reference Include="System.Web.Helpers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebPages.2.0.20710.0\lib\net40\System.Web.Helpers.dll</HintPath>
</Reference>
<Reference Include="System.Web.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.AspNet.WebApi.Core.4.0.20710.0\lib\net40\System.Web.Http.dll</HintPath>
</Reference>
<Reference Include="System.Web.Http.WebHost, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<HintPath>..\packages\Microsoft.AspNet.WebApi.WebHost.4.0.20710.0\lib\net40\System.Web.Http.WebHost.dll</HintPath>
</Reference>
<Reference Include="System.Web.Mvc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.Mvc.4.0.20710.0\lib\net40\System.Web.Mvc.dll</HintPath>
</Reference>
<Reference Include="System.Web.Optimization">
<HintPath>..\packages\Microsoft.AspNet.Web.Optimization.1.0.0\lib\net40\System.Web.Optimization.dll</HintPath>
</Reference>
<Reference Include="System.Web.Providers">
<HintPath>..\packages\Microsoft.AspNet.Providers.Core.1.2\lib\net40\System.Web.Providers.dll</HintPath>
</Reference>
<Reference Include="System.Web.Razor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.Razor.2.0.20715.0\lib\net40\System.Web.Razor.dll</HintPath>
</Reference>
<Reference Include="System.Web.WebPages, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebPages.2.0.20710.0\lib\net40\System.Web.WebPages.dll</HintPath>
</Reference>
<Reference Include="System.Web.WebPages.Deployment, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebPages.2.0.20710.0\lib\net40\System.Web.WebPages.Deployment.dll</HintPath>
</Reference>
<Reference Include="System.Web.WebPages.Razor, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebPages.2.0.20710.0\lib\net40\System.Web.WebPages.Razor.dll</HintPath>
</Reference>
<Reference Include="System.Web.Http.Tracing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebApi.Tracing.4.0.0\lib\net40\System.Web.Http.Tracing.dll</HintPath>
</Reference>
<Reference Include="System.Web.Http.OData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.AspNet.WebApi.OData.4.0.0\lib\net40\System.Web.Http.OData.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Data.Edm, Version=5.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.Data.Edm.5.2.0\lib\net40\Microsoft.Data.Edm.dll</HintPath>
</Reference>
<Reference Include="Microsoft.Data.OData, Version=5.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\Microsoft.Data.OData.5.2.0\lib\net40\Microsoft.Data.OData.dll</HintPath>
</Reference>
<Reference Include="System.Spatial, Version=5.2.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
<Private>True</Private>
<HintPath>..\packages\System.Spatial.5.2.0\lib\net40\System.Spatial.dll</HintPath>
</Reference>
<Reference Include="System.Xml.Linq" />
<Reference Include="WebGrease">
<Private>True</Private>
<HintPath>..\packages\WebGrease.1.3.0\lib\WebGrease.dll</HintPath>
</Reference>
<Reference Include="Antlr3.Runtime">
<Private>True</Private>
<HintPath>..\packages\WebGrease.1.3.0\lib\Antlr3.Runtime.dll</HintPath>
</Reference>
Upvotes: 0
Views: 1378
Answers (1)
granadaCoder
Reputation: 27852
So the
protected void Application_PostAuthenticateRequest
method runs twice. Once for the MVC, once for the WebApi. The cookies are empty when the Application_PostAuthenticateRequest method runs for the WebApi.
The fix was to pass the cookies (or my specific cookie) to the WebApi call. (Note the/extra code revolving around CookieContainer )
Here is the Mvc passing (the specific) cookie to the WebApi
public class HomeController : Controller
{
public ActionResult Index()
{
/* the below is simulating a user-login... the main-thing is that it is setting a "FormsAuthentication.FormsCookieName" cookie */
Employee e = new Employee();
e.SSN = "999-99-9999";
string serializedUser = JsonConvert.SerializeObject(e,
Formatting.None,
new JsonSerializerSettings()
{
ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore
});
/* so the point here is to just throw something in the "FormsAuthentication.FormsCookieName" cookie */
FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
1,
e.SSN,
DateTime.Now,
DateTime.Now.AddMinutes(15),
false,
serializedUser);
string encTicket = FormsAuthentication.Encrypt(authTicket);
HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
Response.Cookies.Add(faCookie);
/* cookie is in place, now redirect */
return RedirectToAction("MyHomeControllerAlternateActionResult");
}
[MyCustomMvcAuthorizeAttribute]
public ActionResult MyHomeControllerAlternateActionResult()
{
IEnumerable<string> modelViaWay1 = null;
////////IEnumerable<string> modelViaWay2 = null;
////////IEnumerable<string> modelViaWay3 = null;
string json = string.Empty;
CookieContainer cookieContainer = new CookieContainer();
HttpClientHandler handler = new HttpClientHandler
{
UseCookies = true,
UseDefaultCredentials = true,
CookieContainer = cookieContainer
};
foreach (string cookiename in Request.Cookies)
{
if (cookiename.Equals(FormsAuthentication.FormsCookieName, StringComparison.OrdinalIgnoreCase))
{
var cookie = Request.Cookies[cookiename];
cookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, "localhost"));
}
}
using (var client = new HttpClient(handler))
{
string valuesControllerUrl = Url.RouteUrl(
"DefaultApi",
new { httproute = "", controller = "Values" }, /* ValuesController */
Request.Url.Scheme
);
modelViaWay1 = client
.GetAsync(valuesControllerUrl)
.Result
.Content.ReadAsAsync<IEnumerable<string>>().Result;
////////HttpResponseMessage response = client.GetAsync(valuesControllerUrl).Result;
////////json = response.Content.ReadAsStringAsync().Result;
////////modelViaWay2 = JsonConvert.DeserializeObject<IEnumerable<string>>(json);
////////modelViaWay3 = response.Content.ReadAsAsync<IEnumerable<string>>().Result;
}
return View(); /* this will throw a "The view 'MyHomeControllerAlternateActionResult' or its master was not found or no view engine supports the searched locations" error, but that's not the point of this demo. */
}
}
And now my Application_PostAuthenticateRequest looks normal again.
protected void Application_PostAuthenticateRequest(Object sender, EventArgs e)
{
HttpCookie authCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie != null)
{
/* we found the cookie set in the HomeController-Index (which simulates a user-successful login */
FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value);
Employee empFromCookie = JsonConvert.DeserializeObject<Employee>(authTicket.UserData);
if (null == empFromCookie)
{
throw new ArgumentNullException("Employee did not serialize from Cookie correctly.");
}
/* so we know the simulation of the user-login "passed" because the cookie exists..lets set the MyCustomClaimsPrincipal */
MyCustomClaimsIdentity iid = new MyCustomClaimsIdentity(new GenericIdentity("I_Started_In_Application_PostAuthenticateRequest.MyCustomClaimsIdentity.invokeFormsAuthenticationTicketCode = true"));
MyCustomClaimsPrincipal princ = new MyCustomClaimsPrincipal(iid);
Thread.CurrentPrincipal = princ;
HttpContext.Current.User = princ;
}
}
Bottom Line.
When an MVC and WebApi are hosted (cohosted) in the same layer....cookies are not automatically sent to the WebApi. That was my issue.
Upvotes: 0
Related Questions
- ASP.NET Core Web API custom AuthorizeAttribute issue
- Webapi 2 custom authorisation does not execute the method
- Web API AuthorizeAttribute does not return custom response
- WebApi Custom Authorize Attribute not working
- WebAPI [Authorize] returning error when logged in
- custom AuthorizeAttribute should be failing but API runs
- Custom MVC AuthorizeAttribute for ASP.NET Web API
- WebApi custom authorization attribute not working
- Custom WebApi AuthorizeAttribute
- System.Web.Http.AuthorizeAttribute not recognizing custom role provider