After researching FormsAuthentication for a few days, I decided to store a serialized object in the FormsAuth cookie's UserData property and use a custom IPrincipal object for the HttpContext.Current.User.
Most of the guides I've found say to cast the IPrincipal object to your object. I get an invalid cast exception every time though. What am I doing wrong?
MyUserData
public class MyUserData
{
public long UserId { get; set; }
public string Username { get; set; }
public bool IsSuperUser { get; set; }
public string UnitCode { get; set; }
public string EmailAddress { get; set; }
public List<string> Roles { get; set; }
// Serialize
public override string ToString()
{
JavaScriptSerializer serializer = new JavaScriptSerializer();
string result = serializer.Serialize(this);
return result;
}
// Deserialize
public static MyUserData FromString(string text)
{
JavaScriptSerializer serializer = new JavaScriptSerializer();
return serializer.Deserialize<MyUserData>(text);
}
}
CustomPlatformPrincipal
public class MyCustomPrincipal : IPrincipal
{
public MyUserData MyUserData { get; set; }
public IIdentity Identity { get; private set; }
public MyCustomPrincipal(MyUserData myUserData)
{
MyUserData = myUserData;
Identity = new GenericIdentity(myUserData.Username);
}
public bool IsInRole(string role)
{
return MyUserData.Roles.Contains(role);
}
}
Global.asax.cs
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
HttpCookie authCookie = Context.Request.Cookies[FormsAuthentication.FormsCookieName];
if (authCookie == null || authCookie.Value == "")
{
return;
}
FormsAuthenticationTicket authTicket;
try
{
authTicket = FormsAuthentication.Decrypt(authCookie.Value);
}
catch
{
return;
}
if (Context.User != null)
{
// the from string deserializes the data
MyUserData myUserData = MyUserData.FromString(authTicket.UserData);
Context.User = new MyCustomPrincipal(myUserData);
}
}
My Page
var myUserData = ((MyCustomPrincipal)(HttpContext.Current.User)).MyUserData;
// invalid cast exception (can't cast IPrincipal to MyCustomPrincipal)
Article I was following: http://primaryobjects.com/CMS/Article147.aspx
So it seems the only way I could get my data is to decrypt the auth cookie, then deserialize the authCookie's userData string.
Any suggestions?
Update
Tried following the suggestions on this SO question: Implementing a Custom Identity and IPrincipal in MVC
Code is below, but it didn't work.
[Serializable]
public class MyCustomPrincipal : IPrincipal, ISerializable
{
public CustomUserData CustomUserData { get; set; }
public IIdentity Identity { get; private set; }
//public MyCustomPrincipal (IIdentity identity) { Identity = identity; }
public MyCustomPrincipal(CustomUserData customUserData)
{
CustomUserData = customUserData;
Identity = new GenericIdentity(customUserData.Username);
}
public bool IsInRole(string role)
{
return PlatformUserData.Roles.Contains(role);
}
public void GetObjectData(SerializationInfo info, StreamingContext context)
{
if (context.State == StreamingContextStates.CrossAppDomain)
{
MyCustomPrincipal principal = new MyCustomPrincipal (this.CustomUserData );
info.SetType(principal.GetType());
System.Reflection.MemberInfo[] serializableMembers;
object[] serializableValues;
serializableMembers = FormatterServices.GetSerializableMembers(principal.GetType());
serializableValues = FormatterServices.GetObjectData(principal, serializableMembers);
for (int i = 0; i < serializableMembers.Length; i++)
{
info.AddValue(serializableMembers[i].Name, serializableValues[i]);
}
}
else
{
throw new InvalidOperationException("Serialization not supported");
}
}
}
Did you run in the debug mode? You can put break point on HttpContext.Current.User, you will see what type the user was at that moment.
And from your Application_AuthenticateRequest method, there is no guarantee that the User will be your expected type. There are many exit points before reaching your custom type setup.
Even this code: Context.User != null. It was wrong with your expectation. I have not gone through the detail of the Context.User, however, in term of your context, you were expecting the Context.User was your custom user. So the valid check should be:
var custom = Context.Current as MyCustomPrinciple;
if(custom == null)
{
// Your construct code here.
}
My strongly suggestion is: you need to go in debug mode, to see exactly what was going on.
Related
I need to have different validation for the same object. So I thought to use Metadatatype to define the different rules the code is below:
public class ValidateObjectAttribute : ValidationAttribute
{
private readonly Type _validationMetaDataType;
public ValidateObjectAttribute(Type validationMetaDataType)
{
_validationMetaDataType = validationMetaDataType;
}
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
var modelType = value.GetType();
AssociatedMetadataTypeTypeDescriptionProvider associatedMetadataTypeTypeDescriptionProvider = null;
if (_validationMetaDataType != null)
{
associatedMetadataTypeTypeDescriptionProvider = new AssociatedMetadataTypeTypeDescriptionProvider(modelType, _validationMetaDataType);
TypeDescriptor.AddProvider(associatedMetadataTypeTypeDescriptionProvider, modelType);
}
var validationctx = new ValidationContext(value);
var results = new List<ValidationResult>();
Validator.TryValidateObject(value, validationctx, results, true);
if (associatedMetadataTypeTypeDescriptionProvider != null)
{
TypeDescriptor.RemoveProvider(associatedMetadataTypeTypeDescriptionProvider, modelType);
TypeDescriptor.Refresh(value);
}
if (results.Count == 0) return ValidationResult.Success;
return new ValidationResult($"Validation fail for prop: {validationContext.DisplayName}");
}
}
public class BarMetaData1
{
[Required]
public string BarField1;
[Required]
public string BarField2;
}
public class FooMetaData1
{
[Required]
public string FooField1;
[Required]
public string FooField2;
[Required, ValidateObject(typeof(BarMetaData1))]
public Bar FooObject1;
}
public class FooMetaData2
{
public string FooField1;
[Required]
public string FooField2;
[Required, ValidateObject(typeof(BarMetaData1))]
public Bar FooObject1;
}
public class BaseValidation
{
public bool IsValid(Type validationMetaDataType)
{
var modelType = this.GetType();
AssociatedMetadataTypeTypeDescriptionProvider associatedMetadataTypeTypeDescriptionProvider = null;
if (validationMetaDataType != null)
{
associatedMetadataTypeTypeDescriptionProvider = new AssociatedMetadataTypeTypeDescriptionProvider(modelType, validationMetaDataType);
TypeDescriptor.AddProvider(associatedMetadataTypeTypeDescriptionProvider, modelType);
TypeDescriptor.Refresh(this);
}
var validationctx = new ValidationContext(this);
var results = new List<ValidationResult>();
Validator.TryValidateObject(this, validationctx, results, true);
if (associatedMetadataTypeTypeDescriptionProvider != null)
{
TypeDescriptor.RemoveProvider(associatedMetadataTypeTypeDescriptionProvider, modelType);
}
return results.Count == 0;
}
}
public class Foo : BaseValidation
{
public string FooField1 { get; set; }
public string FooField2 { get; set; }
public Bar FooObject1 { get; set; }
}
public class Bar
{
public string BarField1 { get; set; }
public string BarField2 { get; set; }
}
the validation is call in this way:
public void Index()
{
Foo fooInstance = new Foo()
{
FooObject1 = new Bar()
};
fooInstance.IsValid(typeof(FooMetaData2));
fooInstance.IsValid(typeof(FooMetaData1));
Foo fooInstance2 = new Foo()
{
FooObject1 = new Bar()
};
fooInstance2.IsValid(typeof(FooMetaData2));
}
What is the issue:
first validation [fooInstance.IsValid(typeof(FooMetaData2))] is right (2 mandatory fields missing),
second validation call [fooInstance.IsValid(typeof(FooMetaData1))] the result is wrong (3 mandatory field missing but the code notify me only 2), it seems that the code apply the validation describe in FooMetaData2 class instead of FooMetaData1
Someone can explain to me why?
thanks
I solved using fluentValidator plugin
My requirement is to allow only a few properties to be used in OData $filter option. Here I have a student model, which contains a bunch of properties. I want only the 'name' property have the $filter capability enabled. But somehow it is not working. Can anybody please help me.
The following is my code
My model:
public class Student
{
public string Id { get; set; }
public string Name { get; set; }
public string AccessType { get; set; }
public string SortOrder { get; set; }
public string Status { get; set; }
}
My QueryValidator:
public class RestrictiveFilterByQueryValidator : FilterQueryValidator
{
static readonly string[] allowedProperties = { "name" };
public RestrictiveFilterByQueryValidator(DefaultQuerySettings defaultQuerySettings)
: base(defaultQuerySettings)
{
}
public override void ValidateSingleValuePropertyAccessNode(
SingleValuePropertyAccessNode propertyAccessNode,
ODataValidationSettings settings)
{
string propertyName = null;
if (propertyAccessNode != null)
{
propertyName = propertyAccessNode.Property.Name;
}
if (propertyName != null && !allowedProperties.Contains(propertyName))
{
throw new ODataException(
String.Format("Filter on {0} not allowed", propertyName));
}
base.ValidateSingleValuePropertyAccessNode(propertyAccessNode, settings);
}
public static implicit operator System.Web.Http.OData.Query.Validators.FilterQueryValidator(RestrictiveFilterByQueryValidator v)
{
throw new NotImplementedException();
}
}
My custom queryable attribute:
public class MyQueryableAttribute : QueryableAttribute
{
public override void ValidateQuery(HttpRequestMessage request, System.Web.Http.OData.Query.ODataQueryOptions queryOptions)
{
if (queryOptions.Filter != null)
{
queryOptions.Filter.Validator = new RestrictiveFilterByQueryValidator(new DefaultQuerySettings());
}
// HttpRequestMessage request, ODataQueryOptions queryOptions
base.ValidateQuery(request, queryOptions);
}
}
Finally my API controller method:
[MyQueryable]
public ActionResult<IEnumerable<Student>> GetAllStudent()
{
}
When I followed the above code, my normal $filter with valid properties also don't work as expected. I think I am missing something. Any help will be grateful.
Do not call the base implementation of the Validator if the property IS Valid.
It's not that obvious but the base implementation exists to format the error message in a standard way so you return nothing when it is valid and call the base only when it is NOT valid!
public override void ValidateSingleValuePropertyAccessNode(
SingleValuePropertyAccessNode propertyAccessNode,
ODataValidationSettings settings)
{
string propertyName = null;
if (propertyAccessNode != null)
{
propertyName = propertyAccessNode.Property.Name;
}
if (propertyName != null && !allowedProperties.Contains(propertyName))
{
base.ValidateSingleValuePropertyAccessNode(propertyAccessNode, settings);
}
}
public class Login : IHttpHandler, System.Web.SessionState.IRequiresSessionState
{
public void ProcessRequest(HttpContext context)
{
try
{
var jsonString = String.Empty;
using (var inputStream = new StreamReader(context.Request.InputStream))
{
jsonString = inputStream.ReadToEnd();
}
User user = JsonConvert.DeserializeObject<User>(jsonString);
BusinessEntities.LoginSession ls = new BusinessEntities.LoginSession();
ls = VerifyLoginCredentials(user.Username.Trim(), user.Password.Trim());
context.Session["user"] = null;
context.Session.Clear();
if (ls.isValid)
{
context.Session["user"] = ls;
context.Response.Write("1");
}
else
{
context.Response.Write("0");
}
}
catch (Exception ex)
{
context.Response.Write("0");
}
}
public bool IsReusable
{
get
{
return false;
}
}
}
There are lot of users logs in to the system using this method. sometimes after login session takes another sessions value.
Lets say User A and B logged in and User A send a request to get the product details but User A getting results of User B. This is strange. do i done something wrong ?
EDIT
public static BusinessEntities.LoginSession VerifyLoginCredentials(string username, string password)
{
return DAL.Creadentials.VerifyLoginCredentials(username, password);
}
public class LoginSession
{
public bool isValid { get; set; }
public string Username { get; set; }
public string NewId { get; set; }
public DateTime PasswordLastResetDate { get; set; }
}
I want to create a custom attribute using Glass Mapper for getting the Sitecore URL, because it is not possible to lazy load a property with SitecoreInfo(SitecoreInfoType.Url) and we have some performance issues loading URL of mapped items, where the URL will never be used.
Here is what I've got so far:
The Configuration
public class SitecoreUrlConfiguration : AbstractPropertyConfiguration
{
public SitecoreInfoUrlOptions UrlOptions { get; set; }
public bool IsLazy { get; set; }
}
The Attribute
public class SitecoreUrlAttribute : AbstractPropertyAttribute
{
public SitecoreUrlAttribute()
{
this.IsLazy = true;
this.UrlOptions = SitecoreInfoUrlOptions.Default;
}
/// <summary>
/// Gets or sets a value indicating whether is lazy.
/// </summary>
public bool IsLazy { get; set; }
public SitecoreInfoUrlOptions UrlOptions { get; set; }
public override AbstractPropertyConfiguration Configure(PropertyInfo propertyInfo)
{
var config = new SitecoreUrlConfiguration();
this.Configure(propertyInfo, config);
return config;
}
public void Configure(PropertyInfo propertyInfo, SitecoreUrlConfiguration config)
{
config.UrlOptions = this.UrlOptions;
config.IsLazy = this.IsLazy;
base.Configure(propertyInfo, config);
}
}
The Mapper
public class SitecoreUrlMapper : AbstractDataMapper
{
public override object MapToProperty(AbstractDataMappingContext mappingContext)
{
var context = mappingContext as SitecoreDataMappingContext;
if (context == null)
{
throw new MapperException("Mapping Context is null");
}
var item = context.Item;
var scConfig = this.Configuration as SitecoreUrlConfiguration;
if (scConfig == null)
{
throw new MapperException("SitecoreUrlConfiguration is null");
}
var urlOptions = Utilities.CreateUrlOptions(scConfig.UrlOptions);
urlOptions.Language = null;
// now, what?
}
}
So far, so good. But how can I lazy load the URL in the mapper? Does anyone have an idea?
The only way I actually see is to map a Lazy<T> and add a new property to the class which returns the value of this when accessing it. So in you mapper, where you put // now what? I would return the lazy string:
return new Lazy<string>(() => LinkManager.GetItemUrl(item, urlOptions));
Then in your model, put these two properties:
[SitecoreUrl]
public Lazy<string> LazyUrl { private get; set; }
[SitecoreIgnore]
public virtual string Url
{
get
{
return this.LazyUrl.Value;
}
}
You can achieve pretty similar to this with a bit of creativity and the new Delegate functionality
In the fluent configuration map the type like so:
SitecoreType<IWhatever> sitecoreType = new SitecoreType<IWhatever>();
sitecoreType.Delegate(y => y.Url).GetValue(GetLazyUrl);
private LazyString GetLazyUrl(SitecoreDataMappingContext arg)
{
var item = context.Item;
return new LazyString(
() =>
{
// the necessary actions to get the url
});
}
public class LazyString : Lazy<string>
{
public LazyString(Func<string> valueFactory) : base(valueFactory)
{
}
public override string ToString()
{
return Value;
}
public static implicit operator string(LazyString lazyString)
{
return lazyString.Value;
}
}
It's not a string, but for the purposes of many applications, will behave like one.
I have next (simplified) view model:
public class RegisterModel
{
public string UserName { get; set; }
[MustExistIf("SomeProperty", "some value", "SomeOtherProperty", ErrorMessage = "You have to select something")]
public string LastName { get; set; }
public AddressModel Address { get; set; }
}
public class AddressModel
{
public string Street { get; set; }
public string House { get; set; }
}
and I have custom validator
public class MustExistIfAttribute : ValidationAttribute, IClientValidatable
{
private string _masterName { get; set; }
private object _masterValue { get; set; }
private string _dependantName { get; set; }
public MustExistIfAttribute(string masterName, object masterValue, string dependantName)
{
this._masterName = masterName;
this._masterValue = masterValue;
this._dependantName = dependantName;
}
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
// get value of master property
var masValue = _getValue(validationContext.ObjectInstance, _masterName);
// get value of property whch depends on master property
var depValue = _getValue(validationContext.ObjectInstance, _dependantName);
if (masValue.Equals(_masterValue)) // if value in request is equal to value in specified in data annotation
{
if (depValue == null) // if dependant value does not exist
{
return new ValidationResult(FormatErrorMessage(validationContext.DisplayName));
}
}
return ValidationResult.Success;
}
public override bool IsValid(object value)
{
return base.IsValid(value);
}
public IEnumerable<ModelClientValidationRule> GetClientValidationRules(ModelMetadata metadata, ControllerContext context)
{
var modelClientValidationRule = new ModelClientValidationRule
{
ValidationType = "mustexistif",
ErrorMessage = FormatErrorMessage(metadata.DisplayName)
};
modelClientValidationRule.ValidationParameters.Add("mastername", this._masterName);
modelClientValidationRule.ValidationParameters.Add("mastervalue", this._masterValue);
modelClientValidationRule.ValidationParameters.Add("dependantname", this._dependantName);
yield return modelClientValidationRule;
}
private static object _getValue(object objectInstance, string propertyName)
{
...
}
}
I have next javascript (please neglect returning false in mustexitif method - it's just for test purposes)
(function () {
jQuery.validator.addMethod('mustexistif', function (value, element, params) {
var masterName = params['mastername'];
var masterValue = params['mastervalue'];
var dependantName = params['dependantname'];
return false;
});
var setValidationValues = function (options, ruleName, value) {
options.rules[ruleName] = value;
if (options.message) {
options.messages[ruleName] = options.message;
}
};
var $Unob = $.validator.unobtrusive;
$Unob.adapters.add("mustexistif", ["mastername", "mastervalue", "dependantname"], function (options) {
var value = {
mastername: options.params.mastername,
mastervalue: options.params.mastervalue,
dependantname: options.params.dependantname
};
setValidationValues(options, "mustexistif", value);
});
})();
It works as expected when I decorate LastName property of RegisterModel class with MustExistIf annotation (like in provided code).
But what I really want is to decorate complex Address property of RegisterModel with MustExistIf annotation. Problem is that when I do that no unobrusive adapter gets registered (javascript doing that IS NOT triggered).
So, there is difference when I decoreate simple and complex properties. My solution does not allow me to decorate properties of Address class (FYI, I tried that and then also validation is working fine). Is there a way to accomplish what I intended? Am I missing something? Woud solution be to validate on model level? But then is it possible to do client side validation?
Maybe you can use Remote Validation.
http://msdn.microsoft.com/en-us/library/gg508808%28v=vs.98%29.aspx