Error after configuring Authorization on Web.config

I'm having trouble accessing the MVC application right after setting up Web.config to authenticate with the Windows user. The error occurs when I enable the following lines:

<authentication mode="Windows" />
<authorization>
  <allow users="maquinaLocal\usuario"/>
  <deny users="?" />
</authorization>

And when executing the application the following error occurs:

Server Error in Application '/'. Access denied. Description: Error accessing the resources needed to fulfill this request. Maybe the server is not configured to access the required URL.

For reference, my Home controller looks like this:

using System.Security.Principal;
using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult Index()
    {
        // Note: without impersonation, WindowsIdentity.GetCurrent() is the identity of the
        // worker process, not of the authenticated caller (that one is User.Identity).
        var windowsIdentity = WindowsIdentity.GetCurrent();
        if (windowsIdentity != null)
            ViewBag.User = windowsIdentity.Name;

        return View();
    }
}

And when I comment out the authorization section of Web.config, the application works normally.

<!--<authorization>
  <allow users="maquinaLocal\usuario"/>
  <deny users="?" />
</authorization>-->

What can it be?

1 answer

Your setup is wrong. This doesn’t even work:

<allow users="maquinaLocal\usuario"/>

The configuration below:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

It says that all unauthenticated users must be denied access; everyone else may access everything.

In MVC, there is an attribute for authentication called AuthorizeAttribute. Each controller that requires authentication should be annotated with it. For example:

[Authorize]
public class TestesController : Controller
{ ... }

Of course, this attribute is of little use if you are using Active Directory to allow or block users. One of the things I did in an application of mine was to rewrite the authorization attribute to check either the structure of Active Directory itself or the database. For example:

using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class ActiveDirectoryAuthorizeAttribute : AuthorizeAttribute
{
    // Groups that are always accepted, plus any passed to the constructor
    private String[] _permissoes = new String[] { "GrupoDaTI" };
    public ActiveDirectoryUserViewModel ActiveDirectoryInfo;

    public ActiveDirectoryAuthorizeAttribute(params String[] permissoes)
    {
        _permissoes = _permissoes.Concat(permissoes).ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Not authenticated at all: there is nothing to look up in AD
        if (!base.AuthorizeCore(httpContext))
            return false;

        // ActiveDirectoryHelper and ActiveDirectoryUserViewModel are defined in the linked answer
        ActiveDirectoryInfo = ActiveDirectoryHelper.GetADUserByLogin(httpContext.User.Identity.Name);
        if (ActiveDirectoryInfo == null || ActiveDirectoryInfo.Groups == null)
            return false;

        var grupos = ActiveDirectoryInfo.Groups.Select(g => g.DisplayName).ToList();

        // Filter instances are shared between requests, so create the context per call rather than keeping it in a field
        using (var contexto = new MeuProjetoContext())
        {
            return contexto.GrupoUsuario.Any(s => grupos.Contains(s.Grupo.Nome));
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("/NaoAutorizado");
    }
}

This is an example of how it can be done. Another thing you can do is store the Security Identifiers (SIDs) from Active Directory that may have access to a certain point in the application.

ActiveDirectoryInfo and ActiveDirectoryHelper can be found in this answer.
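A concrete form of that SID-based check, written as an added example rather than the answerer's code: a hypothetical SidAuthorizeAttribute that accepts a request only when one of the group SIDs in the caller's Windows token appears on an allow-list. The SID strings are constructed placeholders (S-1-5-32-544 is the well-known Builtin Administrators SID); in a real application they would come from configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: authorizes a Windows-authenticated caller only when the
// token carries one of the allowed group SIDs. Usage: [SidAuthorize("S-1-5-32-544")]
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public sealed class SidAuthorizeAttribute : AuthorizeAttribute
{
    private readonly HashSet<SecurityIdentifier> _allowed;

    // Assumption: the SID strings are loaded from configuration, not hard-coded per controller.
    public SidAuthorizeAttribute(params string[] allowedSids)
    {
        _allowed = new HashSet<SecurityIdentifier>(
            allowedSids.Select(s => new SecurityIdentifier(s)));
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Let the base class reject anonymous callers first (deny users="?" semantics).
        if (!base.AuthorizeCore(httpContext))
            return false;

        // Only a Windows token exposes group SIDs; any other identity type is rejected.
        var identity = httpContext.User.Identity as WindowsIdentity;
        if (identity == null || identity.Groups == null)
            return false;

        return IsAllowed(identity.Groups);
    }

    // Separated from AuthorizeCore so the decision can be unit-tested without an HttpContext.
    public bool IsAllowed(IEnumerable<IdentityReference> groups)
    {
        return groups.OfType<SecurityIdentifier>().Any(_allowed.Contains);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not permitted: answer 403 instead of re-prompting for credentials.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Comparing SIDs rather than display names avoids the ambiguity of a renamed group, since the SID stays constant when the group name changes.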
