I'll make this post short and get straight to the seriousness of the situation. Our application has the concept of "Organizations" which are comprised of "Members". We recently found a huge security flaw in our application. If a Member that does not belong to a specific Organization (but is logged into the application) gets access to a URL for any of that Organization's pages, he/she can access that page.
Is there something built into .NET Core 3.0 or Web API that would allow us to stop users from being able to access Organization pages that user is not a Member of? The only way I can think to do it is check if the Member (based on their MemberId) belongs to the Organization (based on OrganizationId). However, that check would have to be added to every single API controller. There has to be a better way! Any help is appreciated...
Decided that I am going to:
1) Create a custom exception
2) Throw it in a base repo class that all of my derived classes are inheriting from
3) Propagate it up and catch it at the base controller class using an ActionFilter
4) Return 403 (w/ custom exception error message) to user (Angular)
5) Have the Angular HTTP interceptor handle the error message, meaning show to user
If anyone has a better idea please let me know.
Related
I am using C# Razor in order to make a social network. There are wepages that contain sensible data and I don't want someone to go to that url and see it. Not even by going to the Inspect Element and open it through there. So is there a way to warn the user that "This web page is not allowed"?
You have to implement authentication and authorization in order to control who can actually access any given route in an mvc application. I can only recommend that you start by reading the official site www.asp.net/mvc/overview/security about authorization and authentication.
With the proper authentication/authorization the server will simply not send any data, or you could redirect to a specific "not allowed page"
I agree with Louis, you should get this book here which helped me a ton. http://www.apress.com/9781430257523
The literal answer you are looking for concerns the use of authorization attributes you place above controller actions or controllers themselves. So an action might look like this
[Authorize]
public ActionResult UserAccount(Guid id){...}
By setting up authentication using ASP.Net Identity you will be able to automatically redirect visitors who are not logged in to another page etc.
Also if you need to make sure that the current logged in user is not going to (for example) another user's personal page (account settings?) you would do a simple check on the server side to prevent this. Something like so (Pseudo code)
if(User.Identity.GetUserId() != account.OwningUserId)
return RedirectToAction("404", "Shared");
On an existing host I've added Web API Models & Controllers. I've added the following four:
Products
Orders
Categories
Users
When someone accesses the localhost:port\api\products, it returns all the products in JSON format.
The Create, Update and Delete statements are completely disabled, so we are only able to use GET-requests on the API (so either \api\products for a list of all products or api\products\# for a single products with id #).
Because the other CRUD's aren't used, there isn't a lot of security that should be added to the Web API, except for one thing: The Users
These will also return emails and such, which would be better to keep private and unreadable without the proper authorization (without entire log-in pages, but a way to authenticate yourself when accessing the Web API in for example Android HttpGetRequests).
So, the question: How should I add authorization for only the UsersController accessed by the Web API.
And, how can I encrypt the JSON in C# and decrypt it in Android again. If this second part is too big to answer I'll make a new question later on, my main focus is the low-end [<- without log-in pages, so built in into the GET-request] authorization of the Web API's GET-request for Users.
Edit 1: I did found this link where a new project is made with Authorization Changed to Individual Users. I also see that the user is registered and then logged in with POST and GET requests.
The following questions came into mind when reading through this link:
How to change the Web API's Authorization to Individual Users on an existing project?
Our authorization is done through OAuth (mainly Google-account) with our work e-mail address. I guess it's not possible / easy to authorize in the same way as in the link with a Google-account on Web API GET-requests.
Edit 2: After using the first link provided by Vladimir Gondarev I've added the [Authorize] to both the Get methods in the UsersController. In my project everything else was already used before, like a class that uses the AuthorizeAttribute, so just adding the [Authorize] was already enough for the first step. Now in the browser I get an unauthorized (JSON) back when I'm not logged in, which is good.
The next step would be to add the OAuth-authorization to the Android app, but that is an entire new problem / question that I will look into first before asking a new stackoverflow-question.
The simplest solution would be "Basic Authentification". In order to to implement it you have to derive from AuthorizeAttribute and then apply it to a method or a controller.
Here you find further info:
What is basic Authentification:
http://www.asp.net/web-api/overview/security/basic-authentication
Implementation:
ASP.net Web API RESTful web service + Basic authentication
You don't have to encrypt anything as long as you use HTTPS transport.
I have an mvc application that I allow businesses to log in using
https://storea.mydomain.com https://storeb.mydomain.com etc etc
Each of the businesses has users created and I have a table that matches business ID to EmployeeId. I am trying to lock the application down so an authenticated user of businessA cant access information from BusinessB.
Where is the best place for me to be checking the user is allowed to access the subdomain? Do I override the OnActionExecuted action checking what the subdomain is then look at a session value to see if they match, if different log them out.
Or this there a more elegant way to do this?
Suggestions and advise on best practices would be great! thank you
A custom Authorize attribute seems a good place to perform this. You could override the AuthorizeCore method where you will have access to the HttpContext and you will be able to perform the custom authorization logic based on the subdomain.
As I understand it, your MVC application uses a single database to store the information for all the businesses you have. This is why you'd be worried about Bussines A accesing Bussines B information.
So for me, your database is the place to check which information can access each user depending on the business they belong to.
I think you don't even need to use subdomains for this.
In cases like these I use the repository pattern and in every query/data access you ensure you pass in a where clause that contains the business id.
ex:
select * from orders where orderid=#orderId and companyID=#companyId
It is very important to do this on the query as you want data rules in place to prevent improper querying. Doing this on an Authorize attribute for example doesn't guarantee someone hasn't tampered with data to load another company's information.
In addition I have the http://mvcsecurity.codeplex.com/ extensions to help secure ids stored on pages to help prevent tampering.
I'm creating my first ASP.NET MVC 3 app and I have a problem with creating class instance based on user role.
I have a Class called Account and it contains information about user accounts and few methods which allow me to manipulate(update) user account information. For example ChangeNickName, AddToGroup, RemoveFromGroup, Ban and so on.
As you can see problem with these methods is that I dont want to allow anyone to use AddToGroup or Ban method but only user with specified role (i'm using ASP.NET default role implementation system)
So I wonder is there a way I could add attribute [Authorize(Roles = "Admin")] to my AddTogroupMethod just like I use it on Controller methods
I know that with proper implementation of controllers I dont need something like this but I want to make sure that I dont allow anyone to make instance of class (or use specified methods by accident) if user is not part of specified role.
So for example if I by accident add access to AddToGroup method in user controller I would still be able to prevent them from exploiting bug because of attribute attached to this method
If I can't solve this problem with attributes is there a way to make VS to block me from debugging application if I make a call to AddToGroup method from xy class
If you have any ides how to make this working I'm open to suggestions
Than in advance
You should probably use the AuthorizeAttribute, however you can check the role of a current user in code using Roles.UserIsInRole.
There's a little info on this in MVC here (the assembly seems to have changed between 3.5/4.0):
asp.net mvc -> Roles.IsUserInRole(username,role)
I have an existing community backend and I like to use Umbraco for my presentation layer. How can I implement login/logout with .Net forms authentication? (I don't want to use the Member functionality). I have different type of users that get's access to different type of pages. How can I control this? User control?
Umbraco uses the ASP.NET member / role provider model for it's membership system, and it's a pretty straightforward step to swap the default one out for your own implementation. I've done this in the past where I wanted to authenticate members against an Active Directory store but I can't imagine it being much more difficult to authenticate against a custom database.
The benefit from this is you get full integration with the Umbraco membership system, and by using a custom role provider, editors will be able to restrict pages using the built in page-editing facilities as opposed to you having to hook in your own security controls.
You should be able to create a simple membership provider by extending the UmbracoMembershipProvider class and overriding the ValidateUser method. I haven't done this myself, but I know of others who have.
To authenticate against a custom role provider, you'll need to create a class derived from RoleProvider. The methods you'll be interested in overriding are - IsUserInRole, FindUsersInRole, GetAllRoles and GetRolesForUser.
Here's a link to a Scott Guthrie blog post which has more information on the provider API than you'll ever need to know, including the source code for the default providers.
I've used two approaches on my umbraco sites. Both approaches include user controls for login and logout that are responsible for authenticating a user with a custom solution and clearing credentials respectively. I also add, for both approaches, an umbracoMembersOnly attribute to any document types that I want to protect.
In the first approach, I had each individual template check to see whether or not the user was restricted from access. To abstract this, I created a siteuser class with an isMember or isLoggedIn method that was available site-wide and could be called from either an XSLT or User Control macro. The benefit to this approach is that I could tailor custom messages on each template rather than merely providing the same access denied page.
The second approach - which is the one I favor now - if to create a Permissions macro that is responsible for checking the user's right to access any page (i.e. checks for an umbracoMembersOnly attribute and, if true, checks for a session variable). This macro gets included in the master template, and so executes on every template. If the user doesn't have permission to access the current page, I redirect to the same page but with an ?alttemplate=RestrictedPage or similar appended to the query string. (Make sure that your Permissions macro checks for an alttemplate=RestrictedPage in the query string, or you'll end up in an infinite loop of redirects.)
You can checkout http://osMemberControls.codeplex.com