Error after setting up authorization in Web.config

2

I'm having trouble accessing the MVC application shortly after making the configuration in Web.config to do the authentication with the Windows user. The error occurs when I enable the following lines:

<authentication mode="Windows" />
<authorization>
  <allow users="maquinaLocal\usuario"/>
  <deny users="?" />
</authorization>

And when running the application the following error occurs:

Server Error in Application '/'. Access denied.   Description: An error occurred while accessing the resources needed to fulfill this request. Maybe the server is not configured to access the required URL.

Remembering that my Home controller looks like this:

public ActionResult Index()
{
    // Identity of the thread running the request (the app-pool account unless
    // impersonation is enabled); User.Identity holds the authenticated caller.
    var windowsIdentity = WindowsIdentity.GetCurrent();
    if (windowsIdentity != null)
        ViewBag.User = windowsIdentity.Name;

    return View();
}

And when I comment out the "authorization" section of Web.config, the application works normally.

<!--<authorization>
  <allow users="maquinaLocal\usuario"/>
  <deny users="?" />
</authorization>-->

What can this be?

asked by anonymous 31.08.2015 / 21:59

1 answer

1

Your configuration is wrong. This does not even work:

<allow users="maquinaLocal\usuario"/>

The configuration below:

<authentication mode="Windows" />
<authorization>
  <deny users="?" />
</authorization>

Says that any unauthenticated user should be denied access. The rest can have access to everything.

In MVC, to perform authentication, there is an attribute called AuthorizeAttribute. Each Controller that needs authentication must be annotated with it. For example:

[Authorize]
public class TestesController : Controller
{ ... }

Of course this attribute is of little use if you are using Active Directory to allow or block users. One of the things I did in one application of mine was to rewrite the authorization attribute by checking either the Active Directory structure itself, or the database. For example:

using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true)]
public class ActiveDirectoryAuthorizeAttribute : AuthorizeAttribute
{
    // Default group plus any groups passed to the constructor (not consulted by AuthorizeCore below).
    private String[] _permissoes = new String[] { "GrupoDaTI" };
    public ActiveDirectoryUserViewModel ActiveDirectoryInfo;
    private MeuProjetoContext contexto = new MeuProjetoContext();

    public ActiveDirectoryAuthorizeAttribute(params String[] permissoes)
    {
        _permissoes = _permissoes.Concat(permissoes).ToArray();
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore checks that the caller is authenticated (and any Users/Roles set on the attribute).
        var baseReturn = base.AuthorizeCore(httpContext);
        if (!baseReturn)
            return false;

        // Look the caller up in Active Directory and collect the names of its groups.
        ActiveDirectoryInfo = ActiveDirectoryHelper.GetADUserByLogin(httpContext.User.Identity.Name);
        var grupos = ActiveDirectoryInfo.Groups.Select(g => g.DisplayName).ToList();

        // Authorized if any of the caller's groups is registered in the database.
        var permissoesUsuario = contexto.GrupoUsuario.Any(s => grupos.Contains(s.Grupo.Nome));

        return permissoesUsuario;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new RedirectResult("/NaoAutorizado");
    }
}

This is an example of how it can be done. Another thing you can do is to store Active Directory Security Identifiers that can have access to a particular point in the application.

ActiveDirectoryInfo and ActiveDirectoryHelper can be found in this answer.

31.08.2015 / 22:12
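As an added example (not part of the original answer or its project), a variant of the custom attribute that checks group membership against the Windows token already attached to the request via WindowsPrincipal.IsInRole, so it needs neither the AD helper nor a DbContext held in the cached filter instance; the attribute name and the `maquinaLocal\GrupoDaTI` group are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: usage is [WindowsGroupAuthorize(@"maquinaLocal\GrupoDaTI")].
// MVC caches filter instances, so all state is immutable and per-request data stays local.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = true)]
public sealed class WindowsGroupAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string[] _grupos;

    public WindowsGroupAuthorizeAttribute(params string[] grupos)
    {
        _grupos = grupos ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore enforces IsAuthenticated plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // With <authentication mode="Windows" /> the request principal is a WindowsPrincipal;
        // anything else means Windows authentication is not in effect, so fail closed.
        var principal = httpContext.User as WindowsPrincipal;
        if (principal == null)
            return false;

        // IsInRole resolves "DOMAIN\Group" (or a well-known SID string) against the token's groups,
        // so no round trip to the directory is needed per request.
        return _grupos.Any(g => principal.IsInRole(g));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Not logged in: 401 so the browser completes Windows authentication.
        // Logged in but not in an allowed group: 403 instead of another login prompt.
        if (!filterContext.HttpContext.User.Identity.IsAuthenticated)
            base.HandleUnauthorizedRequest(filterContext);
        else
            filterContext.Result = new HttpStatusCodeResult(403);
    }
}
```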