Using Roles and Users together with [Authorize] attribute not working

  • Question

  • User882828011 posted

    I was asked to create an MVC application where I will have different authorizations for different AD groups and different users. For example, some of the controllers can only be accessed by some AD groups (ADMIN and SuperUser). Some other controllers can be accessed by anyone with Windows credentials. So I have <deny users="?"/> in my web.config, which allows non-anonymous users to access most of my controllers. For controllers I wanted to restrict access to the Admin and SuperUser groups, I decorated each of the controllers like this: [Authorize(Roles = "ADMIN, SuperUsers")]. Everything seems to work correctly, but now I would like to add a few users who are not part of ADMIN or SuperUser to have access to the same controllers that ADMIN and SuperUsers have access to, so I decorated the controller like this: [Authorize(Roles = "ADMIN, SuperUsers", Users = "user1, user2")]. Here is where it is not working: user1 or user2 get a 401 error when trying to access those restricted controllers. So my question is: what did I do wrong?

    Thank you in advance.

    Tuesday, August 11, 2020 9:21 PM

All replies

  • User-474980206 posted

    Probably the user name includes the domain.

    Tuesday, August 11, 2020 9:32 PM
  • User882828011 posted

    That is not the case. Using myself as a sample, whether I am in there or not, I don't have access either:

    [Authorize(Roles = "ADMIN, SuperUsers", Users = "me")]

    [Authorize(Roles = "ADMIN, SuperUsers")]

    Keep in mind these are AD (Active Directory) groups and users.
    Wednesday, August 12, 2020 12:05 PM
  • User882828011 posted
    I realized that I posted in the wrong forum and this post should have been posted in the Security section instead, and therefore I created a new post there. My apologies. Moderator, please remove this post if you like.
    Wednesday, August 12, 2020 1:13 PM
  • User882828011 posted
    This is what I tried:

    -- This works since myaccount is me:
    [Authorize(Users = "mydomain\\myaccount")]

    -- This does not work because I am not in any of those groups, which is understandable:
    [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers")]

    -- This should have worked but it did not, and I don't know why:
    [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers", Users = "mydomain\\myaccount")]

    Can some experts tell me why the third scenario did not work?
    Wednesday, August 12, 2020 2:41 PM
  • User882828011 posted
    Anyone? Any suggestions?
    Wednesday, August 12, 2020 4:07 PM
  • User-474980206 posted

    I don't know which authentication role provider you are using, but it's probably not loading the AD roles. One issue with AD roles: there may be too many to store in a cookie (I have hundreds of AD roles), so you may need to add the roles to the principal after the cookie is read. Use the after-authenticate event to read the AD and add the roles.

    Note: I create a whitelist of roles to load by my custom AD role provider (only the ones used by my apps), so they fit in the cookie.

    Wednesday, August 12, 2020 4:49 PM
  • User882828011 posted
    bruce - thank you for your reply. I did not know that I had to configure any provider, and I can't seem to find any provider listed in the web.config either. Is that why it did not work for me? I thought I just had to decorate my controller with an [Authorize] attribute and that's it. What am I missing in order to use the [Authorize] attribute? Here is one of the controllers that I have decorated with the [Authorize] attribute:

    [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers", Users = "mydomain\\myaccount")]
    public class DataAssignmentController : Controller
    {
    }
    Wednesday, August 12, 2020 5:08 PM
  • User-474980206 posted

    You need an identity role provider to load the roles. The default user manager comes with one. If you are just using Windows authentication, you will need to find or create one that supports AD, as one is not included.

    Google for creating an MVC custom role provider, then google for accessing the AD.

    Wednesday, August 12, 2020 6:07 PM
  • User882828011 posted
    Since this is an intranet site there is no login required, so do I still need to create an identity role provider to support AD?
    Wednesday, August 12, 2020 9:05 PM
  • User882828011 posted
    Implementing a custom role provider for Active Directory did not help, and I don't think I need it. I think I didn't explain my issue clearly, so let me try again. If I have these in my web.config then the site works correctly: everything is available to the defined roles and users, and I have access to the site because I (myaccount) am listed as a user. If I remove myself (delete this entry: ) then I get a 401 access denied error. So everything is good, but there are controllers in my site that are not available to the ADMIN, SuperUsers groups and 5 additional users, who are not in the ADMIN and SuperUsers groups, and I am one of those users. So I changed my web.config to look like below, and decorated the controllers that are only available for the ADMIN, SuperUsers groups and 5 additional users like below. I would expect DataAssignment to be available to me, but instead I get a 401 error, and this is my problem that I don't know why. ONLY the Users that are not seem to work and

    [Authorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers", Users="mydomain\\myaccount, mydomain\\user, mydomain\\user2, mydomain\\user3, mydomain\\user4")]
    public class DataAssignmentController : Controller
    {
    }

    I am in the hot seat to have this problem fixed, but I can't seem to explain why and what the fix is. Much appreciated. Edit: I am not sure why my posts are lumped together.
    Thursday, August 13, 2020 5:07 PM
  • User-474980206 posted

    MVC does not have built-in support for AD roles, just the principal. You need a custom role provider that will query for the roles and add them to the principal. Here is a simple implementation:

      https://gist.github.com/DamienBraillard/4dbd6aa2c56edf5a8e57c59b6e08da94

    Out of the box, MVC and Windows authentication only support [Authorize]. If some roles are supported, then you may have a custom authorize attribute.

    Thursday, August 13, 2020 10:26 PM
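An added example (not code from the thread or from the gist linked above) of the custom authorize attribute mentioned in this reply, for ASP.NET MVC 5 with Windows authentication: it grants access when the caller is in any listed role or is any listed user, whereas the stock System.Web.Mvc.AuthorizeAttribute requires both the Users list and the Roles list to match when both are set. The controller, group and account names are the thread's hypothetical ones; if your principal does not expose AD groups through IsInRole, the role provider from the reply still has to populate them, because this attribute only changes how the two lists are combined.

```csharp
// Added example (not from the thread): an MVC 5 authorize attribute that grants
// access when the caller is in ANY listed role OR is one of the listed users.
// The stock System.Web.Mvc.AuthorizeAttribute requires BOTH lists to match when
// both Roles and Users are set, so an account outside the groups gets 401.
// Names are compared case-insensitively against User.Identity.Name, which under
// Windows authentication is "DOMAIN\account", so list users in that form.
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RolesOrUsersAuthorizeAttribute : AuthorizeAttribute
{
    // Split the comma-separated list the attribute receives, ignoring blanks.
    private static string[] Split(string list) =>
        (list ?? string.Empty)
            .Split(',')
            .Select(s => s.Trim())
            .Where(s => s.Length > 0)
            .ToArray();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        IPrincipal user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        string[] users = Split(Users);
        string[] roles = Split(Roles);

        // No lists at all: behave like plain [Authorize] (any authenticated caller).
        if (users.Length == 0 && roles.Length == 0)
            return true;

        // Explicitly listed account, e.g. "mydomain\\myaccount".
        if (users.Contains(user.Identity.Name, StringComparer.OrdinalIgnoreCase))
            return true;

        // Member of any listed group; a WindowsPrincipal answers IsInRole from
        // the group SIDs in the logon token, e.g. "mydomain\\ADMIN".
        return roles.Any(user.IsInRole);
    }
}

// Usage on the controller from the thread (hypothetical names).
[RolesOrUsersAuthorize(Roles = "mydomain\\ADMIN, mydomain\\SuperUsers",
                       Users = "mydomain\\myaccount, mydomain\\user2")]
public class DataAssignmentController : Controller
{
    public ActionResult Index() => View();
}
```

Because the attribute derives from AuthorizeAttribute, a failed check still goes through HandleUnauthorizedRequest and produces the same 401 the thread describes, so a denied request looks identical in the IIS logs either way.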