I have developed an asp.net mvc site and trying to use antiforgerytoken in Ajax post.
I can include antiforgerytoken in the ajax request and setup that in my controller.
However, when webapp is running and I inspect browser, I can modify the __RequestVerificationToken variable before I pass it to the server.
In this example, initially it was:
__RequestVerificationToken: "_C9FNX_hWGQ7kndoTNZS7f-s4j44GHKQpWMnAf-862GVKleXSC…_zXqMdgXNME9uIYQy4cI0k-B5EW73oXbfys9Dmkt1vWJA2oA1"
But I manipulated it and changed its value to:
__RequestVerificationToken: "yyy"
My controller function receives __RequestVerificationToken without any problem, even that it was manipulated.
[System.Web.Mvc.HttpPost]
[ValidateAntiForgeryToken]
public IHttpActionResult GrabaResolucionCiudadano([FromBody] BE_Resolucion c)
{
BL_Resolucion b = new BL_Resolucion();
try
{
c = FillDatosPrevio(c);
if (ModeloValido)
{
b.SaveData(c);
}
}
catch (Exception ex)
{
throw ex;
}
finally
{
b.Dispose(); b = null;
}
}
How should antiforgerytoken be used?
Related
Scenario
Hi I have command API controller written in ASP.Net core 2.2. Controller inherited from ControllerBase and has attribute ApiController. I would like to add Location header. I have also query odata controller. Odata version: 7.2.2.
Odata codes:
My Odata controller:
[ODataRoutePrefix("categories")]
public class ODataCategoriesController : ODataController
Odata Get action:
[EnableQuery]
[ODataRoute("{id}")]
public async Task<ActionResult<Category>> GetAsync(Guid id)
Startup
opt.EnableEndpointRouting = false;
...
app.UseHttpsRedirection();
app.UseMvc(options =>
{
options.EnableDependencyInjection();
options.Select().Filter().OrderBy().Count().Expand().MaxTop(100).SkipToken();
options.MapODataServiceRoute("odata", "api/odata", GetExplicitEdmModel());
});
Tried
I've tried using CreatedAtAction but I received: InvalidOperationException: No route matches the supplied values.
In my POST controller:
return CreatedAtAction("Get", "ODataCategories", new { id= categoryResponse.Id }, categoryResponse);
Tried 2
I have also tried with return Location header manually. But I recieved:
Header is not present in response.
Code
[HttpPost]
[ProducesResponseType((int)HttpStatusCode.Created)]
[ProducesResponseType((int)HttpStatusCode.BadRequest)]
public async Task<ActionResult<CreateCategoryResponse>> PostCategory(
[FromBody]CreateCategoryCommand createCategoryCommand)
{
CreateCategoryResponse categoryResponse =
await _mediator.Send(createCategoryCommand);
if (categoryResponse == null)
{
return BadRequest();
}
HttpContext.Response.Headers["Location"] =
$"SomeBuiltLocation";
return Created("", categoryResponse);
}
Summary
I am looking for solution which enable me to include Location header. It does not matter if it be with CreatedAt or by hand.
Should be able to create it by hand as well.
[HttpPost]
[ProducesResponseType((int)HttpStatusCode.Created)]
[ProducesResponseType((int)HttpStatusCode.BadRequest)]
public async Task<ActionResult<CreateCategoryResponse>> PostCategory(
[FromBody]CreateCategoryCommand createCategoryCommand) {
CreateCategoryResponse categoryResponse =
await _mediator.Send(createCategoryCommand);
if (categoryResponse == null) {
return BadRequest();
}
var result = new CreatedResult("SomeBuiltLocation", categoryResponse);
return result;
}
edit:background on project. This was project was created following the concepts from the tutorials here on data access with razor pages https://learn.microsoft.com/en-us/aspnet/core/data/ef-rp/?view=aspnetcore-2.2. i did not do views or controllers so I currently do not have any actions i can redirect to. do i need to add a controllers folder?
When I save changes to my edit of the model subcategories, I want to go back to the categories page. Normally, this would be fine with a simple RedirectToPage("/index").
That doesn't work here because my index OnGet uses a string ID to filter through the the subcategories (which feels like I'm probably doing that wrong... but it works). Below is what I currently have and it obviously doesn't work:
Edit - OnPost:
public async Task<IActionResult> OnPostAsync()
{
if (!ModelState.IsValid)
{
return Page();
}
_context.Attach(Subcategory).State = EntityState.Modified;
try
{
await _context.SaveChangesAsync();
}
catch (DbUpdateConcurrencyException)
{
if (!SubcategoryExists(Subcategory.SubcategoryId))
{
return NotFound();
}
else
{
throw;
}
}
return RedirectToPage("./Index", "?id" , Subcategory.CategoryName);
}
Index - OnGet:
public async Task OnGetAsync(string id)
{
title = id;
Subcategory = await _context.Subcategory.ToListAsync();
foreach (Subcategory item in Subcategory.ToList())
{
if (item.CategoryName != id)
{
Subcategory.Remove(item);
}
}
}
Can anyone tell me how to properly route the OnPost of my edit razor page to the OnGet of my index razor page?
I've tried to do some research on handlers but I couldn't find a good understandable definition of how to do this.
It is a bit hard to see where you have hooked stuff up, as you have only provided the methods.
Given that OnGetAsync(string id) if mapped to /index you could use something like:
return RedirectToAction("Index", new { id = Subcategory.CategoryName.ToString() });
I would also suggest that you call your methods the same as the endpoint. So if OnGetAsync is your index endpoint. Then call it Index.
Hopefully this helps you, or else you need to provide me with more code.
the fix to the problem without building a controller was pretty much what Kristian Barrnet was saying:
return RedirectToPage("./Index", new { id = Subcategory.CategoryName.ToString() });
however, I should probably add some controllers here anyway to make this a lot more organized
In my application I have a set of errors that are "expected" and thus they shouldn't redirect the user to a full error page when they occur. For example, I would like to show the error message in a red box above the current page.
I can easily catch an error on a model action and show the message on the current view, but I was wondering how to do it globally.
I tried a custom middleware with TempData and a filter with ModelState, but can't wrap my head around how to actually pass the error data back to the current page.
This works for a single model (setting the error data in TempData):
public async Task<IActionResult> OnPost() {
try {
// methodThatThrows
}
catch (ApplicationError e) {
TempData["Error"] = e.Message;
return RedirectToPage("Current_Page");
}
return RedirectToPage("Other_Page");
}
For some reason, this doesn't work (in a global middleware), as TempData is empty when the redirect completes. Also setting the middleware doesn't really work with showing the other, more critical errors in the normal error page:
public class ApplicationErrorMiddleware {
private readonly RequestDelegate _next;
private readonly ITempDataDictionaryFactory _tempFactory;
public ApplicationErrorMiddleware(RequestDelegate next, ITempDataDictionaryFactory tempFactory) {
_next = next;
_tempFactory = tempFactory;
}
public async Task InvokeAsync(HttpContext httpContext) {
try {
await _next(httpContext);
}
catch (ApplicationError ex) {
HandleError(httpContext, ex);
}
}
private void HandleError(HttpContext context, ApplicationError error) {
var tempData = _tempFactory.GetTempData(context);
tempData.Add("Error", error.Message);
context.Response.Redirect(context.Request.Path);
}
}
By the tip of #hiiru, I went through a wild goose chase through the configuration options to find a working solution.
My issue was a missing call from the middleware HandleError-method:
private void HandleError(HttpContext context, ApplicationError error) {
var tempData = _tempFactory.GetTempData(context);
tempData.Add("Error", error.Message);
tempData.Save(); // this call was missing
context.Response.Redirect(context.Request.Path);
}
After popping that in there, the tempdata is sent with the redirection back to the original page. Note that this is using the default cookie-based temp data, so no specific configuration is needed.
Now, this works, but it might not be the best way to do this.
I am writing an MVC4 app, and in the controller, I need to be able to make a call to a web service to access the iTunes search service in order to get some cover art for a DVD.
I have the following very simple code
public static string GetAlbumArt(Movie movie) {
Task<string> lookupTask = LookupAlbumArt(movie.Title, movie.Year);
lookupTask.Wait(5000);
if (lookupTask.IsCompleted)
{
return lookupTask.Result;
}
else
{
return Timeout;
}
}
private static async Task<string> LookupAlbumArt(string title, int year)
{
using (var client = new HttpClient())
{
string response= await client.GetStringAsync(
"http://itunes.apple.com/search?term=hoosiers&media=movie"
);
return response;
}
}
When I run this and set breakpoints at the return Timeout line in GetAlbumArt and also at the return response line in LookupAlbumArt, the Timeout breakpoint is hit first, and then the LookupAlbumArt return statement is hit, and the correct content is in the response variable.
If I remove the timeout parameter from lookupTask.Wait(5000), the wait GetStringAsync call never returns, and the page never loads.
This feels like a pretty straightforward task, and I'm stumped as to what I'm doing wrong.
I have an intranet application setup with windows authentication. Like in most applications, certain parts of the application are accessible to specific roles only. When a user not in desired role would try to access that area, he should be shown a friendly "You do not have permission to view this page" view.
I searched and looked at several resources that guides to extend the Authorize Attribute. I tried that approach, but it simply doesn't work. I still get the IIS error message and the breakpoint in this custom attributes never gets hit. The breakpoint in my extended attibute doen't get hit even when a user in role visits the page. So, I am wondering if I am missing anything ?
This is what I have -
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AuthorizeRedirect : AuthorizeAttribute
{
private const string IS_AUTHORIZED = "isAuthorized";
public string RedirectUrl = "~Areas/Errors/Http401";
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
bool isAuthorized = base.AuthorizeCore(httpContext);
httpContext.Items.Add(IS_AUTHORIZED, isAuthorized);
return isAuthorized;
}
public override void OnAuthorization(AuthorizationContext filterContext)
{
base.OnAuthorization(filterContext);
var isAuthorized = filterContext.HttpContext.Items[IS_AUTHORIZED] != null ? Convert.ToBoolean(filterContext.HttpContext.Items[IS_AUTHORIZED]) : false;
if(!isAuthorized && filterContext.RequestContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.RequestContext.HttpContext.Response.Redirect(RedirectUrl);
}
}
}
CONTROLLER -
[AuthorizeRedirect]
[HttpPost, ValidateInput(true)]
public ActionResult NewPart(PartsViewModel vmodel) {..}
Any ideas?
Thanks
I think you could use custom error pages instead. Use AuthorizeAttribute to restrict access by callers to an action method.
[Authorize (Roles="Editor, Moderator", Users="Ann, Gohn")]
public ActionResult RestrictedAction()
{
// action logic
}
Then you could use one of the ways those are proposed by #Marco. I like handle HTTP status code within Application_EndRequest. So, it is possible to solve your problem using by following:
protected void Application_EndRequest()
{
int status = Response.StatusCode;
if (Response.StatusCode == 401)
{
Response.Clear();
var rd = new RouteData();
rd.DataTokens["area"] = "Areas";
rd.Values["controller"] = "Errors";
rd.Values["action"] = "Http401";
IController c = new ErrorsController();
c.Execute(new RequestContext(new HttpContextWrapper(Context), rd));
}
}
To clearly specifiey what happens to an existing response when the HTTP status code is an error, you should use existingResponse attribute of <httpErrors> element in your configuration file. If you want to the error page appears immediately, then use Replace value, in otherwise - PassThrough (see details in my issue).