
IP based security for specific tenants/users #7739


razkhan78 created

Hi

We are trying to apply IP-based access for specific tenants/users. We tried the code below, but it seems to be firing for each request on the system.

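    app.Use(async (context, next) =>
    {
        var test = context.Request.Path;

        // Runs for every request that reaches this middleware.
        // The inner lambda is synchronous: Using<T> takes an Action<T>, so an
        // async lambda here would be async void and its exception would not
        // propagate to the pipeline.
        IocManager.Instance.Using<TenantManager>(tenantManager =>
        {
            if (!tenantManager.ValidateIPAddress())
            {
                throw new AbpAuthorizationException();
            }
        });

        await next.Invoke();
    });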
        

Is there any other, better approach available? Or can we override AbpMVCAuthorize?


5 Answer(s)
  • musa.demir created

    What code is inside your ValidateIPAddress method? Do you do IP restriction for the whole project or only for specific endpoints? If the user has IP authorization, will the application check the normal permissions or bypass them and authorize the user?

  • razkhan78 created

    "What is your ValidateIPAddress method code inside?" ==> It checks the allowed IP addresses for the user if that user is flagged to validate.

    "Do you do ip restriction for the whole project or only for specific endpoints?" ==> Whole

    "If the user has ip authorization, will the application check the normal permissions or bypass it and authorize user?" ==> It will check the rest of the permissions as is, but first we want to validate the IP address.

  • musa.demir created

    You can create an AuthorizationFilter like

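        using System;
        using System.Threading.Tasks;
        using Abp.AspNetCore.Mvc.Extensions;
        using Abp.AspNetCore.Mvc.Results;
        using Abp.Dependency;
        using Abp.Events.Bus;
        using Abp.Events.Bus.Exceptions;
        using Abp.Web.Models;
        using Castle.Core.Logging;
        using Microsoft.AspNetCore.Mvc;
        using Microsoft.AspNetCore.Mvc.Filters;

        public class AbpMvcIpBasedAuthFilter : IAsyncAuthorizationFilter, ITransientDependency
        {
            // Property-injected by ABP; defaults to a no-op logger.
            public ILogger Logger { get; set; } = NullLogger.Instance;

            private readonly IEventBus _eventBus;
            private readonly IErrorInfoBuilder _errorInfoBuilder;

            public AbpMvcIpBasedAuthFilter(IEventBus eventBus, IErrorInfoBuilder errorInfoBuilder)
            {
                _eventBus = eventBus;
                _errorInfoBuilder = errorInfoBuilder;
            }

            public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
            {
                // Check whether this request needs to be authorized.
                // ThisRequestNeedsToBeAuthorized is not defined here; you have to write it.
                if (!ThisRequestNeedsToBeAuthorized(context))
                {
                    return;
                }

                // This request needs to be authorized, so check the IP address.
                try
                {
                    // do your logic in here
                    // throw new AbpAuthorizationException("Your message");
                }
                catch (Exception ex)
                {
                    Logger.Error(ex.ToString(), ex);

                    _eventBus.Trigger(this, new AbpHandledExceptionData(ex));

                    if (ActionResultHelper.IsObjectResult(context.ActionDescriptor.GetMethodInfo().ReturnType))
                    {
                        // API-style actions get a JSON error with 403 or 401.
                        context.Result = new ObjectResult(new AjaxResponse(_errorInfoBuilder.BuildForException(ex)))
                        {
                            StatusCode = context.HttpContext.User.Identity.IsAuthenticated
                                ? (int)System.Net.HttpStatusCode.Forbidden
                                : (int)System.Net.HttpStatusCode.Unauthorized
                        };
                    }
                    else
                    {
                        context.Result = new StatusCodeResult((int)System.Net.HttpStatusCode.InternalServerError);
                    }
                }
            }
        }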
    

    And add it to the MVC filters in Startup.cs:

    ...
    services.Configure<MvcOptions>(mvcOptions =>
    {
        mvcOptions.Filters.AddService(typeof(AbpMvcIpBasedAuthFilter));
    });
    
    return services.AddAbp<AbpZeroTemplateWebMvcModule>(options =>
    ...
    

    To fill in the ThisRequestNeedsToBeAuthorized function, check this: AbpAuthorizationFilter.cs and this: AuthorizationHelper.cs
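
One way to fill the "do your logic in here" step of the filter above, added here as an example and not code from this thread or from ABP: an allow-list matcher that accepts single addresses and CIDR ranges and fails closed. `IpAllowList` and its members are hypothetical names; only `System.Net` types are used.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example: IpAllowList is a hypothetical helper, not an ABP type.
public sealed class IpAllowList
{
    private readonly List<(byte[] Network, int PrefixLength)> _entries =
        new List<(byte[] Network, int PrefixLength)>();

    // Accepts single addresses ("203.0.113.7") and CIDR ranges ("198.51.100.0/24").
    public IpAllowList(IEnumerable<string> entries)
    {
        foreach (var entry in entries)
        {
            var parts = entry.Trim().Split('/');
            if (parts.Length > 2 || !IPAddress.TryParse(parts[0], out var address))
                throw new FormatException($"Invalid allow-list entry: {entry}");
            var bytes = Normalize(address).GetAddressBytes();
            var prefix = bytes.Length * 8; // a bare address matches only itself
            if (parts.Length == 2 &&
                (!int.TryParse(parts[1], out prefix) || prefix < 0 || prefix > bytes.Length * 8))
                throw new FormatException($"Invalid prefix length: {entry}");
            _entries.Add((bytes, prefix));
        }
    }

    // Fails closed: a missing address or an empty list is never allowed.
    public bool IsAllowed(IPAddress remote)
    {
        if (remote == null) return false;
        var candidate = Normalize(remote).GetAddressBytes();
        foreach (var (network, prefixLength) in _entries)
            if (network.Length == candidate.Length && PrefixMatches(network, candidate, prefixLength))
                return true;
        return false;
    }

    // A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    private static IPAddress Normalize(IPAddress ip) => ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip;

    private static bool PrefixMatches(byte[] network, byte[] candidate, int prefixLength)
    {
        var fullBytes = prefixLength / 8;
        for (var i = 0; i < fullBytes; i++)
            if (network[i] != candidate[i]) return false;
        var remainingBits = prefixLength % 8;
        if (remainingBits == 0) return true;
        var mask = (byte)((0xFF << (8 - remainingBits)) & 0xFF);
        return (network[fullBytes] & mask) == (candidate[fullBytes] & mask);
    }
}
```

Inside the filter, pass `context.HttpContext.Connection.RemoteIpAddress` to `IsAllowed` and throw `AbpAuthorizationException` when it returns false. Behind a reverse proxy that property holds the proxy's address unless the forwarded-headers middleware is configured with the known proxies, and a raw `X-Forwarded-For` header should not be read directly because the client controls it.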

  • musa.demir created

    You can also check: https://docs.microsoft.com/tr-tr/aspnet/core/mvc/controllers/filters?view=aspnetcore-2.2

  • ismcagdas created
    Support Team

    This issue is closed because it has not had recent activity for a long time.