
Activities of "hongbing.wang"

Hi @ismcagdas,

What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7

We need to implement API rate limiting / throttling for third-party facing / external APIs (AppServices).

Please advise whether attribute-driven rate limiting / throttling, such as [EnableRateLimiting("Api")] with a sliding window limit, is available.

Please advise the steps. Thank you.
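The mechanism asked about above is the rate limiter that ships with .NET 7 (Microsoft.AspNetCore.RateLimiting). The following is an added example and not ASP.NET Zero's or the poster's code: it registers a sliding-window policy named "Api" (the name from the question) plus a per-caller variant, and applies them with the attribute. The limits, the `X-Api-Key` header, and the `OrdersController` are illustrative assumptions; whether the attribute is honoured on ABP's dynamically generated AppService controllers is not something this page establishes, so a plain controller is shown.

```csharp
// Added example, not ASP.NET Zero code: the built-in .NET 7 rate limiter with two policies.
// "Api" is the policy name from the question; the limits, the "X-Api-Key" header and the
// controller are illustrative assumptions.
using System;
using System.Linq;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    // Default rejection status is 503; 429 tells well-behaved clients to back off.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Shared sliding window: 100 requests per minute, counted over six 10-second
    // segments, so a burst straddling a window boundary cannot double the rate.
    options.AddSlidingWindowLimiter("Api", limiter =>
    {
        limiter.PermitLimit = 100;
        limiter.Window = TimeSpan.FromMinutes(1);
        limiter.SegmentsPerWindow = 6;
        limiter.QueueLimit = 0; // reject immediately rather than queue excess requests
    });

    // Per-caller variant: one sliding window per API key (falling back to the remote
    // address), so a single noisy third party cannot exhaust the budget for everyone.
    options.AddPolicy("ApiPerClient", context =>
    {
        string key = context.Request.Headers["X-Api-Key"].FirstOrDefault()
                     ?? context.Connection.RemoteIpAddress?.ToString()
                     ?? "anonymous";
        return RateLimitPartition.GetSlidingWindowLimiter(key, _ => new SlidingWindowRateLimiterOptions
        {
            PermitLimit = 20,
            Window = TimeSpan.FromMinutes(1),
            SegmentsPerWindow = 6,
            QueueLimit = 0
        });
    });
});

var app = builder.Build();
app.UseRouting();
app.UseRateLimiter();   // after UseRouting so endpoint metadata ([EnableRateLimiting]) is visible
app.MapControllers();
app.Run();

[ApiController]
[Route("api/external/[controller]")]
[EnableRateLimiting("ApiPerClient")]        // applies to every action in the controller
public class OrdersController : ControllerBase
{
    [HttpGet, EnableRateLimiting("Api")]     // action-level attribute overrides the controller's
    public IActionResult List() => Ok(Array.Empty<object>());

    [HttpGet("health"), DisableRateLimiting] // explicit opt-out for a cheap probe endpoint
    public IActionResult Health() => Ok();
}
```

In a Startup-class project the same `services.AddRateLimiter(...)` call goes in ConfigureServices and `app.UseRateLimiter()` goes in Configure, after `app.UseRouting()`. Limits are held in process memory, so each instance behind a load balancer enforces them independently.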


Hi @ismcagdas,

What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7

The Session Hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server. Using the cookie, an attacker can gain access to the application as an authorized user and can modify data, pose as a legitimate user, gain information, and take actions under the assumed identity. Please see the details in the following screenshots.

When copying an admin's Abp.AuthToken cookie to a non-admin user, WMS Pro shows an error message: "Request data failed, Session.UserId is null! Probably, user is not logged in.". After reloading the page, the user is logged out. This is normal. Please investigate why sometimes the user is not logged out: after refreshing the page, the non-admin user is shown as an admin.

Related:

  1. My question at https://support.aspnetzero.com/QA/Questions/10654/Login-Issue-w-Antiforgery-Tokens

  2. Why do we have to comment out [ValidateAntiForgeryToken] in the following places?

     \webapi\src\umsplus.Web.Core\Controllers\TenantCustomizationController.cs

     ```csharp
     //[ValidateAntiForgeryToken]
     public async Task<JsonResult> UploadLightLogo()
     ...
     //[ValidateAntiForgeryToken]
     public async Task<JsonResult> UploadCustomCss()
     ...
     ```

     \webapi\src\umsplus.Web.Core\Controllers\UsersControllerBase.cs

     ```csharp
     //[ValidateAntiForgeryToken]
     public async Task<JsonResult> ImportFromExcel()
     ...
     ```

     ...

  3. \webapi\src\umsplus.Web.Host\Startup\Startup.cs

     ```csharp
     services.AddControllersWithViews(options =>
     {
         options.Filters.Add(new AbpAutoValidateAntiforgeryTokenAttribute());
     ```

It should be done for dynamic web api automatically. Does this mean, with this set, we don't need to set the attribute [ValidateAntiForgeryToken] in the places?
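The question above contrasts a global auto-validation filter with per-action [ValidateAntiForgeryToken] attributes. The block below is an added example in plain ASP.NET Core (not ABP's AbpAutoValidateAntiforgeryTokenAttribute, and not the project's code) showing how the two relate: with a global auto-validating filter every unsafe verb is checked, the per-action attribute becomes redundant, and an endpoint that must be exempt is opted out explicitly with [IgnoreAntiforgeryToken] rather than by commenting a line out. The `X-XSRF-TOKEN` / `XSRF-TOKEN` names, the `/antiforgery/token` route and the `LogoController` are assumptions for the demo.

```csharp
// Added example, not the project's or ABP's code: plain ASP.NET Core antiforgery for a SPA.
// Header/cookie names, the token route and the controller are constructed for the demo.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// The SPA reads the XSRF-TOKEN cookie and echoes it in this header on unsafe requests.
builder.Services.AddAntiforgery(o =>
{
    o.HeaderName = "X-XSRF-TOKEN";
    o.Cookie.HttpOnly = true;                 // the antiforgery cookie itself is never read by script
    o.Cookie.SameSite = SameSiteMode.Strict;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

// One global filter validates every POST/PUT/PATCH/DELETE on controllers, so a
// per-action [ValidateAntiForgeryToken] adds nothing on top of it.
builder.Services.AddControllers(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();

// Issues the request token in a script-readable cookie for the SPA to echo back.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
        new CookieOptions { HttpOnly = false, Secure = true, SameSite = SameSiteMode.Strict });
    return Results.NoContent();
});

app.MapControllers();
app.Run();

[ApiController, Route("api/[controller]")]
public class LogoController : ControllerBase
{
    // Covered by the global filter: a multipart upload still needs the X-XSRF-TOKEN header.
    [HttpPost("upload")]
    public IActionResult Upload(IFormFile file) => Ok(new { file.FileName, file.Length });

    // An exemption is declared where reviewers can see it. Reserve this for endpoints that are
    // not authenticated by the browser cookie at all (e.g. a bearer-token-only endpoint).
    [HttpPost("webhook"), IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}
```

The check that matters for the cookie-copying scenario in this post is that every cookie-authenticated unsafe endpoint is behind the filter; an endpoint left out by a commented attribute is exactly the gap a copied Abp.AuthToken cookie can be replayed against from a third-party page.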

Hi @ismcagdas,

What is your product version? v12.4.0
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .net 7

Abp.AuthToken and Abp.AuthRefresh are not cleared following logout in the production build with the HTTP-only-cookie implementation, where server and client are integrated in the same app. This problem doesn't occur in the debug build, where the server and the client are separate. Please see the following screenshot for more details.

Please advise the steps to resolve the issue in the HTTP-only production build.

After upgrading to ASP.NET Zero 12.4.2, record count dropdown list has extra white padding when expanded. See the screenshot below. Please note that the Angular client version shows 12.4.0. We can reproduce it by deleting node_modules and rebuild.

With the original source for 12.4.2, if the client version shows 12.0.0, it doesn't have the issue.

Please investigate this dependency issue.

The issue happens to the Zero app 12.4.2 and to our web app if you remove yarn.lock, delete the node_modules folder and regenerate it.

The versions: Angular 16 and PrimeNG 16.4.1

  • Angular 16 and PrimeNG 16.4.1: The element count display seems to be a default behavior in this combination, without an explicit disabling option.
  • Downgrading to PrimeNG 15: While this removes the count, it introduces dependency warnings, indicating potential compatibility issues.

Please advise how to resolve the issue. Thank you.

After upgrading to ASP.NET Zero 12.4.2, in the production build, I got the following exception when running umsplus.ServiceCore.Host.exe.

```text
Unhandled exception. System.IO.FileNotFoundException: Could not load file or assembly 'Castle.Services.Logging.SerilogIntegration, Version=5.0.0.0, Culture=neutral, PublicKeyToken=407dd0808d44fbdc'. The system cannot find the file specified.
File name: 'Castle.Services.Logging.SerilogIntegration, Version=5.0.0.0, Culture=neutral, PublicKeyToken=407dd0808d44fbdc'
   at System.Reflection.RuntimeAssembly.InternalLoad(AssemblyName assemblyName, StackCrawlMark& stackMark, AssemblyLoadContext assemblyLoadContext, RuntimeAssembly requestingAssembly, Boolean throwOnFileNotFound)
   at System.Reflection.Assembly.Load(AssemblyName assemblyRef)
   at Serilog.Settings.Configuration.ConfigurationReader.LoadConfigurationAssemblies(IConfiguration section, AssemblyFinder assemblyFinder)
   at Serilog.Settings.Configuration.ConfigurationReader..ctor(IConfiguration configSection, AssemblyFinder assemblyFinder, ConfigurationReaderOptions readerOptions, IConfiguration configuration)
   at Serilog.ConfigurationLoggerConfigurationExtensions.GetConfigurationReader(IConfiguration configuration, ConfigurationReaderOptions readerOptions, DependencyContext dependencyContext)
   at Serilog.ConfigurationLoggerConfigurationExtensions.Configuration(LoggerSettingsConfiguration settingConfiguration, IConfiguration configuration, ConfigurationReaderOptions readerOptions)
   at Serilog.ConfigurationLoggerConfigurationExtensions.Configuration(LoggerSettingsConfiguration settingConfiguration, IConfiguration configuration, String sectionName, DependencyContext dependencyContext)
   at umsplus.ServiceCore.ServiceCoreAppModule.PreInitialize() in E:\jenkins_ws\workspace\WmsPLUS_Developement\trunk\services\ServiceCore.Host\ServiceCoreAppModule.cs:line 50
   at Abp.Modules.AbpModuleManager.<>c.<StartModules>b__15_0(AbpModuleInfo module)
   at System.Collections.Generic.List`1.ForEach(Action`1 action)
   at Abp.Modules.AbpModuleManager.StartModules()
   at Abp.AbpBootstrapper.Initialize()
   at umsplus.ServiceCore.Program.<>c.<CreateHostBuilder>b__2_1(IServiceCollection services) in E:\jenkins_ws\workspace\WmsPLUS_Developement\trunk\services\ServiceCore.Host\Program.cs:line 54
   at Microsoft.Extensions.Hosting.HostBuilder.InitializeServiceProvider()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at umsplus.ServiceCore.Program.Main(String[] args) in E:\jenkins_ws\workspace\WmsPLUS_Developement\trunk\services\ServiceCore.Host\Program.cs:line 31
   at umsplus.ServiceCore.Program.<Main>(String[] args)
```

However, dotnet umsplus.Web.Host.dll runs fine.

In our production build, umsplus.ServiceCore.Host.exe and umsplus.Web.Host.dll are in the same folder sharing the same Castle.Services.Logging.SerilogIntegration.dll.

The version of Castle.Services.Logging.SerilogIntegration.dll in the folder is 5.1.1.

The NuGet package castle.core-serilog\5.1.1\lib\net6.0\Castle.Services.Logging.SerilogIntegration.dll is the latest version, 5.1.1.

<PackageReference Include="Castle.Core-Serilog" Version="5.1.1" />

The dependency:

```text
umsplus.Web.Host -> umsplus.Web.Core -> umsplus.EntityFrameworkCore -> umsplus.Core -> Abp.ZeroCore.EntityFrameworkCore 8.4.0 -> Abp.ZeroCore 8.4.0 -> Abp.Zero.Common 8.4.0 -> Abp 8.4.0 -> Castle.Core (>= 5.1.1)
umsplus.Web.Host -> Castle.Core-Serilog 5.1.1 -> Castle.Core (= 5.1.1)
```

The decompiler info on Castle.Services.Logging.SerilogIntegration.dll.

```csharp
#region Assembly Castle.Services.Logging.SerilogIntegration, Version=5.0.0.0, Culture=neutral, PublicKeyToken=407dd0808d44fbdc
// C:\Users\<username>\.nuget\packages\castle.core-serilog\5.1.1\lib\net6.0\Castle.Services.Logging.SerilogIntegration.dll
// Decompiled with ICSharpCode.Decompiler 8.1.1.7464
#endregion
```

Not sure why there is a version conflict / mismatch 5.0.0.0 and 5.1.1.

In the debug build, umsplus.ServiceCore.Host.exe and umsplus.Web.Host.dll run in separate folders. They run fine without the version conflict issue.

The requirement: “API documentation should be available from a folder/url within WMS Pro (e.g. /apidoc). This folder would serve as the root folder for the API documentation, so that it can be filled out with multiple pages and resources independent of the main WMS Pro app.”

Our Zero app's server and angular client are within the same application. We aim to incorporate a folder for HTML documentation for APIs, allowing access from outside the Zero web app.

I’ve created a new folder under \server\wwwroot\apidoc.

Initial attempt in Configure() of Startup.cs (in ASP.NET Core):

```csharp
#if HTTPONLY_COOKIE && RELEASE
app.Use(async (context, next) =>
{
    // StartsWith also matches longer prefixes such as "/apidocs".
    if (context.Request.Path.HasValue && context.Request.Path.Value.StartsWith("/apidoc"))
    {
        // Rewrite the request to remove the '/apidoc' prefix.
        // This maps /apidoc/<file> to wwwroot/<file>, not to wwwroot/apidoc/<file>.
        context.Request.Path = context.Request.Path.Value.Substring("/apidoc".Length);
    }
    await next();
});

app.UseStaticFiles(); // Assuming this middleware is for serving static files

app.Use(async (context, next) =>
{
    // The status code is only meaningful after the rest of the pipeline has run;
    // without this call the 404 check below never fires and the request ends here.
    await next();

    if (context.Response.StatusCode == 404 && !Path.HasExtension(context.Request.Path.Value))
    {
        context.Request.Path = "/index.html";
        await next();
    }
});
#endif
```

FYI: The existing code was:

```csharp
#if HTTPONLY_COOKIE && RELEASE
app.Use(async (context, next) =>
{
    await next();
    if (context.Response.StatusCode == 404 && !Path.HasExtension(context.Request.Path.Value))
    {
        context.Request.Path = "/index.html";
        await next();
    }
});
#endif

app.UseStaticFiles();
```

The problem: "\apidoc" was always redirected by the ‘catch all’ route of the angular app. The intended ASP.NET Core rewrite didn't work as expected.

Please advise how to resolve the issue.

Thank you for your support.
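One way to serve the documentation folder without a path rewrite, as an added example that is not the project's or ASP.NET Zero's own code: mount wwwroot/apidoc under /apidoc with its own static-file provider, and exclude that prefix from the Angular fallback so a missing document returns a real 404 instead of the SPA's index.html. The Startup.Configure shape follows the question; the `#if` symbols are the ones already in the post, and the rest of the pipeline (routing, authentication, endpoints) is assumed to follow as in the template.

```csharp
// Added example, not the project's or ASP.NET Zero's code: a dedicated static-file
// mount for wwwroot/apidoc plus an SPA fallback that leaves /apidoc alone.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.FileProviders;

public partial class Startup
{
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        var apiDocRoot = Path.Combine(env.WebRootPath, "apidoc");

        if (Directory.Exists(apiDocRoot))
        {
            // PhysicalFileProvider is rooted at wwwroot/apidoc: requests cannot escape it,
            // and RequestPath does the prefix mapping, so no manual rewrite is needed.
            var docFiles = new PhysicalFileProvider(apiDocRoot);

            // UseDefaultFiles must precede UseStaticFiles; it rewrites /apidoc/ to /apidoc/index.html
            // (a request for /apidoc without the trailing slash is redirected to /apidoc/).
            app.UseDefaultFiles(new DefaultFilesOptions { FileProvider = docFiles, RequestPath = "/apidoc" });
            app.UseStaticFiles(new StaticFileOptions { FileProvider = docFiles, RequestPath = "/apidoc" });
        }

#if HTTPONLY_COOKIE && RELEASE
        // SPA fallback for the integrated Angular client, as in the existing code, except that
        // extension-less paths under /apidoc are left as 404s rather than becoming index.html.
        app.Use(async (context, next) =>
        {
            await next();

            if (context.Response.StatusCode == 404
                && !context.Response.HasStarted
                && !Path.HasExtension(context.Request.Path.Value)
                && !context.Request.Path.StartsWithSegments("/apidoc"))
            {
                context.Request.Path = "/index.html";
                await next();
            }
        });
#endif

        app.UseStaticFiles();   // the Angular bundle from the wwwroot root, as before

        // ... app.UseRouting(); app.UseAuthentication(); app.UseAuthorization();
        //     app.UseEndpoints(...) as in the template
    }
}
```

Static files served by middleware placed before UseAuthentication are reachable without a login, which matches the requirement that the documentation be accessible from outside the app; if the documentation should be restricted, the mount has to move after the authentication and authorization middleware and be guarded there.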

Using SQL Server Management Studio (SSMS), I am able to copy an encrypted password from any Operator on an installation into any other Operator on any installation (same machine / installation, completely different machine / installation).

To replicate:

On Computer A

Create a new Operator and give them any password

Open SSMS > dbo.AbpUsers, show top 1000 (for example)

Locate the newly created Operator, copy the value in the ‘Password’ field

On Computer B

Open SSMS > dbo.AbpUsers, edit top 200 (for example - edit required)

Locate the admin user (typically entry #2)

Delete the value in the ‘Password’ field, and replace with the copied value from Computer A

Press the Enter key to save the change to the database

Log in using the ‘admin’ Operator, but use the password you created for the new Operator on Computer A

Login should be successful

No evidence of tampering, no warning, no errors, it just works.

Expected behaviour is that simply copying any encrypted password from one Operator to another - ESPECIALLY on a completely different installation - should NOT allow the login to work.

What's the cause of the issue? Does ASP.NET Zero use ASP.NET Identity framework PasswordHasher? By default, is there a salt? Please confirm that user passwords are hashed with salt. Is there a configuration available to resolve the issue?
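The behaviour reported above is consistent with how ASP.NET Core Identity's default PasswordHasher<TUser> works, and the console program below, an added example rather than ASP.NET Zero's code, demonstrates it: each hash carries its own random salt inside the stored string, and verification recomputes the hash from that stored salt alone, so the user record the hash is attached to plays no part. The `DemoUser` type and the passwords are constructed for the demo; whether ASP.NET Zero wires up this exact hasher is the question the post asks and is not asserted here.

```csharp
// Added example, not ASP.NET Zero code: what ASP.NET Core Identity's default
// PasswordHasher<TUser> (package Microsoft.Extensions.Identity.Core) does and does not bind to.
// DemoUser and the password values are constructed for this demo.
using System;
using Microsoft.AspNetCore.Identity;

public sealed class DemoUser
{
    public string UserName { get; init; } = "";
}

public static class PasswordHashDemo
{
    private static readonly PasswordHasher<DemoUser> Hasher = new();

    // The same password hashed twice gives two different strings: a fresh 128-bit salt is drawn
    // per call and stored inside the hash (V3 layout: 0x01 marker, PRF id, iteration count,
    // salt length, salt, then the 256-bit PBKDF2 subkey). So passwords are salted by default.
    public static bool SaltIsRandomPerHash(string password)
    {
        var user = new DemoUser { UserName = "alice" };
        return Hasher.HashPassword(user, password) != Hasher.HashPassword(user, password);
    }

    // Verification reads the salt back out of the stored string and recomputes the subkey.
    // The TUser argument is not mixed into the derivation, so a hash copied onto another
    // user (or into another database) still verifies against the original password.
    public static PasswordVerificationResult VerifyCopiedHash(
        string password, string otherPassword, out PasswordVerificationResult otherResult)
    {
        var origin = new DemoUser { UserName = "new-operator" };   // hashed here ...
        var target = new DemoUser { UserName = "admin" };          // ... verified against this user
        string hash = Hasher.HashPassword(origin, password);
        otherResult = Hasher.VerifyHashedPassword(target, hash, otherPassword);
        return Hasher.VerifyHashedPassword(target, hash, password);
    }

    // The stored value contains no user or installation identifier: only the format
    // marker, PBKDF2 parameters, salt and subkey.
    public static (byte FormatMarker, int Length) InspectHash(string password)
    {
        byte[] raw = Convert.FromBase64String(Hasher.HashPassword(new DemoUser(), password));
        return (raw[0], raw.Length);
    }

    public static void Main()
    {
        Console.WriteLine($"salt differs per hash: {SaltIsRandomPerHash("S3cret!")}");
        var right = VerifyCopiedHash("S3cret!", "guess", out var wrong);
        Console.WriteLine($"copied hash, original password: {right}");
        Console.WriteLine($"copied hash, other password:    {wrong}");
        var (marker, length) = InspectHash("S3cret!");
        Console.WriteLine($"format marker 0x{marker:X2}, {length} bytes");
    }
}
```

Salting defeats precomputed tables and makes two users with the same password indistinguishable in the table; it does not, on its own, tie a hash to a particular row or installation. Binding of that kind has to come from elsewhere (for instance a per-installation secret mixed into the derivation, or tamper detection on the AbpUsers table), which is the configuration question the post leaves open.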

Hi support team,

We need to find a way to access the AppPermissions.Pages permission, the root of the permission tree, and dynamically add or remove a root menu item. Please advise which method we should use.

I tried with the following code. The problem is role.Permissions is null, but the user’s role does have permissions, see the screenshot. What did I miss?

    private async Task RemoveAlarmPermissionsAsync()
    {
        // Note: AbpSession.UserId is the current user's id, not a role id.
        var roleId = (int)AbpSession.UserId;
        // GetRoleByIdAsync loads the Role entity itself; the Permissions navigation
        // collection is not loaded by that call, which is consistent with it being null here.
        var role = await _roleManager.GetRoleByIdAsync(roleId);
        var permissions = PermissionManager.GetAllPermissions();
        var rootAlarmPermission = permissions.FirstOrDefault(p => p.Name == "Pages.Alarms");
        if (role.Permissions != null && rootAlarmPermission != null)
        {
            //remove Pages.Alarms from the root permission tree
            var alarmRolePermissionSetting = new RolePermissionSetting
            {
                TenantId = _tenantId,
                Name = "Pages.Alarms",
                IsGranted = true,
                RoleId = roleId
            };

            // A newly constructed setting is a different object from the persisted one,
            // so Remove() finds nothing to remove even when Permissions is loaded.
            role.Permissions.Remove(alarmRolePermissionSetting);
        }
    }
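As an added example (not the project's or ABP's own code) of the approach the question is reaching for: read and change a role's grants through the role manager rather than through the Permissions navigation collection. It assumes the ASP.NET Zero template's `RoleManager` (derived from ABP's AbpRoleManager, whose GetGrantedPermissionsAsync / IsGrantedAsync / ProhibitPermissionAsync methods are used here) and the "Pages.Alarms" permission name from the question; the service and method names are made up. Only the permission side is covered; how the Angular client hides the corresponding menu item is not on this page.

```csharp
// Added example, not the project's or ABP's own code: revoke a root permission for a role
// via AbpRoleManager instead of editing role.Permissions. RoleManager is assumed to be the
// ASP.NET Zero template's class; the service and method names are made up.
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Authorization;

public class AlarmMenuAppService : ApplicationService
{
    private const string AlarmPermissionName = "Pages.Alarms";

    private readonly RoleManager _roleManager;               // template's RoleManager : AbpRoleManager<Role, User>
    private readonly IPermissionManager _permissionManager;

    public AlarmMenuAppService(RoleManager roleManager, IPermissionManager permissionManager)
    {
        _roleManager = roleManager;
        _permissionManager = permissionManager;
    }

    // Grants are read through the manager, which queries the role-permission settings itself;
    // role.Permissions is not needed (and is not populated by GetRoleByIdAsync).
    public async Task<List<string>> GetGrantedPermissionNamesAsync(int roleId)
    {
        var role = await _roleManager.GetRoleByIdAsync(roleId);
        var granted = await _roleManager.GetGrantedPermissionsAsync(role);
        return granted.Select(p => p.Name).OrderBy(n => n).ToList();
    }

    // Revoke the root alarm permission for one role. roleId is a role id; do not pass
    // AbpSession.UserId here. Child permissions (Pages.Alarms.*) are separate grants and
    // are not touched by this call.
    public async Task RemoveAlarmPermissionAsync(int roleId)
    {
        var role = await _roleManager.GetRoleByIdAsync(roleId);
        var permission = _permissionManager.GetPermissionOrNull(AlarmPermissionName);
        if (permission == null)
        {
            return; // permission not defined in this tenant's provider set
        }

        if (await _roleManager.IsGrantedAsync(role.Id, permission))
        {
            await _roleManager.ProhibitPermissionAsync(role, permission);
        }
    }

    // What the client ultimately needs for a root menu item: is the current user granted it?
    public async Task<bool> CurrentUserCanSeeAlarmsAsync()
    {
        return await PermissionChecker.IsGrantedAsync(AlarmPermissionName);
    }
}
```

Because ABP caches role permissions, going through the manager also keeps the cache consistent; a direct edit of the AbpPermissions table would not. Restrict the revoke method to an administrative permission with [AbpAuthorize] so that changing a role's grants is itself a privileged operation.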

Hi support team,

WMS Pro 1.0.66166 Standard | API: v12.0.0 | Client: v12.0.0 [20230123]

When logged in to WMS Pro, the logo in the top right appears very small in size. The max dimensions for the upload of a custom logo in the settings page are also set very small (139 x 35px, and up to 30KB max). These limits do not align with current times and modern displays, and the appearance of the logo contains a lot of wasted space surrounding it.

Requested action: investigate removing or adjusting the limits so that a logo of a reasonable size may be uploaded and displayed in a manner that makes full use of the available space.

  • Logo dimensions should allow a maximum image size of at least 400 x 100px, preferably more.
  • When displaying the logo above the navigation, the webpage should scale the image proportionally to fit the available space.

It seems the change log of V12.1 didn't mention any change to the size limits of logos.

Thanks for your support.
