Activities of "pnw"

I ran the 'update-database [connect string]' command in Package Manager to create a whole new database so I could compare the columns to my production database. I found I needed to add AuthenticationSource:

ALTER TABLE dbo.AbpUsers ADD AuthenticationSource nvarchar(64) NULL

Answer

bogdan:

I've made the same conclusion some time ago and have made a wrapper around the ASP.Net Identity.

To use this data you need a custom implementation of IPermissionChecker interface which will be able to handle permissions in the form "Organisation=1234". You can use this permission either by an attribute [AbpAuthorize("Organisation=1234")] or by injecting IPermissionChecker and using it directly.

That is exactly what I'm looking for. I see how IPermissionsManager and IPermissionChecker work but where do I set up the claims and integrate the Identity and claims into AbpSession? There must be another class for that?

In my case, the Identity is determined before my app even starts. Our corporate STS puts our identity in a cookie. I guess I'm looking for the Abp version of the ClaimsTransformation - where I have access to the cookies and the database so I can assemble all the claims together.

hikalkan: Hi,

IAbpSession only requires getting current UserId. You can get it from any source. Just provide it. Best method is to set userId (as long integer) as encrypted to a cookie and get it from this cookie on next requests. You can also learn and use Microsoft's ASP.NET Identity Framework for membership management.

Since IAbpSession only defines a getter for UserId, the assumption must be that initializing the value happens in AbpSession??

I implemented AbpSession and now I just need to return a value from UserId. The value I need is in a cookie but HttpContext is not available in AbpSession. You mention providing it from a cookie but how do I get access to the cookies?

Answer

Somehow I was inheriting from DbContext. Once I switched to AbpDbContext my repositories were happy.

Answer

Not using module-zero. It doesn't support my company org structure.

ismcagdas: Hi,

You can create a custom AuthorizeFilter for MVC or WebAPI and check the request here in that. Please see this issue https://github.com/aspnetboilerplate/aspnetboilerplate/issues/1256

I think I followed the instructions but the Log In page still displays. This is what I did:

I implemented a class called MyAuthorizeFilter and derived it from AbpMvcAuthorizeFilter. Then I overrode OnAuthorization to create the ClaimsPrincipal and attach it to the HttpContext.User.

public override void OnAuthorization(AuthorizationContext filterContext)
{
    var empid = filterContext.HttpContext.Request.Headers["employeeid"];
    if (empid == null) empid = "123456"; // for local testing

    ClaimsPrincipal currentPrincipal = new ClaimsPrincipal(
        new ClaimsIdentity(
            new List<Claim>
            {
                new Claim(ClaimTypes.NameIdentifier, empid),
                new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", empid)
            }, "wsso"
        )
    );

    Thread.CurrentPrincipal = currentPrincipal;
    filterContext.HttpContext.User = currentPrincipal;

    base.OnAuthorization(filterContext);
}

Then I added my class to the GlobalFilters by overriding the PostInitialize of MyProjectWebModule, per instructions.

public override void PostInitialize()
{
    GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter));
    GlobalFilters.Filters.Add(IocManager.Resolve<MyAuthorizeFilter>());
    base.PostInitialize();
}

In the debugger, I see all the code get executed. Why isn't this enough to prevent the Log in page from appearing?

Oh yes, I do have the same employeeid in the Abp Users. The user properties: User name: 123456, Full name: pnw, Email address: [email protected], IsActive: Yes, Password: "1"

Then, when I try to log in, using Log in page and 123456/1 an error dialog appears "Empty or invalid anti forgery header token". What's that??

It is still a mystery.

I don't know how to get AbpZero to realize that I'm already authenticated and look for my employee id in the Headers (every single web server in my intranet is behind WSSO so it is not possible to be unauthenticated prior to AbpZero taking over.)

var empid = filterContext.HttpContext.Request.Headers["employeeid"];

Then, how to bypass the Login page and tie my empid to whatever necessary records in the Abp tables. (e.g. Does my empid need to be in AbpUsers? If so, does it go in UserName field? What about the password field, which is superfluous in my case.)

Since I don't need AbpZero for Authentication, it still would be nice to take advantage of the Authorization features. But maybe that's too much to hope for.
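As an added example (not code from the original post or from ASP.NET Boilerplate): one way to build the principal from the `employeeid` header only when the request arrives from the WSSO proxy, rejecting a missing or malformed value instead of substituting a test id. The `WssoHeaderIdentity` class, the proxy address list and the digits-only id format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Claims;

public static class WssoHeaderIdentity
{
    // Assumption: addresses of the WSSO proxies allowed to set the header
    // (constructed sample values, replace with the real proxy addresses).
    private static readonly HashSet<IPAddress> TrustedProxies = new HashSet<IPAddress>
    {
        IPAddress.Parse("10.0.0.10"),
        IPAddress.Loopback
    };

    // Returns null when the header cannot be trusted, so the caller can leave
    // the request unauthenticated rather than fall back to a fixed identity.
    public static ClaimsPrincipal TryCreate(string remoteAddress, string employeeIdHeader)
    {
        IPAddress remote;
        if (!IPAddress.TryParse(remoteAddress, out remote) || !TrustedProxies.Contains(remote))
            return null; // any client can send an "employeeid" header of its own

        // Assumption: employee ids are 1 to 10 decimal digits.
        if (string.IsNullOrEmpty(employeeIdHeader)
            || employeeIdHeader.Length > 10
            || !employeeIdHeader.All(c => c >= '0' && c <= '9'))
            return null;

        // Same claim type and authentication type ("wsso") as the filter in the post.
        var identity = new ClaimsIdentity(
            new List<Claim> { new Claim(ClaimTypes.NameIdentifier, employeeIdHeader) },
            "wsso");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed inputs: trusted proxy with a valid id, an untrusted
        // source address, and a trusted proxy with the header missing.
        Console.WriteLine(TryCreate("10.0.0.10", "123456") != null);
        Console.WriteLine(TryCreate("203.0.113.7", "123456") != null);
        Console.WriteLine(TryCreate("10.0.0.10", null) != null);
    }
}
```

In an MVC filter the two arguments would come from `Request.UserHostAddress` and `Request.Headers["employeeid"]`.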

By userId do you mean the PK of AbpUsers (ID)? Before I change the schema, I tried to test it first. I created a new user by logging in as Admin and going to the Users tab of the UI.

I then looked in AbpUsers and see that this new user has ID = 3.

I tried "3" in

new Claim(ClaimTypes.NameIdentifier, "3")

but the Login page still displays and while the MyMvcAuthorizeFilter is in place, I cannot login with Admin or the new account via the Login page. It throws "Empty or invalid anti forgery header token".

I've tried three claims

new Claim(ClaimTypes.Name, "3"),
new Claim(ClaimTypes.NameIdentifier, "3"),
new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "3")

I hope I interpreted your suggestion correctly!

I added [DisableAbpAntiForgeryTokenValidation] to the abstract base class

[DisableAbpAntiForgeryTokenValidation]
public abstract class MyControllerBase : AbpController

Without doing anything else, I verify that the usual login page comes up and I can still log in as admin/123qwe

Now I uncomment the PostInitialize() filters to remove and add filters. The definition of MyMvcAuthorizeFilter is still the same as shown above.

public override void PostInitialize()
{
    GlobalFilters.Filters.Remove(GlobalFilters.Filters.Single(f => f.Instance is AbpMvcAuthorizeFilter));
    GlobalFilters.Filters.Add(IocManager.Resolve<MyMvcAuthorizeFilter>());
    base.PostInitialize();
}

Now when I run, the login page still comes up and I can log in as admin\123qwe. The home page starts to render, but an Abp error dialog "An error has occurred!" pops up. Then I notice that the upper right user badge shows {{vm.getShownUserName()}} instead of '.\admin' and the view isn't getting rendered.

This is really frustrating. All I want to do is programmatically log in so that the Log in page doesn't appear. Should I just rip AbpZero out of my solution and just do plain old claims based authentication and authorization?

hikalkan: I assume that you are using ABP v1.0.

Can you try to add this into your module's PreInitialize:

Configuration.ReplaceService<IPermissionChecker, PermissionsChecker>(DependencyLifeStyle.Transient);

Be sure that the PermissionsChecker is your class (since abp.zero has same class name). To be sure, rename your class to CustomPermissionsChecker or something you like more.

I am using ABP 1.0. I renamed my checker to MyPermissionChecker.

When I try to add that line of code to my MyApplicationModule.PreInitialize()

using Abp.Authorization;
using Abp.Dependency;
...
Configuration.ReplaceService<IPermissionChecker, MyPermissionsChecker>(DependencyLifeStyle.Transient);

Visual Studio says "CS0308: This non-generic method 'IAbpStartupConfiguration.ReplaceService(Type,Action)' cannot be used with type arguments."
