React to Security change where instead of 401 Unauthorized, 403 Forbidden is going to be returned for authenticated users when trying to access unauthorized resource.

2015-05-26 14:54:55 -07:00 · 2015-05-26 14:54:55 -07:00 · 33cc8b06c9
parent 94a2b00d9a
commit 33cc8b06c9
5 changed files with 38 additions and 8 deletions
--- a/src/MusicStore/Controllers/HomeController.cs
+++ b/src/MusicStore/Controllers/HomeController.cs
@ -54,6 +54,11 @@ namespace MusicStore.Controllers
            return View("~/Views/Shared/StatusCodePage.cshtml");
        }

+        public IActionResult AccessDenied()
+        {
+            return View("~/Views/Shared/AccessDenied.cshtml");
+        }
+
        private async Task<List<Album>> GetTopSellingAlbumsAsync(int count)
        {
            // Group the order details by album and return
--- a/src/MusicStore/Startup.cs
+++ b/src/MusicStore/Startup.cs
@ -3,6 +3,7 @@ using Microsoft.AspNet.Authorization;
 using Microsoft.AspNet.Builder;
 using Microsoft.AspNet.Diagnostics;
 using Microsoft.AspNet.Diagnostics.Entity;
+using Microsoft.AspNet.Http;
 using Microsoft.AspNet.Identity.EntityFramework;
 using Microsoft.Data.Entity;
 using Microsoft.Framework.Caching.Memory;
@ -59,6 +60,11 @@ namespace MusicStore
                    .AddEntityFrameworkStores<MusicStoreContext>()
                    .AddDefaultTokenProviders();

+            services.ConfigureCookieAuthentication(options =>
+            {
+                options.AccessDeniedPath = new PathString("/Home/AccessDenied");
+            });
+
            services.ConfigureFacebookAuthentication(options =>
            {
                options.AppId = "550624398330273";
--- a/src/MusicStore/Views/Shared/AccessDenied.cshtml
+++ b/src/MusicStore/Views/Shared/AccessDenied.cshtml
@ -0,0 +1,5 @@
+@{
+    ViewBag.Title = "Access denied due to insufficient permissions";
+}
+
+<h1 class="text-danger">Access denied due to insufficient permissions.</h1>
--- a/test/E2ETests/Implementation/Validator.cs
+++ b/test/E2ETests/Implementation/Validator.cs
@ -142,13 +142,26 @@ namespace E2ETests
        {
            _logger.LogInformation("Trying to access StoreManager that needs ManageStore claim with the current user : {email}", email ?? "Anonymous");
            var response = await _httpClient.GetAsync("Admin/StoreManager/");
-            await ThrowIfResponseStatusNotOk(response);
-            var responseContent = await response.Content.ReadAsStringAsync();
-            ValidateLayoutPage(responseContent);
-            Assert.Contains("<title>Log in – ASP.NET MVC Music Store</title>", responseContent, StringComparison.OrdinalIgnoreCase);
-            Assert.Contains("<h4>Use a local account to log in.</h4>", responseContent, StringComparison.OrdinalIgnoreCase);
-            Assert.Equal<string>(_deploymentResult.ApplicationBaseUri + PrefixBaseAddress("Account/Login?ReturnUrl=%2F{0}%2FAdmin%2FStoreManager%2F"), response.RequestMessage.RequestUri.AbsoluteUri);
-            _logger.LogInformation("Redirected to login page as expected.");
+
+            if (email == null)
+            {
+                await ThrowIfResponseStatusNotOk(response);
+                var responseContent = await response.Content.ReadAsStringAsync();
+                ValidateLayoutPage(responseContent);
+
+                Assert.Contains("<title>Log in – ASP.NET MVC Music Store</title>", responseContent, StringComparison.OrdinalIgnoreCase);
+                Assert.Contains("<h4>Use a local account to log in.</h4>", responseContent, StringComparison.OrdinalIgnoreCase);
+                Assert.Equal<string>(_deploymentResult.ApplicationBaseUri + PrefixBaseAddress("Account/Login?ReturnUrl=%2F{0}%2FAdmin%2FStoreManager%2F"), response.RequestMessage.RequestUri.AbsoluteUri);
+                _logger.LogInformation("Redirected to login page as expected.");
+            }
+            else
+            {
+                Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+                var responseContent = await response.Content.ReadAsStringAsync();
+                ValidateLayoutPage(responseContent);
+
+                Assert.Contains("<title>Access denied due to insufficient permissions – ASP.NET MVC Music Store</title>", responseContent, StringComparison.OrdinalIgnoreCase);
+            }
        }

        public async Task RegisterUserWithNonMatchingPasswords()
--- a/test/E2ETests/SmokeTests.cs
+++ b/test/E2ETests/SmokeTests.cs
@ -202,7 +202,8 @@ namespace E2ETests
                    await validator.SignInWithInvalidPassword(generatedEmail, "Password~1");
                    await validator.SignInWithUser(generatedEmail, "Password~2");

-                    // Making a request to a protected resource that this user does not have access to - should automatically redirect to login page again
+                    // Making a request to a protected resource that this user does not have access to - should
+                    // automatically redirect to the configured access denied page
                    await validator.AccessStoreWithoutPermissions(generatedEmail);

                    // Logout from this user session - This should take back to the home page