yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0a4878d2a329487510272774edd8ae3cc365477f
Umbraco-CMS/src/Umbraco.Web/Security/WebAuthExtensions.cs

75 lines
2.8 KiB
C#
Raw Normal View History

Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
using System.Net.Http;
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
using System.Security.Claims;
using System.Security.Principal;
using System.ServiceModel.Channels;
using System.Threading;
using System.Web;
using AutoMapper;
using Umbraco.Core.Models.Membership;
using Umbraco.Core.Security;
using Umbraco.Web.WebApi;
namespace Umbraco.Web.Security
{
internal static class WebAuthExtensions
{
/// <summary>
/// This will set a an authenticated IPrincipal to the current request given the IUser object
/// </summary>
/// <param name="request"></param>
/// <param name="user"></param>
/// <returns></returns>
internal static IPrincipal SetPrincipalForRequest(this HttpRequestMessage request, IUser user)
{
var principal = new ClaimsPrincipal(
new UmbracoBackOfficeIdentity(
new ClaimsIdentity(),
Mapper.Map<UserData>(user)));
//It is actually not good enough to set this on the current app Context and the thread, it also needs
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
// to be set explicitly on the HttpContext.Current !! This is a strange web api thing that is actually
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
// an underlying fault of asp.net not propogating the User correctly.
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
var http = request.TryGetHttpContext();
if (http)
{
http.Result.User = principal;
}
Thread.CurrentPrincipal = principal;
//For WebAPI
request.SetUserPrincipal(principal);
return principal;
}
/// <summary>
/// This will set a an authenticated IPrincipal to the current request given the IUser object
/// </summary>
/// <param name="httpContext"></param>
Fixes setting auth cookie during install, removes some try/catch/swallow with some error messaging, converts some String -> string and == false updates.
2015-11-26 13:07:22 +01:00
/// <param name="userData"></param>
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
/// <returns></returns>
Fixes setting auth cookie during install, removes some try/catch/swallow with some error messaging, converts some String -> string and == false updates.
2015-11-26 13:07:22 +01:00
internal static IPrincipal SetPrincipalForRequest(this HttpContextBase httpContext, UserData userData)
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
{
var principal = new ClaimsPrincipal(
new UmbracoBackOfficeIdentity(
new ClaimsIdentity(),
Fixes setting auth cookie during install, removes some try/catch/swallow with some error messaging, converts some String -> string and == false updates.
2015-11-26 13:07:22 +01:00
userData));
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
//It is actually not good enough to set this on the current app Context and the thread, it also needs
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
// to be set explicitly on the HttpContext.Current !! This is a strange web api thing that is actually
Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out.
2015-11-19 18:12:21 +01:00
// an underlying fault of asp.net not propogating the User correctly.
if (HttpContext.Current != null)
{
HttpContext.Current.User = principal;
}
httpContext.User = principal;
Thread.CurrentPrincipal = principal;
return principal;
}
}
Normalize cr/lf/tab
2017-07-20 11:21:28 +02:00
}
Reference in New Issue Copy Permalink