
Infinite redirect when authenticating against a page the user doesn’t have access to #8

Open
Infarinato opened this issue Dec 5, 2016 · 2 comments

@Infarinato

This is something I’ve come across and solved, and I’m posting for the benefit of people that might face the same issue (…and also because some of the Sitecore gurus watching this thread might have better solutions).

Basically, if you successfully authenticate against AD FS, but don’t have specific access to the secured page you’ve requested (because you don’t have the required [AD FS-mapped] Sitecore role), you’re stuck in an infinite loop.

So all I did was add one extra check at the very end of point no. 8 of the SitecoreFederatedLogin/sitecoreOwinFederation/pipelines/HttpRequest/AuthenticationChecker.cs algorithm, which redirects the user to some “Access denied” page (N.B. This is by no means production-ready code!):

    // 8 all identities available
    // check if identity matches.
    // if not: redirect. Otherwise: return
    else if (!String.IsNullOrEmpty(key) && Context.IsLoggedIn && federatedUser != null)
    {
        var user = Context.User;

        // compare identities
        // if not equal, there is a cookie mismatch:
        //      remove tokens,
        //      logout sitecore user and
        //      redirect to loginpage.
        if (!user.Name.Equals(String.Format("{0}\\{1}", Context.Domain.Name, federatedUser.Identity.Name)))
        {
            LogoutAndRedirectToLogoutPage();
            // stop here: do not fall through to the access check after a logout redirect,
            // otherwise the second redirect below would override the first one
            return;
        }

        // If the requested page is not accessible by the user,
        // redirect to Access Denied page
        if (!this.CanRead(HttpContext.Current.Request.Url.AbsolutePath))
        {
            // TODO: return 403 - is it even possible?
            WebUtil.Redirect(AccessDeniedPage, false);
        }
    }

where AccessDeniedPage is some suitable error page (say, "/accessdenied") and CanRead is simply (code below is not bullet-proof!)

    private bool CanRead(string pagePath)
    {
        var item = Context.Database.GetItem(WebsiteRoot + pagePath);

        return item != null && item.Access.CanRead();
    }

WebsiteRoot being the root of your (micro)site, e.g. "sitecore/content/home".
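As an added illustration (not code from this issue or from the SitecoreFederatedLogin project), here is how the same access check can be written as a separate httpRequestBegin processor that avoids the two weak spots of the snippet above: it resolves the requested item through Sitecore.Context.Item instead of concatenating WebsiteRoot with the raw URL path, and it guards against a second redirect loop when the "access denied" page itself is not readable by the user, answering with a plain 403 in that case (which also answers the TODO about returning 403: in httpRequestBegin you can set the response status and abort the pipeline). The class name AuthorizationChecker, the property AccessDeniedPath, the helper Forbid and the namespace are all assumptions; the processor must be patched into httpRequestBegin after Sitecore's ItemResolver so that Context.Item is already resolved.

```csharp
using System;
using System.Web;
using Sitecore;
using Sitecore.Data.Items;
using Sitecore.Pipelines.HttpRequest;
using Sitecore.Web;

namespace SitecoreFederatedLogin.Example // hypothetical namespace, not the project's
{
    // Hypothetical httpRequestBegin processor; it is NOT the project's AuthenticationChecker.
    // Patch it into the pipeline AFTER Sitecore.Pipelines.HttpRequest.ItemResolver so that
    // Sitecore.Context.Item has already been resolved for the requested URL.
    public class AuthorizationChecker : HttpRequestProcessor
    {
        // Site-relative path of the "access denied" page. Placeholder value; in a real
        // deployment it would be set from the processor's configuration.
        public string AccessDeniedPath { get; set; } = "/accessdenied";

        public override void Process(HttpRequestArgs args)
        {
            // Only act for authenticated users. Anonymous users are handled by the
            // existing login redirect and must not be touched here.
            if (!Context.IsLoggedIn)
            {
                return;
            }

            // Use the item ItemResolver already mapped from the URL. Concatenating
            // WebsiteRoot + AbsolutePath breaks with language prefixes, aliases and
            // display names; Context.Item does not.
            Item item = Context.Item;
            if (item == null)
            {
                // Unknown item: leave Sitecore's normal "item not found" handling alone.
                return;
            }

            if (item.Access.CanRead())
            {
                return; // authorized, nothing to do
            }

            HttpContext http = HttpContext.Current;
            string requestPath = http.Request.Url.AbsolutePath.TrimEnd('/');

            // Loop guard: if the user already asked for the access-denied page and cannot
            // read even that, redirecting there again would loop forever. Send a 403 instead.
            if (string.Equals(requestPath, AccessDeniedPath.TrimEnd('/'), StringComparison.OrdinalIgnoreCase))
            {
                Forbid(args, http);
                return;
            }

            // Ordinary case: the user is authenticated but lacks read access on the item.
            // endResponse = true ends the current request so no later processor or the
            // layout engine can override the redirect.
            WebUtil.Redirect(AccessDeniedPath, true);
        }

        // Answer with a bare 403 and stop the pipeline (standard ASP.NET response members).
        private static void Forbid(HttpRequestArgs args, HttpContext http)
        {
            http.Response.Clear();
            http.Response.StatusCode = 403;
            http.Response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body
            args.AbortPipeline();
        }
    }
}
```

The access-denied page itself should be readable by every role that can log in (for example by granting read to the "everyone" role on that single item), otherwise the 403 branch is what users will see; the guard above simply makes sure that misconfiguration degrades to a 403 rather than to an endless redirect.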

@BasLijten
Owner

Pablo,

thanks! Is it by any means possible to submit a pull request? I'll make sure to include it in the master branch, then.

regards,
Bas

@Infarinato
Author

…Assuming I knew how to do that, Bas! ;-)

The thing is: although I’m still very much in “PoC mode”, I’ve started refactoring things quite heavily in preparation for the move to our main code base, so it’s probably not too easy to merge the changes back in. :-/

I’d be more than happy to send you my whole solution, though, for you to pick whatever you might find useful…

Thanks,

Paolo

@BasLijten BasLijten self-assigned this Feb 14, 2017