Check authorization in the SignalR attribute

I have some services on ServiceStack and use SignalR in this project.

And now I would like to protect the hub connection (access only for authenticated users), but I use ServiceStack platform authentication (not ASP.NET authentication) and ServiceStack sessions (I write AuthUserId in this session, plus an authentication flag).

So, when a user tries to connect to a hub, authentication needs to be verified ...

(Yes, I can request cookies from the hub (for example, in the OnConnected method), but SignalR authenticates in the authorization attribute, and I have to do this in this class, not in the hub.)

( http://www.asp.net/signalr/overview/signalr-20/security/hub-authorization )

So I am creating a class

    [AttributeUsage(AttributeTargets.Class, Inherited = false, AllowMultiple = false)]
    public class AuthorizeMyAttribute : AuthorizeAttribute
    {
        protected override bool UserAuthorized(System.Security.Principal.IPrincipal user)
        {
            //... how can i request Cookies? / or may be can access for ServiceStack session...
            // and return true or false
        }
    }

What can I do for this? Thanks!

+6
2 answers

AuthorizeAttribute has two more virtual methods:

  • AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
  • AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)

http://msdn.microsoft.com/en-us/library/microsoft.aspnet.signalr.authorizeattribute(v=vs.118).aspx

The default implementations of both methods call UserAuthorized with the request's IPrincipal.

AuthorizeHubConnection is passed an IRequest directly.

In AuthorizeHubMethodInvocation you can access the IRequest object from IHubIncomingInvokerContext as follows: hubIncomingInvokerContext.Hub.Context.Request.

+6

I struggled with this for a while, trying to get the ServiceStack.Web.IRequest from the SignalR.IRequest so that I could use the ServiceStack functions to request the session and see if the user was authenticated. In the end, I gave up and got the cookies from SignalR. I hope the following code snippet helps someone else working through this.

    using System;
    using Microsoft.AspNet.SignalR;
    using Microsoft.AspNet.SignalR.Hubs;
    using ServiceStack;

    public class AuthorizeAttributeEx : AuthorizeAttribute
    {
        public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
        {
            return IsUserAuthorized(request);
        }

        public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext hubIncomingInvokerContext, bool appliesToMethod)
        {
            return IsUserAuthorized(hubIncomingInvokerContext.Hub.Context.Request);
        }

        protected bool IsUserAuthorized(IRequest thisRequest)
        {
            try
            {
                // Within the hub itself we can get the request directly from the context.
                //Microsoft.AspNet.SignalR.IRequest myRequest = this.Context.Request;

                // Unfortunately this is a signalR IRequest, not a ServiceStack IRequest, but we can still use it to get the cookies.
                bool perm = thisRequest.Cookies["ss-opt"].Value == "perm";
                string sessionID = perm ? thisRequest.Cookies["ss-pid"].Value : thisRequest.Cookies["ss-id"].Value;
                var sessionKey = SessionFeature.GetSessionKey(sessionID);
                CustomUserSession session = HostContext.Cache.Get<CustomUserSession>(sessionKey);
                return session.IsAuthenticated;
            }
            catch (Exception)
            {
                // probably not auth'd so no cookies, session etc.
                // Any missing cookie or missing session lands here and is denied below.
            }
            return false;
        }
    }

+1
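
A variant of the check in the answer above, as an added example that is not part of the original answers: it tests for each cookie explicitly instead of relying on the catch block, denies by default, and records why access was denied without writing the session id to the log. `ServiceStackSessionAuthorizeAttribute`, `NotificationHub` and the stand-in `CustomUserSession` are hypothetical names, and treating a missing `ss-opt` cookie as a temporary session is an assumption.

```csharp
using System.Diagnostics;
using Microsoft.AspNet.SignalR;
using Microsoft.AspNet.SignalR.Hubs;
using ServiceStack;

// Stand-in for the answer's session type (assumed to derive from AuthUserSession).
public class CustomUserSession : AuthUserSession { }

// Hypothetical name; explicit, fail-closed form of the cookie/session check.
public class ServiceStackSessionAuthorizeAttribute : AuthorizeAttribute
{
    public override bool AuthorizeHubConnection(HubDescriptor hubDescriptor, IRequest request)
    {
        return HasAuthenticatedSession(request, "connect " + hubDescriptor.Name);
    }

    // Runs on every hub method call, so a session that expired or was logged
    // out after the connection opened is no longer accepted.
    public override bool AuthorizeHubMethodInvocation(IHubIncomingInvokerContext context, bool appliesToMethod)
    {
        return HasAuthenticatedSession(context.Hub.Context.Request, "invoke " + context.MethodDescriptor.Name);
    }

    private static bool HasAuthenticatedSession(IRequest request, string operation)
    {
        // Assumption: a missing ss-opt cookie means a temporary session (ss-id).
        Cookie opt, id;
        bool perm = request.Cookies.TryGetValue("ss-opt", out opt) && opt.Value == "perm";
        if (!request.Cookies.TryGetValue(perm ? "ss-pid" : "ss-id", out id) || string.IsNullOrEmpty(id.Value))
            return Deny(operation, "no session cookie");

        var session = HostContext.Cache.Get<CustomUserSession>(SessionFeature.GetSessionKey(id.Value));
        if (session == null) return Deny(operation, "unknown or expired session");
        if (!session.IsAuthenticated) return Deny(operation, "session not authenticated");
        return true;
    }

    private static bool Deny(string operation, string reason)
    {
        // Log the reason only; the session id is a bearer credential and stays out of logs.
        Trace.TraceWarning("SignalR hub access denied ({0}): {1}", operation, reason);
        return false;
    }
}

// Hypothetical hub: the attribute guards both connecting and every method call.
[ServiceStackSessionAuthorize]
public class NotificationHub : Hub { }
```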
