Skip to main content

Custom AuthorizationHandler for SignalR Hubs

How to implement IAuthorizationRequirement for SignalR in Asp.Net Core v5.0

Been battling this for a couple of days, and eventually ended up raising an issue on Asp.Net Core gitHub to find the answer.

Wanting to do some custom authorization on a SignalR Hub when the client makes a connection (Hub is created) and when an endpoint (Hub method) is called: 

[Authorize(Policy = "ServiceRequirement")]
public class ExampleHub : Hub
{
[Authorize(Policy = "EndpointRequirement")]
public Task Register()
{
return Task.CompletedTask;
}
}
view raw ExampleHub.cs hosted with ❤ by GitHub

I was assuming I could use the same Policy for both class & method attributes, but it ain't so - not because you can't, because you need the signatures to be different.

Method implementation has a resource type of HubInnovationContext:

public class EndpointRequirement : IAuthorizationRequirement
{
}
public class EndpointAuthorizationHandler : AuthorizationHandler<EndpointRequirement, HubInvocationContext>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, EndpointRequirement requirement,
HubInvocationContext resource)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
}
view raw EndpointAuthorizationHandler.cs hosted with ❤ by GitHub

I assumed class implementation would have a resource type of HubConnectionContext - client connects etc... This isn't the case, it's infact of type DefaultHttpContext. For me I don't even need that, it can be removed completely from the inheritence signature and override implementation.

public class ServiceRequirement : IAuthorizationRequirement
{
}
public class ServiceAuthorizationHandler : AuthorizationHandler<ServiceRequirement>, IAuthorizationRequirement
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ServiceRequirement requirement)
{
context.Succeed(requirement);
return Task.CompletedTask;
}
}
view raw ServiceAuthorizationHandler.cs hosted with ❤ by GitHub
Only other thing to note, and this could be a biggy, is the ordering of the statements in the Startup class:

public class Startup
{
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
app.UseDeveloperExceptionPage();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints => endpoints.MapHub<ExampleHub>("/Example"));
}
public void ConfigureServices(IServiceCollection services)
{
services.AddSignalR(options =>
{
options.EnableDetailedErrors = true;
});
services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
.AddNegotiate();
services.AddAuthorization(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser()
.Build();
options.AddPolicy(nameof(ServiceRequirement), policy => policy.Requirements.Add(new ServiceRequirement()));
options.AddPolicy(nameof(EndpointRequirement), policy => policy.Requirements.Add(new EndpointRequirement()));
});
services.AddSingleton<IUserIdProvider, NameUserIdProvider>();
services.AddSingleton<IAuthorizationRequirement, EndpointAuthorizationHandler>();
services.AddSingleton<IAuthorizationRequirement, ServiceAuthorizationHandler>();
}
}
view raw Startup.cs hosted with ❤ by GitHub

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

Implementing a busy indicator using a visual overlay in MVVM

This is a technique we use at work to lock the UI whilst some long running process is happening - preventing the user clicking on stuff whilst it's retrieving or rendering data. Now we could have done this by launching a child dialog window but that feels rather out of date and clumsy, we wanted a more modern pattern similar to the way <div> overlays are done on the web. Imagine we have the following simple WPF app and when 'Click' is pressed a busy waiting overlay is shown for the duration entered into the text box. What I'm interested in here is not the actual UI element of the busy indicator but how I go about getting this to show & hide from when using MVVM. The actual UI elements are the standard Busy Indicator coming from the WPF Toolkit : The XAML behind this window is very simple, the important part is the ViewHost. As you can see the ViewHost uses a ContentPresenter element which is bound to the view model, IMainViewModel, it contains 3 child v...
Post a Comment
Read more

Showing a message box from a ViewModel in MVVM

I was doing a code review with a client last week for a WPF app using MVVM and they asked ' How can I show a message from the ViewModel? '. What follows is how I would (and have) solved the problem in the past. When I hear the words ' show a message... ' I instantly think you mean show a transient modal message box that requires the user input before continuing ' with something else ' - once the user has interacted with the message box it will disappear. The following solution only applies to this scenario. The first solution is the easiest but is very wrong from a separation perspective. It violates the ideas behind the Model-View-Controller pattern because it places View concerns inside the ViewModel - the ViewModel now knows about the type of the View and specifically it knows how to show a message box window: The second approach addresses this concern by introducing the idea of messaging\events between the ViewModel and the View. In the example ...
5 comments
Read more

WPF tips & tricks: Dispatcher thread performance

Not blogged for an age, and I received an email last week which provoked me back to life. It was a job spec for a WPF contract where they want help sorting out the performance of their app especially around grids and tabular data. I thought I'd shared some tips & tricks I've picked up along the way, these aren't probably going to solve any issues you might be having directly, but they might point you in the right direction when trying to find and resolve performance issues with a WPF app. First off, performance is something you shouldn't try and improve without evidence, and this means having evidence proving you've improved the performance - before & after metrics for example. Without this you're basically pissing into the wind, which can be fun from a developer point of view but bad for a project :) So, what do I mean by ' Dispatcher thread performance '? The 'dispatcher thread' or the 'UI thread' is probably the most ...
Post a Comment
Read more