Comments (11)
What sort of response action? Does it need to be run even for failed requests?
Most response actions take place in OnSendingHeaders (unless you're buffering or there is no response body).
from security.
Yes, I'm buffering the response and I need to write the buffer back to the network stream even if there is a failure (whatever is in the buffer at that point).
from security.
If there is a failure I don't think you should write out the buffer, you should let the failed request handling take over instead. That said, you would still need to put the original response stream back in so the error handler could write to it.
I'll take a look at the object model and see if we can call Teardown in a finally block.
from security.
Yes, that's a good point. I need to put the original stream back in. BTW, had I not buffered, the response produced thus far would have gone out, wouldn't it? Is it not correct to write the buffer back? Sure, the error handler should respond back, but any pointers on how to go about with the response produced till that point? Just discard?
from security.
Yes, I would just discard the response in an error case. The error handling logic can produce better results if the response body hasn't been sent yet, and a partial response body isn't useful to anyone anyways.
from security.
There could be a problem in putting TeardownAsync in a finally block in AuthenticationMiddleware. TeardownAsync also calls ApplyResponseAsync, which in turn calls ApplyResponseGrantAsync and ApplyResponseChallengeAsync. When there is an exception, not sure if it is a good idea to send a challenge or grant. So, as part of this, you may want to consider separating the teardown part and the response handling part and ensure only the teardown part is called even if there is an exception.
from security.
Yeah, I was considering how to deal with that case. One option is to pass in a flag to these APIs indicating if this was a success or failed response. They could then choose if they want to do any work. Your example of wanting to replace the response body is one of the few where I think it makes sense to do work during an unhandled error.
from security.
Ah, here's an idea. TeardownAsync calls both ApplyResponseAsync and TeardownCoreAsync. I could skip ApplyResponseAsync in error cases and just run TeardownCoreAsync, which you could override to put the stream back (if it didn't happen inside of ApplyResponseAsync).
from security.
Yes, that will work. I do not think anyone would be needing to send challenge or grant in case of an exception and hence there may not be a need to pass the flag and let the derived classes decide to do anything about it. I think this approach will be better, for this does not disturb the existing setup and only ensures TeardownCoreAsync runs even if there is an exception, which is exactly what I want :). Thanks much.
from security.
Related problem: https://katanaproject.codeplex.com/workitem/360
Exceptions thrown in the ApplyResponse code path get cached and re-thrown during OnSendingHeaders, breaking error handling scenarios like ErrorPage or ErrorHandler.
from security.
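The split the thread settles on (skip the response step on failure, always run teardown so the original stream is back in place for the error handler), shown as an added example that is not Katana's code. `Response`, `BufferingHandler`, `ApplyResponse`, `TeardownCore` and `Demo` are simplified stand-ins assumed for illustration, with no dependency on Microsoft.Owin.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading.Tasks;

// Simplified stand-in for an OWIN response (hypothetical type, not Katana's).
class Response { public Stream Body = new MemoryStream(); }

// Hypothetical buffering handler with separate "apply response" and "teardown" steps.
class BufferingHandler
{
    private readonly Response _res;
    private readonly Stream _original;
    private readonly MemoryStream _buffer = new MemoryStream();

    // Swap in the buffer so downstream writes never reach the real stream directly.
    public BufferingHandler(Response res)
    { _res = res; _original = res.Body; res.Body = _buffer; }

    // Success-only step: flush the buffered body to the real stream.
    public void ApplyResponse() => _buffer.WriteTo(_original);

    // Always-run step: restore the stream; whatever is still buffered is discarded.
    public void TeardownCore() => _res.Body = _original;

    public static async Task InvokeAsync(Response res, Func<Response, Task> next)
    {
        var handler = new BufferingHandler(res);
        try
        {
            await next(res);
            handler.ApplyResponse();         // skipped when next throws
        }
        finally { handler.TeardownCore(); }  // runs on success and on failure
    }
}

static class Demo
{
    static Task FailingApp(Response r)       // constructed downstream component
    {
        r.Body.Write(Encoding.UTF8.GetBytes("partial body"), 0, 12);
        throw new InvalidOperationException("constructed failure");
    }
    static async Task Main()
    {
        var res = new Response();
        try { await BufferingHandler.InvokeAsync(res, FailingApp); }
        catch (InvalidOperationException) { res.Body.Write(Encoding.UTF8.GetBytes("error page"), 0, 10); }
        Console.WriteLine(Encoding.UTF8.GetString(((MemoryStream)res.Body).ToArray()));
    }
}
```

The catch block in `Demo` plays the role of the error handler: it writes to the restored original stream, and the partial body stays in the discarded buffer.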