Hangfire: IDashboardAuthorizationFilter with .Net Core

Created on 14 Jul 2016 · 21 Comments · Source: HangfireIO/Hangfire

Hi,
I'm playing with Hangfire and .NET core and everything seems ok (well done).
I'd like to know how to protect the dashboard for authenticated users.

I'm using IdentityServer with OpenId for the authentication and I'm trying to implement the logic in my IDashboardAuthorizationFilter.

Unfortunately I didn't find a way to get the HttpContext or the current User.
How can I check if the current user is logged or not into my IDashboardAuthorizationFilter?

Thanks

bug question

All 21 comments

I'm using a similar configuration (IdSrv v2). I simply add an AuthorizationFilter[] like:

``` c#
var authorizationFilters = new IAuthorizationFilter[]
{
    new AuthorizationFilter
    {
        Roles = "MyAuthorizedRole1;MyAuthorizedRole2"
    },
};

app.UseHangfireDashboard("/path",
    new Hangfire.DashboardOptions()
    {
        AuthorizationFilters = authorizationFilters
    });
```

and then add those roles to the users that need it in the identityserver admin page (but I believe what really matters are the "Roles" of your Principal)

Hi @marcoCasamento
the problem here is that AuthorizationFilter doesn't exist and the IAuthorizationFilter is deprecated. The new one IDashboardAuthorizationFilter doesn't expose the User into the context so I can't check it (otherwise I don't have roles but claims)

I've just added extension methods, please see the referenced commit. Meanwhile you can cast the context to AspNetCoreDashboardContext class to get the HttpContext property.

``` c#
class MyAuthorizationFilter : IDashboardAuthorizationFilter
{
    public bool Authorize(DashboardContext context)
    {
        var httpContext = ((AspNetCoreDashboardContext) context).HttpContext;
        return false;
    }
}
```

It works like this:

``` c#
using System.Linq;
using Hangfire;
using Hangfire.Dashboard;

internal class HangfireAuthorizationFilter : IDashboardAuthorizationFilter
{
    private readonly string[] _roles;

    public HangfireAuthorizationFilter(params string[] roles)
    {
        _roles = roles;
    }

    public bool Authorize(DashboardContext context)
    {
        var httpContext = ((AspNetCoreDashboardContext)context).HttpContext;

        // True when the current user is in at least one of the configured roles.
        var result = _roles.Aggregate(false, (current, role) => current || httpContext.User.IsInRole(role));

        return result;
    }
}

// In the Startup class:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseHangfireDashboard(options: new DashboardOptions
    {
        Authorization = new[]
        {
            new HangfireAuthorizationFilter("admin")
        }
    });
}
```

Or you can use the GetHttpContext extension method as well:

``` c#
public bool Authorize(DashboardContext context)
{
    var httpContext = context.GetHttpContext();
    // ...
}
```

@odinserj where is this extension method?

Ah, it's in the Hangfire.Dashboard namespace, ReSharper pampered me

@odinserj which package? I don't see this extension in the Dashboard namespace and my ReSharper doesn't suggest it to me.

Hangfire.AspNetCore 1.6.0, in the AspNetCoreDashboardContextExtensions class.

@odinserj It's not there )) here is a screenshot


Hm, it was included only to the Hangfire.Core project, and not to Hangfire.Core.NetStandard. So it exists in net45, but doesn't exist on netstandard1.3. @kroniak, thanks for persistence!

Fixed in b579546773d8ae57affc8a435954555ab1f23289.

How should it be in Hangfire.Core v1.6.2?
How can I get httpContext?

@knopa Yes, it is there


For the life of me, there is no extension for DashboardContext

@kroniak Any plan for Hangfire.Core?

@knopa this is to @odinserj

@knopa, the DashboardContextExtensions was mistakenly named OwinDashboardContextExtensions (please see your screenshot). It has the GetOwinEnvironment method:

ASP.NET/OWIN applications

``` c#
using Microsoft.Owin; // From the Microsoft.Owin package

public bool Authorize(DashboardContext context)
{
    var owinContext = new OwinContext(context.GetOwinEnvironment());

    // ...
}
```

ASP.NET Core applications

``` c#
public bool Authorize(DashboardContext context)
{
    var httpContext = context.GetHttpContext();
    // ...
}
```

Now it's time to update the documentation :smile:

@odinserj
Thanks, it works with owinContext.Request.User.IsInRole

The authenticated user is also available via the Authentication property:

``` c#
owinContext.Authentication.User.IsInRole("...")
```
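
For the setup in the original question, where the identity provider issues claims rather than roles, the filter can test a claim on the `HttpContext` user instead of calling `IsInRole`. This is an added example, not code from the thread or from the Hangfire project; the class name `ClaimDashboardAuthorizationFilter`, the claim type `role`, the value `hangfire-admin` and the `/hangfire` path are assumptions.

```csharp
using System;
using System.Linq;
using Hangfire.Dashboard;

// Added example (hypothetical class name): claims-based dashboard filter that fails closed.
public sealed class ClaimDashboardAuthorizationFilter : IDashboardAuthorizationFilter
{
    private readonly string _claimType;
    private readonly string[] _allowedValues;

    public ClaimDashboardAuthorizationFilter(string claimType, params string[] allowedValues)
    {
        // Refuse a configuration that could never grant (or silently always deny) access.
        if (string.IsNullOrWhiteSpace(claimType))
            throw new ArgumentException("Claim type is required.", nameof(claimType));
        if (allowedValues == null || allowedValues.Length == 0)
            throw new ArgumentException("At least one allowed value is required.", nameof(allowedValues));

        _claimType = claimType;
        _allowedValues = allowedValues;
    }

    public bool Authorize(DashboardContext context)
    {
        // GetHttpContext() is the Hangfire.AspNetCore extension discussed in this thread.
        var user = context.GetHttpContext()?.User;

        // Deny when there is no user or the request is anonymous.
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Grant only when the user holds the claim with one of the allowed values.
        return _allowedValues.Any(value => user.HasClaim(_claimType, value));
    }
}

// Registration in Startup.Configure. The claim type and value are assumed sample values.
// The authentication middleware must be registered before the dashboard,
// otherwise HttpContext.User is not populated when the filter runs.
//
// app.UseHangfireDashboard("/hangfire", new DashboardOptions
// {
//     Authorization = new[] { new ClaimDashboardAuthorizationFilter("role", "hangfire-admin") }
// });
```

Assigning `Authorization` replaces the default local-requests-only filter, and every filter in the collection must return `true` for the request to reach the dashboard.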
