Monday, April 9, 2018

Custom Attribute ValidateApplicationPermission 403 Access Denied Leak and MVC filters

This is what happens when we write a custom filter without understanding the sequence in which MVC filters run and how a filter is supposed to stop that sequence.

One classic example is handling custom Unauthorized Access for application permissions at the Controller Action level. If a user is authorized for the application but lacks a particular permission, and the controller action still executes, that is a serious issue.

[Authorize]
public class SomeController : Controller
{
    [ValidateApplicationPermission]
    public ActionResult SomeAction()
    {
        // Must only run when the permission check passes
        return View();
    }
}

Problem Definition:

ValidateApplicationPermission results in a 403 access denied leak. It catches the access denied case and tries to redirect, but the redirect is issued without stopping the filter pipeline, so the existing action filters and the action itself still execute, which should not happen.

For example, using something like this, where we call TransferRequest on the HttpContext from filterContext:
filterContext.HttpContext.Server.TransferRequest(
    Entities.Constants.Entities.Content.Something.Home._403.Path.GetSitecoreItemUrlPath());

Solution

Set the Result on filterContext instead; this respects the filter pipeline and its context, and MVC short-circuits the action:
filterContext.Result = new RedirectResult(
    Entities.Constants.Entities.Content.Something.Home._403.Path.GetSitecoreItemUrlPath());
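As an added illustration (not the post's own code base), here is a complete version of the filter with the leaky TransferRequest call kept as a comment beside the correct Result assignment. The permission service, the "Content.Edit" permission name and the "/error/403" path are assumptions standing in for the Sitecore item path used in the post; the filter is written as an authorization filter so the check runs before any action filters.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical permission lookup; the real application's permission store is not shown in the post.
public interface IApplicationPermissionService
{
    bool HasPermission(string userName, string permission);
}

public class ValidateApplicationPermissionAttribute : FilterAttribute, IAuthorizationFilter
{
    // Placeholder for the application's 403 page (the post uses a Sitecore item path here).
    private const string AccessDeniedPath = "/error/403";
    private readonly string _permission;

    public ValidateApplicationPermissionAttribute(string permission)
    {
        _permission = permission;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            // Authentication is [Authorize]'s job; this filter only checks permissions.
            filterContext.Result = new HttpUnauthorizedResult();
            return;
        }

        var permissions = DependencyResolver.Current.GetService<IApplicationPermissionService>();
        if (permissions.HasPermission(user.Identity.Name, _permission))
        {
            return; // permitted: leave Result null so the action runs
        }

        // Leaky version: TransferRequest starts a child request for the 403 page but does not
        // stop this request, so later filters and the action body still execute.
        // filterContext.HttpContext.Server.TransferRequest(AccessDeniedPath);

        // Correct: assigning Result makes MVC skip the action and send this response instead.
        filterContext.Result = new RedirectResult(AccessDeniedPath);
    }
}

[Authorize]
public class SomeController : Controller
{
    [ValidateApplicationPermission("Content.Edit")]
    public ActionResult SomeAction()
    {
        return View(); // only reached when the permission check passes
    }
}
```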


Implementation Code Base

Wednesday, April 4, 2018

Awesome-ness of AppInsight Analytics and Failure Preview

Microsoft Azure AppInsight has made it much easier to trace the request execution sequence behind any exception. You can actually see how the request was executed for a given exception, which makes it easy to troubleshoot and find the actual root cause of the problem.

Check out the following in Azure AppInsight:

  • Failure (Preview): a new feature within AppInsight
  • Operation Id: locate the operation id for any specific exception
  • Open the AppInsight Analytics query analyzer to view the sequence of traces leading to an exception

Failure (Preview) Blade

  • Look up Count(Failed) vs. total requests
  • Top 3 Response Codes
  • Top 3 Exception Types
  • Last 24 hours or a custom date filter; slide through the graph's date statistics. Awesome-ness
  • Operations vs. Dependencies vs. Exceptions tabs
  • And the View in Analytics link

Suggested: click on one of the exceptions to view its Operation ID; from this operation id you get the full trail and the missing piece of the issue.

End to End transactions