3

Here was my ajax call:

$J.ajax({
    type: 'POST',
    url: "/ajax/getCharts",
    data: JSON.stringify(cids),
    dataType: 'json',
    asynch: false   // note: jQuery's option is "async"; this misspelt key is ignored, so the request stays asynchronous
})

This worked ... until yesterday. We are using Microsoft.AspNet.Identity, and yesterday I added more user roles, expanding on the defaults such as "admin", "user", etc.

Now I am getting this error back in my ajax .fail header:

X-Responded-JSON: {"status":401,"headers":{"location":"http://localhost:56970/Account/Login?ReturnUrl=%2Fajax%2FgetCharts"}}

which kind of makes sense if the call is failing authentication.
Note: in my ajaxController I had previously annotated it as such (which worked):

[Authorize(Roles = "User")]
public class ajaxController : BaseController

and now I expanded it to include my new custom user roles, such that:

[Authorize(Roles = "Superuser, Poweruser, User")]
public class ajaxController : BaseController

and that didn't work.
Also I added this in RegisterRoutes:

var settings = new FriendlyUrlSettings();
settings.AutoRedirectMode = RedirectMode.Off;
routes.EnableFriendlyUrls(settings);

as suggested by:
ASP.NET Calling WebMethod with jQuery AJAX "401 (Unauthorized)"

but it didn't work.

and this page made no sense to me:
jquery $.ajax call results in 401 unauthorized response when in Chrome or Firefox, but works in IE

What am I missing here?

toy
  • Completely spitballing here, but should it maybe be [ "Superuser", "Poweruser", "User" ] instead? – Taplar Aug 03 '17 at 06:00

1 Answer

2

The issue I could understand is when a user tries to login, say I just sent a request for login. At this time I am not logged in, meaning I don't have any role currently, and you have put an authorize filter on the ajax controller allowing some roles.

Now, to remove this issue, put the AllowAnonymous attribute only on your Login action inside the ajax controller,

like

[AllowAnonymous]   // overrides the controller-level [Authorize] for this one action only
public async Task<ActionResult> Login()
{
}

P.S.: and don't forget to put it on the POST action, and on the Register action if you have one.

RAHUL S R
  • Please clarify - I don't have an ajax login() function so I'm not sure what you're referring to – toy Aug 03 '17 at 06:21
  • @toy that ajax login function is calling some server-side action method, right?? Put AllowAnonymous on that – RAHUL S R Aug 03 '17 at 06:37
  • Oh, I see what you mean - you're just putting a generic name in there, ok. But will this affect security? I mean - will some random person be able to call my ajax function without logging in? – toy Aug 03 '17 at 06:43
  • 1
    @toy that's why you have to put it on the specific actions where you want anyone to access, instead of the whole controller. When you put it over the action, the attribute will be overridden for only that action; the rest will work the same – RAHUL S R Aug 03 '17 at 06:46
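The following is an added example (not the asker's or the answerer's code) putting the question's controller-level [Authorize(Roles = ...)] and the answer's per-action [AllowAnonymous] override together in one ASP.NET MVC 5 controller, with a diagnostic action that reports which role claims the caller's auth cookie actually carries. It assumes the MVC 5 Identity template types ApplicationSignInManager and ApplicationUser and a project BaseController; the action names getCharts, WhoAmI and Login are taken from the thread or chosen here. Two points it illustrates that the thread leaves implicit: Roles is a single comma-separated string that the framework splits and trims, so the question's attribute already admits a user in any one of the three roles; and Identity writes role claims into the cookie at sign-in, so a role granted after the user signed in is not seen until they sign in again. The X-Responded-JSON header in the question is what the OWIN cookie middleware produces when it converts its login redirect into a 401 for an XMLHttpRequest.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

// A controller-level [Authorize] applies to every action in the class. Roles is one
// string; AuthorizeAttribute splits it on commas and trims each entry, and the caller
// passes if they are in ANY of the listed roles.
[Authorize(Roles = AllowedRoleList)]
public class ajaxController : BaseController
{
    // Single source of truth for the role list so the attribute and the diagnostic agree.
    public const string AllowedRoleList = "Superuser, Poweruser, User";

    private static readonly string[] AllowedRoles =
        AllowedRoleList.Split(',').Select(r => r.Trim()).ToArray();

    // Protected by the controller-level filter. An anonymous or wrong-role caller is
    // redirected to the login page; for an XMLHttpRequest the OWIN cookie middleware
    // replaces that 302 with a 401 and reports the would-be Location in the
    // X-Responded-JSON header, which is what the question's .fail handler receives.
    [HttpPost]
    public ActionResult getCharts()
    {
        return Json(new { ok = true, user = User.Identity.GetUserName() });
    }

    // Diagnostic: what the auth cookie says about the caller. Authorization is decided
    // from these role claims, captured at sign-in, not from the current database state.
    [HttpGet]
    public ActionResult WhoAmI()
    {
        var identity = User.Identity as ClaimsIdentity;
        var roles = identity == null
            ? new string[0]
            : identity.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray();

        return Json(new
        {
            authenticated = User.Identity.IsAuthenticated,
            name = User.Identity.Name,
            roles = roles,
            inAnyAllowedRole = roles.Intersect(AllowedRoles).Any()
        }, JsonRequestBehavior.AllowGet);
    }

    // [AllowAnonymous] on this action alone overrides the controller-level [Authorize]
    // for this action only; getCharts and WhoAmI still require an authenticated caller
    // holding one of the roles. Scoping the override to the action, rather than removing
    // [Authorize] from the controller, is what keeps the rest of the ajax surface closed.
    [AllowAnonymous]
    [HttpPost]
    public async Task<ActionResult> Login(string userName, string password)
    {
        // ApplicationSignInManager is the MVC 5 Identity template type (assumption).
        var signInManager = HttpContext.GetOwinContext().Get<ApplicationSignInManager>();
        var result = await signInManager.PasswordSignInAsync(
            userName, password, isPersistent: false, shouldLockout: true);

        // Return a status the ajax caller can branch on instead of a redirect.
        return Json(new { status = result.ToString() });
    }
}
```

To use it as a check on the question's symptom, call /ajax/WhoAmI from an already signed-in browser session: if `authenticated` is true but `inAnyAllowedRole` is false, the cookie was issued before the new roles were assigned (or the user is simply not in any listed role), and signing out and back in refreshes the role claims; if `authenticated` is false, the ajax request is not carrying the auth cookie at all.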