
I took over a project in ASP.NET, C# and React which is not too well documented. In Visual Studio (Professional 2017)'s debug mode, I initially keep getting a bunch of errors which I ignore by clicking Continue a couple of times. The Output within Visual Studio reads:

An exception of type 'System.Web.Http.HttpResponseException' occurred in myProject.API.dll but was not handled in user code Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details.

The corresponding code is probably myProject.BSTB.API\Filters\UserAuthenticationFilter.cs:

using System;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace myProject.API.Filters
{
    public class UserAuthenticationFilter : ActionFilterAttribute
    {
        // ... some other code 
        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            // Name of the Windows account the request was authenticated as
            var name = HttpContext.Current.User.Identity.Name;
            ServiceLocator sl = new ServiceLocator();
            User user = null;
            try { user = sl.User.GetUserByName(name); } catch (Exception ex) { throw; }

            // No matching row in the application DB: short-circuit with a 401
            if (user == null)
            {
                throw new HttpResponseException(
                    new HttpResponseMessage(HttpStatusCode.Unauthorized) {
                        ReasonPhrase = "Unauthorize request: User not valid: " + name });
            }

            // Make the DB user available to the rest of the request pipeline
            HttpContext.Current.Items.Add(Common.CURRENT_CONTEXT_USER, user);
            base.OnActionExecuting(actionContext);
        }
    }
}

I was told:

Since the system uses NTLM authentication and credentials are not sent on the first call to the server, the server sends an error response, and the credentials are sent with the second request. Thus it is expected that the server will have user == null towards the beginning, and spit out a lot of HTTP errors, this is the desired behaviour.

Edit: I believe that we are actually using Kerberos, and that we are actually performing an authorization rather than an authentication, see e.g. Authentication versus Authorization.

Interestingly, other developers cannot reproduce this issue, so it might have to do something with the way I set up Visual Studio.

Clearly it is a waste of time that I have to click several times on the Continue button each time I start running the code in Visual Studio. How should I adjust the code so that this error does not show up any more? Is there maybe just a configuration in Visual Studio or some additional code I should add?

Edit

The user comes from an additional service, my.Service\UserService.cs, which reads:

using System.Linq;

namespace myProject.Service
{
    public class UserService
    {
        private projectContext _db;
        internal UserService(projectContext db)
        {
            _db = db;
        }

        // Returns the application user for a Windows account name,
        // or null when no row with that UserName exists
        public User GetUserByName(string name)
        {
            return _db.Users.SingleOrDefault(x => x.UserName == name);
        }
    }
}

B--rian
  • You don't need to write your own *authentication* filter when you use Windows authentication - which btw uses Kerberos, not NTLM. The user is *already* authenticated by the client. By the time you call `Identity.Name` the authentication phase is already over. Why do you use this code at all? What does `GetUserByName` do? Are you looking for *authorization* perhaps? – Panagiotis Kanavos Sep 09 '19 at 12:05
  • Why did you write this filter in the first place? What are you trying to do with it? Almost all ASP.NET tutorials no matter the stack show how to use Windows authentication. *Authentication* means finding out who the user is, not whether he/she has permission to use the application. This is *authorization*, which is also covered in most tutorials. – Panagiotis Kanavos Sep 09 '19 at 12:09
  • @PanagiotisKanavos: I have no clue why this filter was written, I am new to ASP.net and C# and React (I know some C++, some ReactNative, python, Perl ... though). I just took over the project, I am only trying to fix front end bugs. :-/ PS: I added some more code on where the username comes from. – B--rian Sep 09 '19 at 12:12
  • Well, it's badly written. That `try { user = sl.User.GetUserByName(name); } catch (Exception ex) { throw; }` is no different than a plain `user = sl.User.GetUserByName(name);` since it just rethrows the exception. The `HttpStatusCode.Unauthorized` response is appropriate whether authentication or authorization fails so yes, it's needed. On the other hand, if the code used ASP.NET's infrastructure properly the response would be automatic. – Panagiotis Kanavos Sep 09 '19 at 12:14
  • @PanagiotisKanavos: I guess you are right, and it is about authorization. I mean, I am asked for my Windows password (which is not stored inside the `myProject` DB), but I am only allowed to access the application if my user-ID is stored inside the myProject DB. -- What exactly do you suggest as clean-up? – B--rian Sep 09 '19 at 12:22
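
The clean-up the comments hint at, as an added example that is not part of the question or of the asker's project: the check belongs in a Web API authorization filter (AuthorizationFilterAttribute), which runs after Windows authentication has produced a principal, and the filter should set the response instead of throwing. Setting `actionContext.Response` short-circuits the action without raising an exception, so the debugger has nothing to break on, and an authenticated account that is simply not registered in the application DB gets 403 rather than being confused with the still-unauthenticated first leg of the Negotiate/NTLM handshake. `ServiceLocator`, `User` and `Common.CURRENT_CONTEXT_USER` are taken from the question; the class name `DbUserAuthorizationFilter` is an assumption.

```csharp
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace myProject.API.Filters
{
    // Added example (hypothetical class name): an authorization filter that only
    // decides "is this authenticated Windows account allowed in", and leaves the
    // authentication handshake itself to IIS / ASP.NET.
    public class DbUserAuthorizationFilter : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            var principal = actionContext.RequestContext.Principal;

            // Not authenticated yet: this is the first request of the Windows
            // authentication handshake, which carries no credentials. Answer 401
            // so the client retries with credentials; the Windows authentication
            // module adds the WWW-Authenticate challenge to the 401 response.
            // No exception is thrown, so Visual Studio does not break here.
            if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            {
                actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
                return;
            }

            // Authentication is done; now authorize against the application DB
            // (ServiceLocator and User come from the question).
            var name = principal.Identity.Name;
            var sl = new ServiceLocator();
            User user = sl.User.GetUserByName(name);

            // Known Windows account with no row in the DB: the caller is
            // identified but not permitted, which is 403, not 401. Keep the
            // body generic rather than echoing the account name back.
            if (user == null)
            {
                actionContext.Response = actionContext.Request.CreateResponse(
                    HttpStatusCode.Forbidden, "User is not registered for this application.");
                return;
            }

            // Indexer assignment instead of Add(): Add() throws if the key is
            // already present, e.g. when the filter runs twice for one request.
            HttpContext.Current.Items[Common.CURRENT_CONTEXT_USER] = user;
            base.OnAuthorization(actionContext);
        }
    }
}
```

Apply it as `[DbUserAuthorizationFilter]` on the controllers (or register it globally in `WebApiConfig`) in place of the existing action filter. Whether the unauthenticated first request reaches the filter at all depends on the IIS / IIS Express settings for the project: with Anonymous Authentication disabled and Windows Authentication enabled, IIS completes the handshake before the request enters the pipeline, which is a likely reason other developers never see the exception. Independently of the code, the debugger break itself is controlled by Visual Studio's Exception Settings window (Debug > Windows > Exception Settings), where `System.Web.Http.HttpResponseException` can be unchecked under Common Language Runtime Exceptions, and by the "Enable Just My Code" option under Tools > Options > Debugging > General, which is what produces the "was not handled in user code" break when Web API catches the exception in framework code.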

0 Answers