Null effective policy causing exception. #7809
Comments
My configured roles and permissions are:
I just logged an issue in AspNet/MVC but it is related to PolicyServer.Local so I would appreciate any input you might have. cc @leastprivilege @brockallen
Thanks for reporting this issue. @javiercn, can you please look into this?
@HaoK As he's the expert in this area. @grantmcdade I can't repro this. Can you provide a minimal repro project that showcases the issue? Thanks.
Thanks @javiercn. I have already spent the last two days trying to do exactly that but as you found out it's not an easy problem to reproduce. I don't have this setup to debug this and since I'm no expert I don't know what might be causing the problem. I will continue to try and reproduce this in a smaller project.
How do you get a null effective policy?
Startup.cs is a good place to start
This bug might be the same issue with a repro: aspnet/Security#1764
Ok so the issue appears to be when AuthorizeFilter is created with a null effective policy. Combine does not allow passing in a null policy; GetEffectivePolicy should be checking for a null policy and combining with an empty policy rather than passing in null.
Ok so the workaround is to turn off AllowCombiningAuthorizeFilters in mvcOptions
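An added example (not code from this thread, from PolicyServer, or from the Mvc repository) showing both the workaround named above and the defensive shape the previous comment describes: a custom IAuthorizationPolicyProvider that hands AuthorizeFilter a null default policy is the trigger, so the wrapper below substitutes the framework's own default ("require authenticated user") whenever the inner provider returns null. The class names NullDefaultPolicyProvider, NonNullDefaultPolicyProvider and the Startup wiring are assumptions; it targets ASP.NET Core 2.1, where IAuthorizationPolicyProvider has only GetDefaultPolicyAsync and GetPolicyAsync.

```csharp
// Added example; not from the issue thread, PolicyServer or aspnet/Mvc.
// Assumes ASP.NET Core 2.1 (Microsoft.AspNetCore.Mvc + Microsoft.AspNetCore.Authorization).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical provider that reproduces the failure mode discussed in the thread:
// it resolves named policies but returns null as the default policy.
public class NullDefaultPolicyProvider : IAuthorizationPolicyProvider
{
    public Task<AuthorizationPolicy> GetDefaultPolicyAsync()
        => Task.FromResult<AuthorizationPolicy>(null);

    public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        // Constructed sample: every policy name maps to a role of the same name.
        var policy = new AuthorizationPolicyBuilder().RequireRole(policyName).Build();
        return Task.FromResult(policy);
    }
}

// Hypothetical decorator: guarantees a non-null default policy so that
// AuthorizeFilter's policy combination never receives null.
public class NonNullDefaultPolicyProvider : IAuthorizationPolicyProvider
{
    private readonly IAuthorizationPolicyProvider _inner;
    private readonly DefaultAuthorizationPolicyProvider _fallback;

    public NonNullDefaultPolicyProvider(
        IAuthorizationPolicyProvider inner,
        IOptions<AuthorizationOptions> options)
    {
        _inner = inner;
        // The framework default is "require authenticated user", which is
        // what the global filter in the report expects anyway.
        _fallback = new DefaultAuthorizationPolicyProvider(options);
    }

    public async Task<AuthorizationPolicy> GetDefaultPolicyAsync()
        => await _inner.GetDefaultPolicyAsync() ?? await _fallback.GetDefaultPolicyAsync();

    public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
        => _inner.GetPolicyAsync(policyName);
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        var requireAuthenticated = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();

        services.AddMvc(options =>
        {
            // Global filter as in the original report.
            options.Filters.Add(new AuthorizeFilter(requireAuthenticated));

            // Workaround from the thread: do not combine [Authorize] filters,
            // so the code path that calls Combine with a null policy is skipped.
            options.AllowCombiningAuthorizeFilters = false;
        });

        // Register the custom provider, then decorate it. The decorator is the
        // durable fix on the application side: it works with combining enabled too.
        services.AddSingleton<NullDefaultPolicyProvider>();
        services.AddSingleton<IAuthorizationPolicyProvider>(sp =>
            new NonNullDefaultPolicyProvider(
                sp.GetRequiredService<NullDefaultPolicyProvider>(),
                sp.GetRequiredService<IOptions<AuthorizationOptions>>()));
    }
}
```

Either measure on its own stops the exception: the option switch avoids the combining path entirely, while the decorator keeps combining enabled but removes the null that breaks it. Registering the decorator after AddMvc matters, because AddMvc registers the framework's default provider and the last IAuthorizationPolicyProvider registration wins.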
@HaoK Can you take it from here?
Sure
fyi @blowdart @ajcvickers
Thanks for looking into this so quickly. I have created the project to help with reproduction of the issue. https://github.com/grantmcdade/CTG.Web It is basically the original project with as much as possible stripped out. If you try to view "Account -> Details" while already logged in then the exception occurs.
@grantmcdade Thanks for the repro. @HaoK Can you take a look to ensure your fix covers @grantmcdade's issue?
Yep, it's definitely the same issue. Policy server uses a custom IAuthorizationPolicyProvider, so this is going to hit everyone who uses policy server + 2.1 :(
@grantmcdade have you confirmed that the workaround works for you as well? Turning off the combination behavior should avoid hitting this code path.
I am using
Yes, @HaoK I can confirm that it does work.
Edit: Referring to the workaround of setting
mvcOptions.AllowCombiningAuthorizeFilters = false
Moved this out to 2.2, as the workaround is pretty cheap and this doesn't meet the bar for a patch.
Workaround to avoid 'Null effective policy causing exception' (on logout) aspnet/Mvc#7809
Fixed via #8068
Authorization Policy Exception
Using PolicyServer.Local causes the exception but I can't reproduce the exception in a test project.
Functional impact
The page fails to load. It seems to happen wherever the [Authorize] attribute is present. I have a global AuthorizeFilter as well for a default policy of require authenticated user.
Minimal repro steps
Browse to any page with the [Authorize] attribute (Test project works though)
Expected result
No exception.
Actual result
Exception is thrown.
Further technical details
[Check this line of code]
Mvc/src/Microsoft.AspNetCore.Mvc.Core/Authorization/AuthorizeFilter.cs
Line 143 in 330b74f
Does anyone have any idea what might be causing this? I'm using ASP.NET Core 2.1 release candidate.
My package references are as follows:
My OS is Windows 10 and I'm using IIS Express as web server.