redirectUrl issue (not working)

Hello,

When I attempt to use redirectUrl:

http://localhost:5000/Login?redirectUrl=%2Frfe-view-edit%2F6%2Fapproval

It still redirects to the start page. When authenticated:

http://localhost:5000/rfe-view-edit/6/approval

Loads the page correctly. I'm using 2.65.7

What did I miss?

We can't reproduce such a problem. Redirecting occurs as expected. You can try debugging the Login method of the AccountController class. It ends with:

            if (!string.IsNullOrEmpty(userName) && !string.IsNullOrEmpty(password))
            {

                var result = await signInManager.PasswordSignInAsync(userName, password, false, false);

                if (result.Succeeded)
                {
                    return Redirect($"~/{redirectUrl}");
                }
            }

The code return Redirect($"~/{redirectUrl}"); performs the redirect after login.

When I debug the project the redirectUrl is null:

I created a new application as a test and have the same issue. I am using "Active Directory" for security.

That's probably the cause. Try replacing the meta\login.json file with the one attached. It should include the steps required to propagate redirectUrl to the login action.
login.json.zip (814 Bytes)


That worked and indeed it was missing the redirect action.

Thanks for your help!

I'm having the same issue, tried to replace the provided login.json but still not working.

There is another problem: this code was evaluated with a security tool named Fortify, and it detects the code as vulnerable since it exposes an Open Redirect flaw.
Maybe you can add custom code when the Login form is created to check if the redirectUrl is valid, in order to avoid unwanted redirects outside the webpage, something like this:

        [HttpPost]
        public async Task<IActionResult> Login(string userName, string password, string redirectUrl)
        {
            if (env.EnvironmentName == "Development" && userName == "admin" && password == "admin")
            {
                var claims = new List<Claim>()
                {
                        new Claim(ClaimTypes.Name, "admin"),
                        new Claim(ClaimTypes.Email, "admin")
                };
                await signInManager.SignInWithClaimsAsync(new ApplicationUser { UserName = userName, Email = userName }, isPersistent: false, claims);

                // The development shortcut takes the same validated path, so no
                // branch redirects to an unchecked redirectUrl.
                return RedirectIfValid(redirectUrl);
            }

            if (!string.IsNullOrEmpty(userName) && !string.IsNullOrEmpty(password))
            {
                var result = await signInManager.PasswordSignInAsync(userName, password, false, false);

                if (result.Succeeded)
                {
                    return RedirectIfValid(redirectUrl);
                }
            }

            return RedirectWithError("Invalid user or password", redirectUrl);
        }

Adding this function:

        // Requires: using System.Text.RegularExpressions;
        private IActionResult RedirectIfValid(string redirectUrl)
        {
            // No target supplied (the thread above shows redirectUrl arriving as
            // null): go to the start page instead of passing null to Regex.Matches.
            if (string.IsNullOrEmpty(redirectUrl))
                return Redirect("~/");

            // Allow only letters, digits, '-' and single '/' separators, so a
            // multi-segment app path such as rfe-view-edit/6/approval passes while
            // schemes, backslashes, '.', and doubled slashes are rejected.
            Regex validateExpression = new Regex(@"[^a-zA-Z0-9\-/]");
            if (validateExpression.Matches(redirectUrl).Count == 0 && !redirectUrl.Contains("//"))
                return Redirect($"~/{redirectUrl}");
            else
                return RedirectWithError("Invalid redirection", redirectUrl);
        }

BR.
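As an added, self-contained example (not the forum member's code and not Radzen's), the same allow-list idea written as a class that can be run and unit-tested outside the web host. It assumes only the .NET base class library; the class and method names (RedirectTargetPolicy, IsSafeRelativePath, ResolveTarget) and the sample values are constructed for this illustration. ASP.NET Core also provides IUrlHelper.IsLocalUrl and ControllerBase.LocalRedirect for the same purpose, which is the first thing to reach for in a controller.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example: an allow-list check for a login redirect target. Only a path
// relative to the application root passes; anything that could name another
// host or escape the root is rejected and the caller falls back to "~/".
public static class RedirectTargetPolicy
{
    // Segments of letters, digits, '-' and '_' separated by single '/'
    // characters, with an optional query string of key=value pairs drawn from
    // the same alphabet. Schemes (':'), backslashes, '.', '..', '//' and
    // control characters all fail this pattern.
    private static readonly Regex Allowed = new Regex(
        @"^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*" +
        @"(\?[A-Za-z0-9_\-]+=[A-Za-z0-9_\-]*(&[A-Za-z0-9_\-]+=[A-Za-z0-9_\-]*)*)?$");

    // True when redirectUrl may be appended to "~/" and used as a redirect.
    public static bool IsSafeRelativePath(string redirectUrl)
    {
        if (string.IsNullOrEmpty(redirectUrl))
            return false;
        return Allowed.IsMatch(redirectUrl);
    }

    // The target the Login action should use: the validated app-relative path,
    // or the start page when the value is missing or rejected.
    public static string ResolveTarget(string redirectUrl)
        => IsSafeRelativePath(redirectUrl) ? "~/" + redirectUrl : "~/";

    public static void Main()
    {
        // Constructed sample values; the first one is the path from the thread.
        var samples = new List<(string Value, bool Expected)>
        {
            ("rfe-view-edit/6/approval", true),
            ("rfe-view-edit/6/approval?tab=history", true),
            ("", false),
            ("/rfe-view-edit/6/approval", false),   // leading '/' is not app-relative
            ("//evil.example/phish", false),
            ("https://evil.example", false),
            ("..\\..\\admin", false),
            ("rfe-view-edit/../admin", false),
        };

        foreach (var (value, expected) in samples)
        {
            var verdict = IsSafeRelativePath(value);
            Console.WriteLine($"{value,-40} safe={verdict,-5} target={ResolveTarget(value)}" +
                              (verdict == expected ? "" : "   <-- unexpected"));
        }
    }
}
```

Run it as a console project with `dotnet run`; each line prints the sample, the verdict and the target the action would redirect to. The pattern is deliberately an allow-list rather than a deny-list of known bad prefixes, so a value the validator has never seen (a new scheme, a mixed-case "JaVaScRiPt:" prefix, an encoded separator) is rejected by default.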

Hi @igomezh,

Have you tried using Windows security instead of Active Directory? It works with Active Directory as well (it was added later than Active Directory security type in Radzen). It doesn't have a Login page at all and uses the current Windows user credentials.

If you want to keep using the Active Directory security and want to apply customizations, use the code generation ignore list to avoid getting your code overwritten by Radzen.