FluentSecurity: RequireRolePolicyViolationHandler does not get called

Question

I have a ASP.NET MVC page with FluentSecurity. I have it set up using Ninject according to this article. I have a DenyAnonymousAccessPolicyViolationHandler that works well. I added a RequireRolePolicyViolationHandler.

In my setup, I have

configuration.For<SettingsController>().RequireRole(CMSRoles.Admin);

If I navigate to the SettingsController with a user without the required role, the RequireRolePolicyViolationHandler does not get called. Instead I am redirected to the LogOn page as defined in web.config.

Am I missing something? According to the FluentSecurity documentation it should work.

EDIT: I have a custom RoleProvider registered and I use it with FluentSecurity:

configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
configuration.GetRolesFrom(() => Roles.GetRolesForUser(HttpContext.Current.User.Identity.Name));

EDIT: I created a minimal sample app: https://dl.dropboxusercontent.com/u/73642/MvcApplication1.zip. If you go to /Logged that you are redirected to the login page so the DenyAnonymousAccessPolicyViolationHandler works. You can login with any username and password you want. The go to Settings and you see that you are redirected to the login page instead of RequireRolePolicyViolationHandler beeing executed.

Answer 1

Here's how I have it set up, hope this helps:

In App_Start/NinjectWebCommon.cs I bind the policy handlers:

kernel.Bind<IPolicyViolationHandler>().To<DenyAnonymousAccessPolicyViolationHandler>();
kernel.Bind<IPolicyViolationHandler>().To<RequireRolePolicyViolationHandler>();

I also configure Fluent Security like this (using Ninject Service Locator):

var locator = new NinjectServiceLocator(kernel);
ServiceLocator.SetLocatorProvider(() => locator);

SecurityConfigurator.Configure(
            configuration =>
            {
                configuration.GetAuthenticationStatusFrom(() => HttpContext.Current.User.Identity.IsAuthenticated);
                configuration.GetRolesFrom(SecurityHelpers.UserRoles);

                //HomeController and other configurations
                configuration.For<HomeController>().Ignore();

                configuration.ResolveServicesUsing(ServiceLocator.Current.GetAllInstances);
             }
             );
GlobalFilters.Filters.Add(new HandleSecurityAttribute(), 0);

Then for each policy, I have an implementation of IPolicyViolationHandler

public class RequireRolePolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        //Make sure you're redirecting to the desired page here. You should put a stop here to debug it and see if it's being hit. 
        return new HttpUnauthorizedResult(exception.Message);
    }
}

I have a working solution using Custom Membership/Role Providers and Fluent Security. I posted what I think is the core configuration. Hope this helps.

EDIT: Added how to get roles.

public static class SecurityHelpers
{
    public static IEnumerable<object> UserRoles()
    {
        var currentUser = HttpContext.Current.User.Identity.Name;
        var roles = Roles.Providers["MemberAccountRoleProvider"]; //Custom Role Provider Name
        return currentUser != null ? roles.GetRolesForUser(currentUser).Cast<object>().ToArray() : null;

    }
}

EDIT 2: I looked at your code and it's working fine. Add this to your code so that you can redirect to where you want. Right now you're just returning an Http results:

public class RequireRolePolicyViolationHandler : IPolicyViolationHandler
{
    public ActionResult Handle(PolicyViolationException exception)
    {
        //return new HttpUnauthorizedResult(exception.Message);
        return
            new RedirectToRouteResult(
                new RouteValueDictionary(new { action = "Test", controller = "Account"})); //Created a view for testing
    }
}

When I try to get the settings page I'm hitting the RequireRolePolicyViolationHandler.