Tags: asp.net-mvc, mvc-mini-profiler

MiniProfiler is bypassing my Authorization filter


I have mini-profiler working, but now I am trying to restrict access by setting functions as described under "Profiler Security" at http://miniprofiler.com/

MiniProfiler.Settings.Results_Authorize = IsUserAllowedToSeeMiniProfilerUI;
MiniProfiler.Settings.Results_List_Authorize = IsUserAllowedToSeeMiniProfilerUI;

My IsUserAllowedToSeeMiniProfilerUI function needs to look at the results of the ClaimsPrincipal, which is modified by a custom globally registered Authorization filter.

When I watch the calls, the primary request is authorized as expected, and IsUserAllowedToSeeMiniProfilerUI returns true. However, the http request that retrieves the profiler results (~/mini-profiler-resources/results or ~/mini-profiler-resources/results-index) bypasses my global authorization filter, so the ClaimsPrincipal isn't correctly modified for that request, and IsUserAllowedToSeeMiniProfilerUI incorrectly returns false due to that.

I register mini-profiler's filter as GlobalFilters.Filters.Add(new ProfilingActionFilter()), and also have the handler registered in the web.config as

<system.webServer>
  <handlers>
    <add name="MiniProfiler" path="mini-profiler-resources/*" verb="*"
         type="System.Web.Routing.UrlRoutingModule"
         resourceType="Unspecified" preCondition="integratedMode" />
    <!-- ... -->
  </handlers>
</system.webServer>

My custom authorization filter is registered in the Global.asax by adding it as GlobalFilters.Filters.Add(new MyAuthorizationFilter()).

Why is mini-profiler bypassing my authorization filter?


Solution

GlobalFilters is specific to the MVC framework. So by default the globally registered authorization filters will only take effect for requests handled by the MVC framework - not for all HTTP requests.

MiniProfiler implements its client-side results in a single class MiniProfilerHandler that implements both IRouteHandler and IHttpHandler. (The default profiler provider WebRequestProfilerProvider ensures that the routes for MiniProfilerHandler are registered. The web.config registration of UrlRoutingModule ensures that the mini profiler URLs are actually routed.)

Thus mini profiler handles the profiler results HTTP requests directly as an HTTP handler that is located by routing - outside of the normal MVC request flow.

So it is necessary to handle any custom authorization logic in, e.g., the IsUserAllowedToSeeMiniProfilerUI method, taking into account that any authorization filters (or other action filters, for that matter) are not guaranteed to have run. Note, however, that it appears that Results_Authorize is also invoked at some stage once profiling is started, so you must also handle the case where your filters have run.

See also: Understanding the MVC Application Execution Process
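One way to structure the authorize callback so it gives the same answer on both paths, as an added example that is not part of the question or the answer above and not MiniProfiler's own code: the claims enrichment that the global filter performs is moved into an idempotent helper, and the Results_Authorize/Results_List_Authorize callback applies that helper itself when the filter has not run. The claim type "urn:example:can-view-profiler", the marker claim "urn:example:claims-enriched", the role name "Developers" and the class names ProfilerClaims and ProfilerSecurity are assumptions for illustration; MiniProfiler.Settings.Results_Authorize and Results_List_Authorize take a Func<HttpRequest, bool> as on the page.

```csharp
using System.Security.Claims;
using System.Web;
using StackExchange.Profiling;

// Hypothetical shared helper: the claims changes MyAuthorizationFilter makes to the
// principal live here so both the filter and the profiler callback can apply them.
public static class ProfilerClaims
{
    public const string CanViewProfiler = "urn:example:can-view-profiler"; // hypothetical claim type
    private const string Enriched = "urn:example:claims-enriched";          // hypothetical marker claim

    // Idempotent: safe to call whether or not the global filter already ran for this request.
    public static ClaimsPrincipal Enrich(ClaimsPrincipal principal)
    {
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return principal;
        if (principal.HasClaim(c => c.Type == Enriched))
            return principal; // filter (or an earlier call) already did the work

        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null)
            return principal; // not a claims identity: nothing to enrich

        // Example rule (hypothetical): only members of the "Developers" role may view profiler output.
        if (principal.IsInRole("Developers"))
            identity.AddClaim(new Claim(CanViewProfiler, "true"));
        identity.AddClaim(new Claim(Enriched, "true"));
        return principal;
    }
}

public static class ProfilerSecurity
{
    // Call from Application_Start, after the authorization filter is registered.
    public static void Register()
    {
        MiniProfiler.Settings.Results_Authorize = IsUserAllowedToSeeMiniProfilerUI;
        MiniProfiler.Settings.Results_List_Authorize = IsUserAllowedToSeeMiniProfilerUI;
    }

    // Invoked both on MVC-pipeline requests (global filters ran) and on the handler-routed
    // ~/mini-profiler-resources/* requests (global filters did NOT run). It therefore starts
    // from the principal the authentication module placed on the context, never from
    // state that only a filter would have produced.
    public static bool IsUserAllowedToSeeMiniProfilerUI(HttpRequest request)
    {
        var context = HttpContext.Current;
        var principal = context == null ? null : context.User as ClaimsPrincipal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false; // fail closed: anonymous or non-claims principal

        principal = ProfilerClaims.Enrich(principal); // no-op when the filter already ran
        return principal.HasClaim(ProfilerClaims.CanViewProfiler, "true");
    }
}
```

MyAuthorizationFilter would call ProfilerClaims.Enrich on the same principal, so the marker claim prevents double enrichment on the MVC path, and the handler path gets the identical decision. Keeping the default for anything that is not an authenticated ClaimsPrincipal at false means a misconfigured route or a request arriving with no identity never exposes profiler results.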