
I have a Web API service in/under DNN V7 (IIS 10 on a Win10 dev box). It works fine, but I have one scenario where I wanted to check the response I get against the expected basic auth responses, since I don't seem to be able to find this answer elsewhere.

The controller method is marked with these attributes (which validate using basic auth):

<HttpGet>
<DnnAuthorize(StaticRoles:="TestRole")>

  • Providing valid user credentials in the basic auth header for a user with this role returns 200 OK. All good so far.

  • Not providing a basic auth header at all returns 401 not authorised, all good and expected.

  • However, providing a basic auth header with, say, a wrong password or username returns 500 internal server error.

So is a 500 error correct if the user/pass IS provided BUT wrong? In my head I should be getting 401 not authorised, as it has credentials to validate; they were just incorrect. So I wouldn't expect it to blow up with an exception, just return not authorised?

The call stack isn't very revealing:

[NullReferenceException: Object reference not set to an instance of an object.]
   System.Web.Http.WebHost.HttpControllerHandler.EndProcessRequest(IAsyncResult result) +113
   System.Web.Http.WebHost.HttpControllerHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +10
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9836613
   System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) +50
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +163

Does basic auth (or DotNetNuke's implementation of the DnnAuthorize attribute) return a 500 error intentionally for security purposes? Did I get a setting or config on the API controller wrong? Basically, what am I missing here?

Matma

1 Answer

A 500 status code implies that the server messed up and expects the client to retry, as such it is never related to security, and clearly indicates a problem somewhere.

There are two possible sources of issues:

  • Configuration of some other middleware in your application.
  • Validation of username/pass is incorrect, and it is actually passing, but then failing at a later point in your code.
  • DNN's SDK source has a bug in it.

The reason this is a 500 is because your application isn't handling the failure that is being thrown. It is being caused by one of the two sources (or both above), but as a result your application throws the default 500. It's possible to catch this problem and throw a 401 instead, but it is likely better to trace down the problem.

First step would be to validate that your code in the step actually isn't being executed. It's possible something there is being executed when you expect it to not be (like userId is NULL instead of the right value), and the problem is really somewhere else.

Also, given that V7 is not the latest version, and from searching around there are other SO instances of DNN having issues before V9, I would suggest validating the problem on a later version. And then, if it is still an issue, posting it on the relevant GitHub issues.

Warren Parad
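Added example, not DNN's code and not part of the answer above: a minimal C# basic-auth check that makes the answer's point concrete by mapping the asker's three cases, plus a malformed header, to the status the client should see. The `BasicAuthCheck` class, the `alice` credential and the `Header` helper are constructed for illustration.

```csharp
using System;
using System.Text;

// Constructed example: every credential failure becomes a 401 and only a
// genuine server fault is allowed to surface as a 500.
static class BasicAuthCheck
{
    // Constructed test credential store, standing in for DNN's user store.
    const string KnownUser = "alice";
    const string KnownPass = "correct horse";

    // True only when the header is a well-formed "Basic base64(user:pass)".
    public static bool TryParse(string header, out string user, out string pass)
    {
        user = pass = null;
        if (string.IsNullOrEmpty(header)) return false;   // no header at all
        if (!header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }         // bad base64 is a client error, not a crash
        int colon = decoded.IndexOf(':');
        if (colon < 0) return false;                      // RFC 7617 requires "user:pass"
        user = decoded.Substring(0, colon);
        pass = decoded.Substring(colon + 1);
        return true;
    }

    // Maps the request to the HTTP status the caller should see.
    public static int StatusFor(string header)
    {
        if (!TryParse(header, out var user, out var pass))
            return 401;                                   // missing or malformed header
        // A real store would compare in constant time; the point here is that
        // wrong credentials are still a 401, never an unhandled exception.
        if (user != KnownUser || pass != KnownPass)
            return 401;                                   // present but wrong credentials
        return 200;
    }

    static string Header(string user, string pass) =>
        "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(user + ":" + pass));

    static void Main()
    {
        Console.WriteLine(StatusFor(null));                          // no Authorization header
        Console.WriteLine(StatusFor(Header("alice", "wrong")));      // wrong password
        Console.WriteLine(StatusFor("Basic %%%not-base64%%%"));      // malformed header
        Console.WriteLine(StatusFor(Header("alice", "correct horse")));
    }
}
```

If the asker's 500 is a NullReferenceException escaping from the authorization step, the equivalent in this sketch would be a null dereference inside TryParse on a header the code did not expect; the guards above are what keep that path on the 401 branch.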
  • There is nothing between my application and the web service middleware-wise; I reduced the code to a simple hello world to check. I get the same response from Postman when double-checking, so I don't think it's my application. I also checked several other examples and roles, all the same response. I suspect it's DNN 7, as I get the same response from other examples that use basic auth. I can't change to a later version as we are stuck on version 7 for the moment. I will just have to live with it. – Matma Jun 29 '20 at 07:15