[maliming] said: hi
How many roles does your current user have? ABP will add all role names to claims(cookies)
Thanks.
Hi, I have multiple institution and for each institution "Institution Admin" role is there, right now I see approx. 35+ roles are there just for 1 user and in total in role table 120 rows are there.
also, we want to keep abpidentity roles by default as it is required to get permission, roles etc.
ABP Framework version: v8.2
UI Type: React
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
We have recently increased permission for admin user but after adding the permission user started getting error "HTTP Error 400. The size of the request header is too long".
I have raised 1 ticket https://abp.io/support/questions/10056/HTTP-Error-400-The-size-of-the-request-header-is-too-long-after-adding-the-admin-permissions#new-answer, we found the root cause is that cookie size is too big and it is due to claims, we noticed in our application ABP add all the roles present in ABPRoles table when we get contex.ClaimPrincipal.Identifies.FirstOrDefault() in claims, we want to reduce that, can we add roles in claim based of userrole not all role to every user? if yes how?
ABP Framework version: v8.3.4
UI Type: React
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
As per ticket https://abp.io/support/questions/10045/security-vulnerability-for-the-VoloAbpCli-834#new-answer I got the confirmation that I can upgrade with abp to 9.xa for .net 8.
but when I'm trying to upgrade, I'm getting the below error:
Please confirm if I can go by v9 with .net 8.
Thanks,
[maliming] said: hi
Have you restarted the website after changing the Web Config file?
Is there any 400 error in the app logs?
Can you share the full URL?
Thanks.
yes, I restarted, there is no 400 in logs, it's failing as header size is big. Below is the URL.
https://efc.devhealthgrp.com.sg/UAT/eFCApp/api/app/user/user-organization?userName=healthgrp%5Csim0886h
[maliming] said: hi
Try configuring IIS Request Limits in web config like this to increase the allowed query string length:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/requestlimits/
<?xml version="1.0" encoding="utf-8"?> <configuration> <!-- Any existing configuration you may have --> + <system.webServer> + <security> + <requestFiltering> + <requestLimits maxQueryString="4096" /> + </requestFiltering> + </security> + </system.webServer> </configuration>Could you please share the request URL that returns a 400 error?
Thanks
Hi, I tried to update config, it is still giving the same error. I'm sharing the URL as well, it is when we get permission details.
Thanks
[maliming] said: hi
What is your web server?
IIS, Kestrel or Nginx?
Thanks.
Hi, it's IIS.
Thanks.
ABP Framework version: v8.3.4
UI Type: React
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
We have recently increased permission for admin user but after adding the permission user started getting error "HTTP Error 400. The size of the request header is too long".
How to fix this ?
[maliming] said: hi
but on package creation it is coming
Can you share a test project to show it?
liming.ma@volosoft.com Thanks
Can you please confirm if I go by version 9 and above, will it work with .net 8 ?
Thanks, Priyanka
[maliming] said: hi
Your project doesn't reference the
Volo.Abp.Clipackage.
Can you share how you got the vulnerability details from your project?Thanks.
I have the same query, If I see in nuget package list, Volo.Abp.Cli is not listed but on package creation it is coming so I wanted to confirm if there is any package which is internally using it ?
Thanks
