I am having an issue when I click to edit a user with this URL in an ASP.NET MVC 3 project:
http://domain.com:8089/User/EditUser/username.surname?IDUser=e11a621p-df11-4687-9903-8bfc33c922cf
If I get another user without the '.' character, it works fine.
The error:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
I tried some tips that I found here, like:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
and:
<system.web>
  <httpRuntime relaxedUrlToFileSystemMapping="true" />
</system.web>
and this attribute on the edituser action:
[ValidateInput(false)]
But nothing seems to work. This site is hosted on an IIS server; when it was on Windows Azure Web Sites, it was working as expected.
Thanks.
If you know for a fact that the edit page is the only page where you use the firstname.lastname URL part, you can use the method described in this SO answer:
Prevent static file handler from intercepting filename-like URL
Specifically, in your case, adding the following web.config section should route the request to MVC:
<system.webServer>
  ...
  <handlers>
    ...
    <add
      name="userEditPage"
      path="User/EditUser/*"
      verb="GET"
      type="System.Web.Handlers.TransferRequestHandler"
      preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>
This will not be sufficient if you use the firstname.lastname in URLs outside of the User/EditUser/... path, and is not a general solution. That would be much more complicated because you would need to tell IIS something like the following:
1) If the file exists, serve it (so that your .js files still serve properly).
2) Before any of the other handlers execute for the file extension, run the MVC handler and see if there is a route matching the URL. Because what if you have a user with the last name html?
3) If the MVC handler does not match any routes for the URL, let the other handlers execute. Because what if you also had an .aspx page in your project?
Lastly, for the general case, you may want to consider the edge case of someone malicious creating a user with first name ../../web and last name config. Just a thought, but it seems like the best you can hope for is restricting the use of the . in the URL to specific paths.
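As an added illustration (this is not code from the question or the answer above), the route for the edit page can carry a constraint so that only a single first.last user name is accepted in the dotted segment once the TransferRequestHandler hands the request to MVC; anything with extra dots, slashes or traversal sequences simply fails to match and gets a 404 from MVC rather than reaching the action. The controller name UserController, the action EditUser and the route value username are assumptions; the registration would be called from RegisterRoutes in Global.asax.

```csharp
// Added example, not part of the original page. Assumed names:
// UserController, EditUser action, "username" route value.
using System.Text.RegularExpressions;
using System.Web.Mvc;
using System.Web.Routing;

public static class UserRoutes
{
    // Exactly one dot, with letters, digits or hyphens on either side.
    // This rejects "..", "/" and "\" segments as well as names carrying
    // more than one dot, so the dotted segment can only ever be a
    // first.last user name, never something that looks like a path.
    public const string UserNamePattern = @"^[A-Za-z0-9-]+\.[A-Za-z0-9-]+$";

    public static void Register(RouteCollection routes)
    {
        routes.MapRoute(
            name: "UserEdit",
            url: "User/EditUser/{username}",
            defaults: new { controller = "User", action = "EditUser" },
            constraints: new { username = UserNamePattern });
    }
}

public class UserController : Controller
{
    // The route constraint already filtered the segment; re-checking here
    // keeps the action safe if it is ever reached through another route
    // (for example a catch-all added later).
    private static readonly Regex UserName =
        new Regex(UserRoutes.UserNamePattern, RegexOptions.CultureInvariant);

    public ActionResult EditUser(string username, string idUser)
    {
        if (string.IsNullOrEmpty(username) || !UserName.IsMatch(username))
        {
            return HttpNotFound();
        }

        // Load the user by the validated name and id (assumed view model).
        ViewBag.UserName = username;
        ViewBag.IDUser = idUser;
        return View();
    }
}
```

The constraint is what makes the handler mapping in the answer safe to widen: even if path="User/EditUser/*" sends every dotted name to MVC, only names in the first.last shape produce a match, and a request for a file-like name in that folder ends in MVC's own 404 instead of a file lookup.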
After some headache, I published it to Azure Web Sites again and it worked normally, with the same web.config file that I was using in the local environment. So the problem must be on the IIS side; after some more tries, I changed the Application Pool to DefaultAppPool and, guess what, it worked.
As title suggested, how can I achieve that in my webform project? Currently, if a url points towards a file, the server will send the response with that file without ever entering Application_BeginRequest. Even the MapPageRoute method does not change this behavior. Is there a simple solution?
You may wish to set this in your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
So that even static files are processed by ASP.NET.
I'm trying to set up a stripped down web server that passes all URL requests through to a single IHttpHandler, instead of trying to match the URL to the file structure of the server.
I've got the IHttpHandler in there, along with some custom modules, and they're responding as expected when I go directly to my domain, but if I access the site via something like:
http://mysite/some/random/url
I get a 404 file not found error.
I'd assumed removing one of these modules would probably cover it:
<remove name="UrlRoutingModule-4.0" />
<remove name="UrlMappingsModule" />
<remove name="FileAuthorization" />
<remove name="UrlAuthorization" />
But IIS is still trying to match the URLs to the server file structure. I've since removed every module I'm not using and it's still returning 404s.
I have actually done this before, but I can't seem to quite remember or find online quite how I got it working.
I'm now basically out of ideas - anyone?
I added the runAllManagedModulesForAllRequests as per the suggestion from @Alexei Levenkov. While I remember definitely needing to do that, it didn't immediately solve it. After much fiddling about I found that IIS had set:
resourceType="Either"
on the handler. I tested changing it to File, and the problem was fixed for file type URLs, but of course not folder "style" ones. Changing it to:
resourceType="Unspecified"
Fixed the problem for all URLs.
I am using Form Authentication in my MVC3 web app. I have added following in root web.config:
<authentication mode="Forms">
  <forms name=".FormsAuth" loginUrl="~/Home/Index" timeout="2880" />
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
When I launch my app, it redirects to http://localhost:22888/Home/Index?ReturnUrl=%2f instead of http://localhost:22888. If I remove the line <deny users="?"/> then it redirects correctly, but then Context.User.Identity.Name gives no value after login.
Please help.
Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.
You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute ...
Quote
MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.
The product team will have a communication if this changes in the future, but for now it is without exception the rule.
Examples:
Start with the default ASP.Net MVC project (internet/intranet).
Edit the web.config adding:
<location path="Home">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Run the project; by default you will use the Default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.Net pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization Event has been executed in the pipeline, the routing takes place (Default routing or custom routing) and allows access to the supposedly restricted area.
Additionally, any MVC Redirect() will also by-pass the same security measures as again the routing takes place after the Authorization Pipeline Event.
When I launch my app, it redirects to http://localhost:22888/Home/Index?ReturnUrl=%2f instead of http://localhost:22888.
If you are using the default template, authorization stores the returnUrl and redirects back to /Home/Index with the value %2f which is /. You can update the RedirectToAction code in the AccountsController to not append the returnUrl if it is /.
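The following is an added example, not code from the question, the answer or the linked article: it shows the controller-level authorization the answer recommends in place of web.config <location> rules, together with a redirect helper that drops a bare "/" ReturnUrl and refuses anything that is not a local URL. AccountController, LogOn, LogOnModel and FilterConfig are assumed names modelled on the default template; [AllowAnonymous] is the MVC 4 attribute the answer links to.

```csharp
// Added example, not part of the original page. Assumed names:
// AccountController, LogOn, LogOnModel, FilterConfig.
using System.Web.Mvc;
using System.Web.Security;

public class LogOnModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

// Global filter: every action requires an authenticated user unless it
// opts out with [AllowAnonymous]. Unlike a <location> rule this runs
// after routing, so Redirect() and custom routes cannot step around it.
// Register it from Application_Start with
// FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters).
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid && Membership.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            // Redirect rather than return View(): the auth cookie is only
            // read on the next request, so User.Identity.Name is populated
            // there and not in the request that set the cookie.
            return RedirectToLocal(returnUrl);
        }

        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Honour ReturnUrl only when it points inside this site. Accepting an
    // absolute URL here would turn the login page into an open redirector.
    // A bare "/" (the %2f from the question) is treated as "no ReturnUrl"
    // and sent to the home page instead.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (!string.IsNullOrEmpty(returnUrl) && returnUrl != "/" && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

With the global AuthorizeAttribute in place the <deny users="?"/> element in web.config is no longer needed for protecting MVC actions, which removes the ReturnUrl=%2f redirect at start-up while still populating Context.User.Identity.Name from the forms cookie on the requests that follow the login redirect.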
This is correct behavior of the runtime.
You told the engine to deny the access to unauthenticated users and also that the login url is located at ~/Home/Index.
This is why when you navigate to the default url / the engine makes the browser go to the login page and passes the return url, encoded / in this case.
The question is then: what do you want to do if the correct behavior bothers you?
I resolved this issue by performing two modifications:
I removed the deny users='?' line from the web.config file. But then I was getting null in Context.User.Identity.Name.
In the HttpPost Login method, I was redirecting the user after successful authentication using return View("Home"). When I changed it to return RedirectToAction("Home") I got a value in Context.User.Identity.Name.
Although a little late to the show, if you're still having issues, remember to look down at the sections in your web.config for other authorization rules (correctly or incorrectly set). There are some situations where mis-configurations to a resource at the root or subdirectory could cause endless redirects.
This is a strange one. They always are when I get to this point.
I have an MVC app. It's a single page app so all routes are ajax calls but I don't think this is relevant.
Strangely and all of a sudden one particular page has started giving me a 401 and prompting for creds. Actually it's both pages that are in this MVC Area. It is only doing it in QA, not locally, so I can't debug. And it only started after the last push. None of the other pages are doing this.
So I compared the headers via fiddler for a successful page and the 401 page on the site.
Exactly the freakin' same except the URL.
The actions:
The action for the 401:
public ActionResult Display_Template(ViewModel input)
{
    return this.View("Display", new TasksByFieldViewModel());
}
For the 200:
public ActionResult AddUpdate_Template(ViewModel input)
{
    return View("VendorAddUpdate", new VendorViewModel());
}
The only changes are this and this makes no sense.
From the 401 page, I redirect to an aspx page that has a reportviewer on it. But you have to click a button and then you are window.locationed on over. It can't possibly have anything to do with that.
The second is that I upgraded from sqlserver trial to sqlserver standard on the qa server.
That's all I got. completely befuddled.
Any thoughts would be great.
Thanks,
Raif
EDIT\Fix\Hack:
Ok well this is either confusing or enraging. It's too early to tell.
My MVC Area, the one that is breaking, well it was named "Reports" because, well it was full of reports. After doing some hail mary tests I changed the Area name to Reportsx, now it works like a dream. As I certainly never told any part of the stack to demand credentials if the Area name is Reports I can only assume that there is some IIS setting or MVC setting that says if the url is xxx/Reports then demand creds.
I'm open to alternative views.
If the system at wherever you work is similar to the one where I work, then when you say "in QA" you mean you've put your code on a server for the testers to poke at. Now, when I first started here, I was told to leave certain existing config files as I found them on this server, because changes will introduce things that are specific to my machine and break things. I'm guessing you have a similar policy, and have therefore deployed your new page to a server, but left that server's Web.config alone. However, in Web.config, there's a whole list of sections that look something like this:
<location path="something">
  <formsAuthenticationWrapper enabled="false"/>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
where the "something" as the path value in the first line can be a path like "Assets/CSS" or a page like "Login.aspx". You'll notice that there are various settings for auth modes.
Now, if the Web.config on the QA server mentions something called "Reports" and specifies that it requires a particular auth mode, then failure to provide suitable credentials for that mode will result in a 401. Changing the name to "Reportsx" probably just meant that it can no longer find a matching entry, and so fell back to a default mode, which apparently lets people in.
So, try checking the server's Web.config for sections mentioning "something/Reports" and see what auth they require.
I am working on a web application that has several folders and their pages in the web project. There is also a web.config with all the traditional markup. I needed to create another folder called "customerportal"; in this folder I created 3 pages, customerlogin.aspx, customerdefault.aspx and customerhelp.aspx. I also added within that folder 3 folders: images, css and scripts.
Now when I navigate to that folder, say http://mysite.com/customerportal/customerlogin.aspx, it works fine. I added a web.config file because now I need to restrict this folder to only the roles for customer, and likewise I need to restrict the main app (parent) to the clients role. So no client can get into the customer portal and no customer portal user can get into the main app pages. So I added the markup that restricts the roles in the child web.config. This did not work, as it told me that
Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.
This error can be caused by a virtual directory not being
configured as an application in IIS.
So, I converted the folder into a virtual directory, and then into an application in IIS. Then the error went away, but I encountered other problems like settings of the main web.config being inherited by the child web.config. So I started investigating and I saw a lot of answers like:
place a <location path="." inheritInChildApplications="false"> before the <system.web> section, I tried this but now I get an error on the <membership> tag. The membership is on a different aspmembership database, so the child has a different connection string etc.. But I am unable to do something like
<membership>
<clear />
or a <membership> <remove name=..>
It's like the membership is still getting inherited somehow. What is the best way to solve these child web.config issues? What is the best practice for this kind of setup where the child folder needs its own web.config? It is the first time I have done this.
If I understand your problem correctly, can't you just add authorization in the root web.config and give the path "~/customerportal/customerlogin.aspx" and so on? I think because you have a web.config it thinks that directory is its own application.