This is a strange one. They always are when I get to this point.
I have an MVC app. It's a single-page app, so all routes are AJAX calls, but I don't think this is relevant.
Strangely, and all of a sudden, one particular page has started giving me a 401 and prompting for creds. Actually, it's both pages that are in this MVC Area. It is only doing it in QA, not locally, so I can't debug. And it only started after the last push. None of the other pages are doing this.
So I compared the headers via Fiddler for a successful page and the 401 page on the site.
Exactly the freakin' same, except the URL.
The actions:

The action for the 401:

public ActionResult Display_Template(ViewModel input)
{
    return this.View("Display", new TasksByFieldViewModel());
}

The action for the 200:

public ActionResult AddUpdate_Template(ViewModel input)
{
    return View("VendorAddUpdate", new VendorViewModel());
}
The only changes are these two, and this makes no sense.
From the 401 page, I redirect to an .aspx page that has a ReportViewer on it. But you have to click a button and then you are window.location'ed on over. It can't possibly have anything to do with that.
The second is that I upgraded from SQL Server trial to SQL Server Standard on the QA server.
That's all I got. Completely befuddled.
Any thoughts would be great.
Thanks,
Raif
EDIT\Fix\Hack:
OK, well, this is either confusing or enraging. It's too early to tell.
My MVC Area, the one that is breaking, was named "Reports" because, well, it was full of reports. After doing some Hail Mary tests I changed the Area name to Reportsx, and now it works like a dream. As I certainly never told any part of the stack to demand credentials if the Area name is Reports, I can only assume that there is some IIS setting or MVC setting that says if the URL is xxx/Reports then demand creds.
I'm open to alternative views.
If the system at wherever you work is similar to the one where I work, then when you say "in QA" you mean you've put your code on a server for the testers to poke at. Now, when I first started here, I was told to leave certain existing config files as I found them on this server, because changes will introduce things that are specific to my machine and break things. I'm guessing you have a similar policy, and have therefore deployed your new page to a server, but left that server's Web.config alone. However, in Web.config, there's a whole list of sections that look something like this:
<location path="something">
  <formsAuthenticationWrapper enabled="false"/>
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true"/>
        <anonymousAuthentication enabled="false"/>
      </authentication>
    </security>
  </system.webServer>
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
where the "something" in the path value on the first line can be a path like "Assets/CSS" or a page like "Login.aspx". You'll notice that there are various settings for auth modes.
Now, if the Web.config on the QA server mentions something called "Reports" and specifies that it requires a particular auth mode, then failure to provide suitable credentials for that mode will result in a 401. Changing the name to "Reportsx" probably just meant that it can no longer find a matching entry, and so fell back to a default mode, which apparently lets people in.
So, try checking the server's Web.config for sections mentioning "something/Reports" and see what auth they require.
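One way to do that check without reading the file by eye. This is an added example, not part of the answer above or of the poster's project: a small Python script that parses a web.config, lists every <location> whose path covers a given request URL, and decides whether an anonymous request would get through. The web.config embedded in it is constructed for the example (it mirrors the shape of the snippet above), and the rules it applies are the ones IIS and ASP.NET use: a location path matches by leading path segments, IIS challenges before ASP.NET runs if anonymous authentication is switched off, and within ASP.NET URL authorization the most specific location's rules come first and the first rule matching the user wins, with an implicit allow at the end.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample web.config for this example (not the poster's file).
# The root allows everyone; a <location> for "Reports" switches IIS to Windows
# auth, disables anonymous auth and denies anonymous users ("?") in ASP.NET.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="Reports">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="true"/>
          <anonymousAuthentication enabled="false"/>
        </authentication>
      </security>
    </system.webServer>
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="Assets/CSS">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _segments(path: str) -> List[str]:
    return [s.lower() for s in path.strip("/").split("/") if s]


def _location_covers(location_path: str, request_path: str) -> bool:
    """A <location path="..."> applies when its segments are a leading
    prefix of the request's segments; "" (the root) covers everything."""
    loc = _segments(location_path)
    return _segments(request_path)[: len(loc)] == loc


def auth_rules_for(config_xml: str, request_path: str) -> List[Dict]:
    """Every location (root included, reported as "<root>") covering
    request_path, with the IIS authentication switches and the ASP.NET
    authorization rules it declares."""
    root = ET.fromstring(config_xml)
    candidates: List[Tuple[str, ET.Element]] = [("", root)]
    candidates += [(loc.get("path", ""), loc) for loc in root.findall("location")]
    hits = []
    for path, node in candidates:
        if not _location_covers(path, request_path):
            continue
        authn = {
            el.tag: el.get("enabled", "").lower() == "true"
            for el in node.findall("./system.webServer/security/authentication/*")
        }
        authz = []
        for rule in node.findall("./system.web/authorization/*"):
            for who in (rule.get("users") or "").split(","):
                if who.strip():
                    authz.append((rule.tag, who.strip()))
        hits.append({"location": path or "<root>", "depth": len(_segments(path)),
                     "authentication": authn, "authorization": authz})
    return hits


def anonymous_allowed(config_xml: str, request_path: str) -> bool:
    """Would an unauthenticated request for request_path get through?
    IIS goes first: any covering location with anonymousAuthentication
    disabled makes IIS answer 401 before ASP.NET sees the request.
    Then ASP.NET URL authorization: rules of the most specific location come
    first, the first rule naming "?" (anonymous) or "*" (everyone) decides,
    and if nothing matches the implicit trailing allow lets the request in."""
    hits = auth_rules_for(config_xml, request_path)
    if any(h["authentication"].get("anonymousAuthentication") is False for h in hits):
        return False
    rules = []
    for h in sorted(hits, key=lambda h: -h["depth"]):
        rules.extend(h["authorization"])
    for verb, who in rules:
        if who in ("?", "*"):
            return verb == "allow"
    return True


if __name__ == "__main__":
    for url in ("/Reports/Display_Template", "/Reportsx/Display_Template", "/Assets/CSS/site.css"):
        print(url, "->", "anonymous OK" if anonymous_allowed(SAMPLE_WEB_CONFIG, url)
              else "credentials required")
```

Running it against the sample shows the effect described in the edit: /Reports/... is challenged, while /Reportsx/... no longer matches the location and falls through to the root's allow. On a real server, remember that the same <location> blocks can also live in %windir%\System32\inetsrv\config\applicationHost.config (keyed as "SiteName/Reports"), which is one reason a deployed box behaves differently from a developer machine; feed that file to the script as well.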
I'm having an issue when I click to edit a user with this URL in an ASP.NET MVC 3 project:
http://domain.com:8089/User/EditUser/username.surname?IDUser=e11a621p-df11-4687-9903-8bfc33c922cf
If I get another user without the '.' character, it works fine.
The error:
HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
I tried some tips that I found here, like:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
and:
<system.web>
  <httpRuntime relaxedUrlToFileSystemMapping="true" />
</system.web>
and this attribute on the EditUser action:
[ValidateInput(false)]
But nothing seems to work. This site is hosted on an IIS server; when it was on a Windows Azure Web Site, it was working as expected.
Thanks.
If you know for a fact that the edit page is the only page where you use the firstname.lastname url part, you can use the method described in this SO answer:
Prevent static file handler from intercepting filename-like URL
Specifically, in your case, adding the following web.config section should route the request to MVC:
<system.webServer>
  ...
  <handlers>
    ...
    <add
      name="userEditPage"
      path="User/EditUser/*"
      verb="GET"
      type="System.Web.Handlers.TransferRequestHandler"
      preCondition="integratedMode,runtimeVersionv4.0" />
  </handlers>
</system.webServer>
This will not be sufficient if you use firstname.lastname in URLs outside of the User/EditUser/... path, and it is not a general solution. That would be much more complicated, because you would need to tell IIS something like the following:
1) If the file exists, serve it (so that your .js files still serve properly).
2) Before any of the other handlers execute for the file extension, run the MVC handler and see if there is a route matching the URL. Because what if you have a user with the last name html?
3) If the MVC handler does not match any routes for the URL, let the other handlers run. Because what if you also had an .aspx page in your project?
Lastly, for the general case, you may want to consider the edge case of someone malicious creating a user with first name ../../web and last name config. Just a thought, but it seems like the best you can hope for is restricting the use of the . in the URL to specific paths.
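Since the answer ends on the ../../web.config thought, here is an added example (mine, not from the answer or the project in question) of the validation I would put in front of a firstname.lastname route value before it goes anywhere near the file system or a handler mapping. It percent-decodes the segment until it stops changing, rejects path separators, leading or trailing dots and "..", and refuses names whose last part is an extension that IIS would hand to another handler before MVC ran. The suffix list and the length limit are assumptions for illustration; match them to your own handler mappings.

```python
import re
from urllib.parse import unquote

# Allowed shape: firstname or firstname.lastname, word characters only.
USERNAME_SEGMENT = re.compile(r"[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?")

# Assumed list of suffixes another IIS handler would claim before MVC ran
# (static files, Web Forms pages, handlers); extend it to match your mappings.
RESERVED_SUFFIXES = (".aspx", ".ashx", ".asmx", ".config", ".html", ".htm",
                     ".js", ".css", ".txt", ".xml")


def canonical_segment(raw: str) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e is judged as the '..' it would eventually become."""
    current = raw
    for _ in range(4):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def is_valid_username_segment(raw: str) -> bool:
    """True only for a segment safe to use as the User/EditUser/{id} value."""
    s = canonical_segment(raw)
    if not s or len(s) > 64:
        return False
    if "/" in s or "\\" in s or "\x00" in s:               # never a path
        return False
    if s.startswith(".") or s.endswith(".") or ".." in s:  # no traversal, no dotfiles
        return False
    if s.lower().endswith(RESERVED_SUFFIXES):              # would be routed elsewhere
        return False
    return USERNAME_SEGMENT.fullmatch(s) is not None


if __name__ == "__main__":
    for candidate in ("username.surname", "plain", "john.html",
                      "../../web.config", "%2e%2e%2fweb.config",
                      "%252e%252e%252fweb.config"):
        verdict = "accept" if is_valid_username_segment(candidate) else "reject"
        print(f"{candidate!r:32} -> {verdict}")
```

A user whose real last name is html simply cannot have that URL under this rule; the application needs a different identifier (for example the IDUser GUID already in the query string) for those cases, which is the "restrict the . to specific paths" compromise the answer describes.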
After some headache, I published it to Azure Web Sites again and it works normally, with the same web.config file that I was using in the local environment. So the solution must be on the IIS side. Then, after a few more tries, I changed the Application Pool to the Default App Pool and guess what, it worked.
I am using Form Authentication in my MVC3 web app. I have added following in root web.config:
<authentication mode="Forms">
<forms name=".FormsAuth" loginUrl="~/Home/Index" timeout="2880" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
When I launch my app, it redirects to http://localhost:22888/Home/Index?ReturnUrl=%2f instead of http://localhost:22888. If I remove the line <deny users="?"/> then it redirects correctly, but then Context.User.Identity.Name gives no value after login.
Please help.
Take a look at Securing your ASP.NET MVC 4 App and the new AllowAnonymous Attribute.
You cannot use routing or web.config files to secure your MVC application (Any Version). The only supported way to secure your MVC application is to apply the Authorize attribute ...
Quote
MVC uses routes and does not map URLs to physical file locations like WebForms, PHP and traditional web servers. Therefore using web.config will definitely open a security hole in your site.
The product team will have a communication if this changes in the future, but for now it is without exception the rule.
Examples:
Start with the default ASP.Net MVC project (internet/intranet).
Edit the web.config adding:
<location path="Home">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Run the project; by default you will use the default route /Home/Index and you see content, simply bypassing the web.config with no changes to the default template. Why? Because the ASP.NET pipeline is comparing the URL requested to the location specified in the web.config. However, after the Authorization event has been executed in the pipeline, the routing takes place (default routing or custom routing) and allows access to the supposedly restricted area.
Additionally, any MVC Redirect() will also bypass the same security measures, as again the routing takes place after the Authorization pipeline event.
When I launch my app, it redirects to http://localhost:22888/Home/Index?ReturnUrl=%2f instead of http://localhost:22888.
If you are using the default template, authorization stores the returnUrl and redirects back to /Home/Index with the value %2f, which is /. You can update the RedirectToAction code in the AccountsController to not append the returnUrl if it is /.
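An added example (not from the answer or the MVC template) of the two pieces of that flow, written in plain Python so the checks are visible: the local-URL test that MVC's Url.IsLocalUrl performs before a post-login redirect, which is what stops a ReturnUrl from being turned into an open redirect to another site, and the login-page URL builder that simply leaves ReturnUrl off when the requested path is /. The function names and the login path are assumptions for illustration.

```python
from urllib.parse import quote

LOGIN_URL = "/Home/Index"   # assumed loginUrl, as in the question's <forms> element


def is_local_url(url) -> bool:
    """Same rule as ASP.NET MVC's Url.IsLocalUrl: an app-relative path only.
    "/path" is local; "//evil.example" (protocol-relative) and "/\\evil"
    are not, nor is anything with a scheme; "~/path" is accepted."""
    if not url:
        return False
    if url[0] == "/":
        return len(url) == 1 or url[1] not in ("/", "\\")
    return len(url) > 1 and url[0] == "~" and url[1] == "/"


def post_login_target(return_url, home: str = "/") -> str:
    """Where to send the user after a successful login: the requested local
    URL if there is a meaningful one, otherwise home.  Anything non-local is
    discarded rather than followed; that is the open-redirect guard."""
    if return_url and is_local_url(return_url) and return_url != "/":
        return return_url
    return home


def login_redirect(requested_path: str, login_url: str = LOGIN_URL) -> str:
    """The URL forms authentication sends an anonymous user to when a
    <deny users="?"/> rule fires.  The stock behaviour appends ReturnUrl=%2f
    for the root; this version leaves it off for "/" so the address bar shows
    the bare login page, as the answer suggests."""
    if requested_path in ("", "/"):
        return login_url
    return f"{login_url}?ReturnUrl={quote(requested_path, safe='')}"


if __name__ == "__main__":
    print(login_redirect("/"))
    print(login_redirect("/Admin/Default.aspx"))
    for candidate in ("/Account/Orders", "//attacker.example/phish",
                      "http://attacker.example", "~/Home"):
        print(f"{candidate!r:32} -> {post_login_target(candidate)}")
```

Dropping the ReturnUrl for / is cosmetic; the is_local_url check is the part that matters, and it belongs in the HttpPost Login action before any Redirect(returnUrl) call.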
This is correct behavior of the runtime.
You told the engine to deny access to unauthenticated users and also that the login URL is located at ~/Home/Index.
This is why, when you navigate to the default URL /, the engine makes the browser go to the login page and passes the return URL, an encoded / in this case.
The question is then: what do you want to do if the correct behavior bothers you?
I resolved this issue by performing two modifications:
I removed the deny users='?' line from the web.config file. But then I was getting null in Context.User.Identity.Name.
In the HttpPost Login method, I was redirecting the user after successful authentication using return View("Home"). When I changed it to return RedirectToAction("Home"), I got a value in Context.User.Identity.Name.
Although a little late to the show, if you're still having issues, remember to look down at the sections in your web.config for other authorization rules (correctly or incorrectly set). There are some situations where mis-configurations to a resource at the root or subdirectory could cause endless redirects.
I added this to my web.config file but it's not redirecting. It shows the ASPX error as it is, with the stack trace and all:
<customErrors mode="RemoteOnly" defaultRedirect="myhomepage.aspx"/>
What could be wrong? Please help me out.
I think you need the value mode="On" so that it shows the custom errors. This allows custom errors for remote clients as well as localhost (while you debug), which is not the case for RemoteOnly, which ignores localhost.
For more details, refer here.
The way you've got it set up at the moment, it will show that page for any users that are not on the same computer that IIS is running on. If you're testing it from localhost then it won't work (unless, as V4Vendetta suggested, you set the mode to On).
RemoteOnly means... remote only. In other words, you see the YSOD (Yellow Screen Of Death) when you view the page with the error if you are browsing from the same computer the program is executing on.
If you view it from a different computer, then you will see your custom error page.
If you want to see the custom error even when browsing locally, then use mode="On".
If you are still not seeing the custom error message, even if browsing remotely, it probably means you did not add it to the correct section of the web.config. It should be in
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="myhomepage.aspx"/>
</system.web>
</configuration>
When I try to access the ASP.NET Configuration page from Visual Studio 2008, I fail. I get an error:
"An error was encountered. Please return to the previous page and try again."
This is the message I get after clicking on Help: "Tool Has Timed Out. As a security measure, the Web Site Administration Tool times out after a period of inactivity. Changes to machine.config or web.config may also result in the tool needing to be restarted. To continue configuring your web site, restart the tool."
How can I solve this?
Set the default browser within Visual Studio to internal browser, and attempt to re-launch the tool. This worked for me.
It's likely there is an error in your web.config file; try making sure the XML is valid, all tags are closed, that sort of thing.
You might want to check the Event Log for possibly more information on the actual underlying error.
Edit your Web.config file and add this:
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Here is my issue. I have an ASPX web site and I have code in there to redirect from the login page with the call "FormsAuthentication.RedirectFromLoginPage(username, false);". This sends the user from the root website folder to 'website/Admin/'. I have a 'default.aspx' page in 'website/Admin/', and the call to redirect works on a previous version of the website we have running currently, but the one that I am updating on a separate test server is not working. It gives me the error "Directory Listing Denied. This Virtual Directory does not allow contents to be listed." I have this in the config file:
<authorization>
<allow users="*" />
</authorization>
under the "authentication" option and...
<location path="Admin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
for the location of Admin.
Also, there is no difference in the code between the web.config, Login.aspx, or the default.aspx files on the current server and the one on the test server, so I am confused as to why the redirect will not work on both. It even works in the Visual Studio server environment, for which the code is also identical.
Any suggestions and help is appreciated.
Directory Listing Denied is an IIS error stating that directory browsing on the server isn't allowed. If you see this, it means that when browsing to Website/Admin, the server isn't finding any of the expected default documents and is then trying to show you the file directory through the browser (expected behavior). IIS is set to not allow this in your case (which is a good thing).
Can you contact the server admins and ask them to verify the default documents for the website, and add Default.aspx to the list? If not, at least find out what the default file names are in the site setup, and name your root page based on that.
I think by default IIS uses Default.htm and maybe one other. Even when registering ASP.NET with IIS, I don't believe Default.aspx is added. It has to be done manually.