Same ASP.NET Forms Authentication for HTTP Handlers - C#

I have a website made in ASP.NET 4.0 running in an Azure web role.
I am using simple Forms authentication and allow unauthenticated GET requests to various pages, scripts and styles.
The problem is I have implemented a custom handler for the extension ".kl", which actually serves images based on the code with this extension, so for example the output for 1.kl and 2.kl would be different.
I need to allow unauthenticated requests to this handler.
How should I do it?
This is the tag in my web.config:
<authentication mode="Forms">
  <forms loginUrl="~/UserPages/UserLogin.aspx" timeout="2880" name=".ASPXF2KAUTH" protection="All" path="/" defaultUrl="~/CodeGeneratorPages/SC_WC_CodeGen.aspx">
  </forms>
</authentication>

It is purely an ASP.NET question, and the solution is one and the same for Azure and on-premises deployment.
You need to decide on a single "folder" from which your handler will serve. For example it could be "/dynamic-images" or whatever. And make sure that all references/links you are generating point at this folder ("~/dynamic-images/1.kl").
And now you need to add a location element to your configuration. Note that location is an immediate child of configuration (do not put it inside system.web):
<location path="dynamic-images">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
There is no other way (that I know of) to achieve your goal.

Also, one more solution to this question that I figured out by myself
is to allow unauthenticated access by default to the root directory of the website, then deny access to all the folders and child paths. That way any handler would be allowed to be accessed by any anonymous user, whereas all the child paths won't be allowed.

Related

Issue with Telerik RadMenu and web.config Authentication

Whenever I add a domain tag to the web.config Forms section it makes my menus disappear from my application.
<authentication mode="Forms">
<forms name="appname" loginUrl="login.aspx" domain="localhost" />
</authentication>
Has anyone experienced this before?
This prevents all requests under this application from passing unless you authenticate. For aspx pages this is fine and dandy, but for the webresource requests the AJAX controls need this is a problem, because IIS does not return the scripts/stylesheets but the error page.
So, add a location element to provide access to the needed handlers:
<configuration>
  ...
  <location path="Telerik.Web.UI.WebResource.axd">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  ...
</configuration>
Or, turn on the CDN so web resources are used as rarely as possible:
http://www.telerik.bg/help/aspnet-ajax/scriptmanager-cdn-support.html and http://www.telerik.bg/help/aspnet-ajax/stylesheetmanager-cdn-support.html. The MS AJAX scripts, however, will still be taken from webresource, I think. Take a look at the requests in the browser and let the needed ones pass.

Setting web.config file to check if a cookie is set

I'd like to set my web.config file to redirect to login.cshtml if a cookie is not set. How can I do this? What I have at the moment is also exhibiting some behaviour I don't understand. I have:
<?xml version="1.0" encoding="utf-8" ?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.cshtml" name=".ASPXFORMSAUTH">
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
What is happening is the user is being redirected to
"Account/Login ReturnUrl=%2fdefault.cshtml"
So the default.cshtml is being rendered, with a weird login page placed centrally within it. It's probably to do with the structure of my program, but I don't really understand what is being called that could render this weird HTML.
The loginUrl should be the path that would take you to the Login view, as if you were trying to navigate to it via a web browser, which, if I had to guess, would be something like mywebsite.com/Account/Login. So the corresponding code in web.config would be
<forms loginUrl="~/Account/Login" name=".ASPXFORMSAUTH">
</forms>
This would be based on default routes and so forth. If your site has modified routes and/or view engine overrides in place, you may experience different behavior.
I think the issue here is that you are referencing "Login.cshtml" in the loginUrl, which is a view. In MVC you don't route a user to a view (that is selected in the controller). You have to point the user to the path /Controller/Action. As mentioned in the other post here, that is usually "~/Account/Login" if you use the standard project template (the tilde indicating the application root).

Confusion in Windows built-in authentication (web.config)

I am currently working on my ASP.NET project. I use web.config settings to allow and deny services.
It works totally fine. Now I have a query (just for knowledge): if I use both deny and allow authentication, what will happen?
My code looks like this:
<system.web>
  <authorization>
    <deny users="user_name" />
    <allow users="user_name" />
  </authorization>
</system.web>
Thanks in advance !
Authorization elements are evaluated in the order they are given in the configuration file.
In your example, the user would be denied, as the deny entry is earlier in the list than the allow entry.
Note that your question is referring to ASP.NET URL Authorization Behaviour (i.e. the settings defined in system.web\authorization). The behaviour of IIS URL Authorization is quite different. See the "Differences Table" here.
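To make the two rules discussed above concrete (scoping an allow to the handler folder in the first answer, and deny-before-allow ordering in this one), here is an added example that is not code from any of the posts: a small model of ASP.NET URL authorization that parses a constructed web.config and applies first-match semantics, checking the nearest location's rules before the root rules. The config contents, user names and paths are assumptions made up for the demonstration.

```python
# Added example (not from any post above): a small model of how ASP.NET URL
# authorization evaluates <allow>/<deny> rules, first match wins, rules from
# the nearest <location> checked before the root rules.
import xml.etree.ElementTree as ET

# Constructed web.config: anonymous users are denied at the root, the handler
# folder re-allows everyone, and "bob" is denied before he is allowed.
WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <deny users="bob" /><allow users="bob" /><deny users="?" />
  </authorization></system.web>
  <location path="dynamic-images">
    <system.web><authorization><allow users="*" /></authorization></system.web>
  </location>
</configuration>"""


def _rules(section):
    """Return (allow|deny, users, roles) tuples in document order."""
    out = []
    for r in section.findall("./system.web/authorization/*"):
        users = {u.strip() for u in r.get("users", "").split(",") if u.strip()}
        roles = {x.strip() for x in r.get("roles", "").split(",") if x.strip()}
        out.append((r.tag, users, roles))
    return out


def _matches(rule, user, user_roles):
    _, users, roles = rule
    return ("*" in users or ("?" in users and user is None)
            or (user is not None and user in users) or bool(roles & user_roles))


def is_authorized(config_xml, path, user=None, user_roles=frozenset()):
    """user=None means an unauthenticated (anonymous) request."""
    root = ET.fromstring(config_xml)
    path = path.strip("/")
    scoped = []
    for loc in root.findall("location"):
        lp = loc.get("path", "").strip("/")
        if path == lp or path.startswith(lp + "/"):
            scoped.append((len(lp), _rules(loc)))
    scoped.sort(key=lambda t: t[0], reverse=True)  # most specific first
    for rule in [r for _, rs in scoped for r in rs] + _rules(root):
        if _matches(rule, user, user_roles):
            return rule[0] == "allow"
    return True  # implicit <allow users="*"/> inherited from machine.config
```

Anonymous requests under dynamic-images pass while the same request elsewhere is denied, and "bob" is denied everywhere except the handler folder because his deny entry is hit first.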

ASP.NET authentication looks at machine name

I built a web app a while back that is misbehaving out of the blue. Page.User.Identity.Name returns the machine name, i.e. phil_toshiba/phil, instead of the username I set when the user logs in through the login form (should be an email address):
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(tb_email.Text, true);
I don't know why it has only just started doing it, but it doesn't do it on the live site, just the local project I need to work with to update some features. The live and local are in sync (code is exactly the same); the only difference is the live site is compiled and using IIS.
EDIT: this is the authentication tag in my web.config file:
<authentication mode="Forms" >
  <forms loginUrl="Default.aspx" name=".ASPXFORMSAUTH" defaultUrl="Sections.aspx">
  </forms>
</authentication>
Check your web.config, it should be set to use Forms authentication, not Windows:
<system.web>
  <authentication mode="Forms"/>
</system.web>

How to redirect a user back to where he was after login in ASP.NET MVC 3

I'm learning ASP.NET MVC 3 and I'm now examining user handling.
My first problem would be (I know there is a lot about this subject in other threads, I just fail to find a good one for MVC 3) that I want the login page to redirect me to where I came from, or where I was redirected from.
In PHP perhaps I would add this URL to the query string, maybe.
But I need a way to do this somehow automatically, and this is such a common design pattern I was wondering if there is a "built in" way to do this.
What would be the cleanest, or preferred, way to do this?
Also, when I'm redirecting to a login page, which would be the best way of checking and storing the URL I'm redirected from? I would check for the referrer in the request object and spit it out in the URL as "?redirect=protected.html", but I'm not even sure how to properly do this.
Any advice on this subject would be appreciated.
MVC works the same way as ASP.NET.
If you use Forms Authentication a lot of those questions will be answered for you.
In your web.config find the line that says authentication="Windows" and change that to Forms:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" />
</authentication>
MVC 3 will actually give you the Account/LogOn route as part of the MVC 3 template project (check your models and see if you have one called AccountModel).
Then you just add authorization to deny all users to your site:
<authorization>
  <deny users="?"/>
</authorization>
By default this will send any person coming to your site off to your login.
So after you have validated that their login credentials are correct you set the auth cookie the same as in ASP.NET:
FormsAuthentication.SetAuthCookie(userName, false);
From this you can then redirect to wherever you want.
To redirect back to where you came from use:
FormsAuthentication.RedirectFromLoginPage(userName, false);
Not forgetting the other useful statement of:
FormsAuthentication.SignOut();
Without authentication the site won't let you access anything until you are logged in, so the CSS will stop working.
The locations I have added to make sure this doesn't happen are as follows:
<location path="Content">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<location path="Scripts">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
In ASP.NET it is a ?returnUrl=...
(1) Make sure you have something like
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
in your root web.config.
(2) In your Controller you want to protect, add [Authorize] attribute above it.
Please create a new project and select the Internet Application template rather than the Empty one, and you will get a sample of the simple login process as well as changing password.
Note: Please read this as well: http://www.asp.net/mvc/tutorials/preventing-open-redirection-attacks
The sample shows that after the login process it makes sure the returnUrl is a local URL with the Url.IsLocalUrl() helper, to protect from Open Redirection Attacks.
Update:
The best way is to implement your own custom login process after you really know the standard process; for example, instead of using the URL to track where the user came from, you can set a new cookie to store the returnUrl as an HttpOnly cookie and delete it just before redirecting to the previous page.
Another common practice is to use roles. You may specify a directory/controller for a specific group of users called a Role by adding the permitted role like this as an attribute above the controller:
[Authorize(Roles = "Admin")]
See this Visual Studio administration tool to create sample users and roles with the built-in web interface.
You may also want to use a sitemap to arrange your pages and menu links, with show/hide menu based on the current user role. Use this mvcsitemap to add security trimming features in ASP.NET MVC sitemap.
In some cases there happens to be a custom authentication instead of standard forms-based (a common case for enterprise-level applications).
In this case I would recommend manually managing the returnUrl parameter in the query string. The login page reads this URL and redirects back after successful authentication.
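When the returnUrl is managed by hand as the last answer suggests, the local-URL check mentioned earlier still has to be applied before redirecting. The following is an added example, not code from any of the answers or from the ASP.NET framework: it reproduces the rule of ASP.NET MVC's Url.IsLocalUrl() in Python and wraps it in a fallback to a default page. The function names and the sample values are assumptions.

```python
# Added example (not from any answer above): a returnUrl check with the same
# rule as ASP.NET MVC's Url.IsLocalUrl(), so a login page only redirects to
# a path on its own site and never to a host supplied in the query string.
from urllib.parse import unquote


def is_local_url(url):
    """Accept only root-relative ("/Sections.aspx") or app-relative
    ("~/Account/Index") paths, as Url.IsLocalUrl does. Absolute URLs,
    protocol-relative "//host" and "/\\host" (which some browsers also treat
    as protocol-relative) are rejected, as are empty values and a bare "/"."""
    if not url or len(url) < 2:
        return False
    if url[0] == "/":
        return url[1] not in ("/", "\\")
    return url[0] == "~" and url[1] == "/"


def safe_redirect_target(raw_return_url, default="~/"):
    """Decode the raw query-string value once (the framework normally does
    this for you) and fall back to the default page instead of redirecting
    to anything that is not local."""
    candidate = unquote(raw_return_url or "")
    return candidate if is_local_url(candidate) else default
```

The value "%2fdefault.cshtml" from the earlier question decodes to "/default.cshtml" and passes, while a protocol-relative value is replaced by the default page.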
