I'm working on an ASP.Net MVC application. I want to deny access to all users who are unauthenticated or not in an AD group. Only this AD group should have access. The exception to this is the "You Shall Not Pass!" page. Anyone can access that.
In the project root, I have this in my web.config (the rest of the file is trimmed for brevity):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<customErrors mode="On">
<error statusCode="401" redirect="/ui/Other/YouShallNotPass.html" />
</customErrors>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
<authorization>
<allow roles="allowedrole"/>
<deny users="*"/>
</authorization>
</system.web>
<system.webServer>
<httpErrors>
<remove statusCode="401" />
<error statusCode="401"
subStatusCode="2"
responseMode="ExecuteURL"
path="/ui/Other/YouShallNotPass.html" />
</httpErrors>
</system.webServer>
</configuration>
I have a second web.config sitting next to ui/Other/YouShallNotPass.html. I expect this to allow anyone to access this page, authenticated or otherwise:
<configuration>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</configuration>
I'm able to test this by setting the AD group to one that doesn't exist. I'm not part of the non-existent group, so I should expect to see the YouShallNotPass.html page.
It's not working as expected. I'm getting the following error in my browser:
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
If I request YouShallNotPass.html directly, I can access it after being prompted for a user/pass.
What am I doing incorrectly? Why won't it serve the 401 page when the user isn't authorized?
Check out this question because it explains why your solution won't work.
So once you move to annotate all your secure controller actions with [Authorize] you can add a custom ExceptionFilter
like this
public class HandleUnauthorizedAttribute : HandleErrorAttribute
{
public override void OnException(ExceptionContext filterContext)
{
base.OnException(filterContext);
if (filterContext.Exception.GetType() != typeof (SecurityException)) return;
var controllerName = (string) filterContext.RouteData.Values["controller"];
var actionName = (string) filterContext.RouteData.Values["action"];
var model = new HandleErrorInfo(filterContext.Exception, controllerName, actionName);
filterContext.Result = new ViewResult
{
ViewName = "Unauthorized",
ViewData = new ViewDataDictionary<HandleErrorInfo>(model),
TempData = filterContext.Controller.TempData
};
filterContext.ExceptionHandled = true;
filterContext.HttpContext.Response.Clear();
filterContext.HttpContext.Response.StatusCode = 403;
filterContext.HttpContext.Response.TrySkipIisCustomErrors = true;
}
}
Then wiring it up here
public class FilterConfig
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleUnauthorizedAttribute());
}
}
Managed to work around this by adding the following to my global.asax:
protected void Application_EndRequest(object sender, EventArgs e)
{
if (Response.StatusCode != 401)
return;
Response.ClearContent();
Response.WriteFile("~/ui/Other/YouShallNotPass.html");
Response.ContentType = "text/html";
}
I would have preferred using the web.config to do this, though.
Related
I am encountering an infinite redirect loop between login.microsoftonline.com and my application. My project is implementing authentication and authorization in an Asp.net 4.8 web forms project. I am able to add authentication using the default Owin startup file and then require authentication in the web config file. The below works correctly for requiring a user to sign in before being able to access pages/AuthRequired
StartupAuth.CS
public partial class Startup
{
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
private static string authority = ConfigurationManager.AppSettings["ida:Authority"];
private static string clientSecret = ConfigurationManager.AppSettings["AppRegistrationSecret-Local"];
public void ConfigureAuth(IAppBuilder app)
{
//for debugging
//IdentityModelEventSource.ShowPII = true;
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
PostLogoutRedirectUri = postLogoutRedirectUri,
ClientSecret = clientSecret,
RedirectUri = postLogoutRedirectUri,
//This allows multitenant
//https://github.com/Azure-Samples/guidance-identity-management-for-multitenant-apps/blob/master/docs/03-authentication.md
TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false
},
Notifications = new OpenIdConnectAuthenticationNotifications()
{
AuthenticationFailed = (context) =>
{
return Task.FromResult(0);
}
}
}
);
// This makes any middleware defined above this line run before the Authorization rule is applied in web.config
app.UseStageMarker(PipelineStage.Authenticate);
}
}
Web.Config
<configuration>
...
<system.web>
<authentication mode="None" />
</system.web>
<location path="Pages/AuthRequired">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
...
</configuration>
I need to add authorization so that only users with the admin role will be able to access Pages/AuthRequired. I have done that by updating the web config:
<configuration>
...
<system.web>
<authentication mode="None" />
</system.web>
<location path="Pages/AuthRequired">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
...
</configuration>
Adding authorization to the authenticated page works correctly if the user has that role, but if a user who doesn't have the role tries to access the page they are redirected back to login.microsoftonline.com and then back to the application in an infinite loop.
I can see that Owin UseOpenIdConnectAuthentication is returning a 302 response on unauthorized and that is causing the loop.
How can I change it so that instead of redirecting unauthorized (but authenticated) users to login.microsoftonline.com, that user should be directed to an app page that displays a 401 error?
Please check if below work around helps:
Its usually possible that if forms authentication is enabled, you will be redirected to the login page when status code is 401.
As a workaround try Adding the below to global.asax in the application end request and you can create own unauthorized page if needed and redirect to that.
if (this.Response.StatusCode == 302&& this.Response.StatusCode == 401
&& this.Response.RedirectLocation.ToLower().Contains("login.aspx"))
{
this.Response.StatusCode = 401;
//or Response.Redirect("Unauthorized.aspx");
}
You can also check this > Redirect unauthorised user to message page in ASP .Net. (microsoft.com)
Other references
Prevent redirect to login on status code 401 (Unauthorized)
(microsoft.com)
asp.net - In-place handling (no redirect) of 401 unauthorized? -
Stack Overflow
ASP.NET URL Authorization doesn't appear to interoperate well with OIDC (i.e. Azure AD).
First remove the URL Authorization from your Web.config:
<configuration>
...
<system.web>
<authentication mode="None" />
</system.web>
<location path="Pages/AuthRequired">
<system.web>
-- <authorization>
-- <allow roles="Admin" />
-- <deny users="*" />
-- </authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
...
</configuration>
Optionally make authenticated required for all pages globally:
<system.web>
<deny users="?" />
</system.web>
You can override this behaviour with <Allow users="?" /> for specific pages i.e. logins/logouts/erorr pages/etc.
Second add authorization logic to your AuthRequired.aspx page:
public partial class AuthRequired {
protected void Page_Load(object sender, EventArgs e)
{
Authorization.AuthorizeAuthRequiredPage();
...
}
}
public static class Authorization
{
public static void AuthorizeAuthRequiredPage()
{
if (!Authorized(HttpContext.User))
{
Redirect("/Anauthorized.aspx");
}
}
private static bool Authorized(User user) => { ... }
}
I have the following:
Web.config
<system.web>
<authentication mode="None" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<customErrors mode="On" defaultRedirect="~/Error/ShowError">
<error redirect="~/Error/ShowError/400" statusCode="400" />
<error redirect="~/Error/ShowError/401" statusCode="401" />
<error redirect="~/Error/ShowError/403" statusCode="403" />
<error redirect="~/Error/ShowError/404" statusCode="404" />
</customErrors>
</system.web>
ErrorController
[AllowAnonymous]
public class ErrorController : Controller
{
public ViewResult ShowError(int id)
{
Response.StatusCode = id;
switch (id)
{
case 400:
return View("~/Views/Error/400.cshtml");
case 401:
return View("~/Views/Error/401.cshtml");
case 403:
return View("~/Views/Error/403.cshtml");
case 404:
return View("~/Views/Error/404.cshtml");
default:
return View("~/Views/Error/404.cshtml");
}
}
}
FilterConfig
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
//filters.Add(new HandleErrorAttribute());
}
Locally everything works fine, I get a custom error page and am happy, however as soon as I deploy the site to my web server, I no longer get my custom error messages and only the generic:
Do I need to add anything specific for the IIS configuration in my online environment?
I've compared the local Web.config with the deployed Web.config and there isn't anything different (that I can see).
Your error is overwritten by IIS custom error.
Try:
Response.TrySkipIisCustomErrors = true
how to set up smart-card authorization in web form
i can read ATR of smart card...
try {
m_iCard.Connect( DropDownList1.SelectedItem.Text, SHARE.Shared, PROTOCOL.T0orT1);
try {
// Get the ATR of the card
byte[] atrValue = m_iCard.GetAttribute(SCARD_ATTR_VALUE.ATR_STRING);
} catch {
}
} catch {
}
But further from that no idea.
Do you have the authentication process in place? If not, you can access the link below, it has a tutorial for that:
http://securitythroughabsurdity.com/2007/04/implementing-smartcardauthenticationmod.html
Once the users were authenticated by the SM, you can authorize them:
http://securitythroughabsurdity.com/2007/04/implementing-authorization-in-aspnet.html
You can see on this link the full tutorial:
http://securitythroughabsurdity.com/2007/04/implementing-smartcard-authentication.html
Edited - it’s possible to implement authorization on the following forms:
Declarative
using System.Security.Permissions;
...
[PrincipalPermission(SecurityAction.Demand, Role="Administrator"),
PrincipalPermission(SecurityAction.Demand, Role="Auditors")]
public void DoSomethingImportant()
{
...
}
Imperative
using System.Security.Permissions;
...
public void DoSomethingImportant()
{
PrincipalPermission permCheck = new PrincipalPermission(Nothing, "Administrators");
permCheck.Demand();
}
IPrincipal.IsInRole() Check
if (myPrincipal.IsInRole("Administrators")
{
...
}
Web.Config - Specify access permissions to files and/or folders in the web.config
<configuration>
<system.web>
...
</system.web>
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Reports">
<system.web>
<authorization>
<allow roles="Auditor" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
I'm having problem with our login procedure.
Some customers complain that they can't login. I can see in our logs that their login is successful and that they are redirected from the login page to the member area. But there somehow the login isn't detected and they are bounced back to the login page.
I've asked customers to check if cookies are supported (http://www.html-kit.com/tools/cookietester/) but problem remains even if this test returns true.
This is how I've implemented the login procedure (simplyfied):
protected void Login(string email, string password)
{
FormsAuthentication.SignOut();
Guid clientId = /* Validate login by checking email and password, if fails display error otherwise get client id */
FormsAuthentication.SetAuthCookie(clientId.ToString(), true);
HttpContext.Current.Response.Redirect("~/Members.aspx");
}
On the member page I check for authentication by in Page_Load function:
public static void IsAuthenticated()
{
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
HttpContext.Current.Response.Redirect("~/Login.aspx", true);
}
}
Maybe I'm using FormsAuthentication completely wrong?
I've asked this before but still haven't been able to figure this out, I'd appreciate any help.
From my Web.Config:
<system.web>
<compilation debug="false">
<assemblies>
...
</assemblies>
</compilation>
<authentication mode="Forms"/>
<sessionState mode="InProc" cookieless="false" timeout="180"/>
<customErrors mode="On"/>
<httpHandlers>
...
</httpHandlers>
<httpModules>
...
</httpModules> </system.web>
public static void IsAuthenticated()
{
if (!HttpContext.Current.User.Identity.IsAuthenticated)
{
HttpContext.Current.Response.Redirect("~/Login.aspx", true);
}
}
is not necessary when you use forms authentication.
When you specify the forms authentication in the web.config (in which you also specify the login page)
<authentication mode="Forms">
<forms loginUrl="/Authorization/Login" timeout="60" />
</authentication>
and you deny all non-athenticated users access
<authorization>
<deny users="?" />
</authorization>
you don't have to check the authentication of a user yourself, the framework takes care of that.
I would place the FormsAuthentication.SignOut(); code behind a 'logout' link
Seperate the call of SignOut() and SetAuthCookie() in different methods. You may call FormsAuthentication.SignOut(); when the Login page loads first time - simply just do away from calling SignOut() on Login page. And Call
FormsAuthentication.SetAuthCookie(clientId.ToString(), true); after authentication is successful.
Normally you would use FormsAuthentication.Authenticate together with some membership provider, but this should work, and it actually does in my machine.
Are you removing the FormsAuthentication from your registered HTTP modules? Normally, this is in the machine wide web.config:
<configuration>
<system.web>
<httpModules>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
</httpModules>
</system.web>
</configuration>
If you put a <clear /> inside that same section of your own web.config, you're effectively removing that module.
My tested Web.config is pretty clean, it only has <authentication mode="Forms"/> configured.
I am having difficulties implementing a custom ASP.NET RoleProvider.
First off, let me show you the relevant settings in my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
name="FormsAuthentication"
path="Default.aspx"
timeout="20"/>
</authentication>
<membership defaultProvider="MembershipProvider">
<providers>
<clear />
<add name="MembershipProvider"
type="CompanyName.Security.MembershipProvider" />
</providers>
</membership>
<roleManager defaultProvider="RoleProvider"
enabled="true">
<providers>
<clear />
<add name="RoleProvider"
type="CompanyName.Security.RoleProvider" />
</providers>
</roleManager>
</system.web>
<location path="Employees.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Employees"/>
</authorization>
</system.web>
</location>
</configuration>
Here's the code for the login button's event handler:
if (Membership.ValidateUser(tbxUsername.Text, tbxPassword.Text))
Response.Redirect("./Employees.aspx");
else
{
tbxUsername.Text = string.Empty;
tbxPassword.Text = string.Empty;
tbxUsername.Focus();
lblLogin.Visible = true;
}
Side Note based on FormsAuthentication.RedirectFromLoginPage() suggestion:
[It has been suggested that I use FormsAuthentication.RedirectFromLoginPage() instead of Response.Redirect(). Eventually, I'd like to redirect the user to a different page based on his/her role. I don't know how FormsAuthentication.RedirectFromLoginPage() would allow me to do this as it does not accept a redirection url as a parameter. In addition, it is my understanding that I could call FormsAuthentication.SetAuthCookie() prior to Response.Redirect() in order to create the authentication cookie that FormsAuthentication.RedirectFromLoginPage() creates. Please let me know if my thought process here is wrong.]
After stepping through the source, I can see that Membership.ValidateUser() is executing the ValidateUser() function of my custom MembershipProvider class. However, when a valid user logs in, and is redirected to Employees.aspx, the user is returned to Login.aspx**?ReturnUrl=%2fEmployees.aspx**. I assume that this is because although the user authenticates, s/he is failing authorization to the Employees.aspx resource.
With that assumption, I created breakpoints on every function in my custom RoleProvider class to see where things run amuck. Not one of them breaks execution when I debug. Most of the code in my RoleProvider throws NotYetImplementetExceptions, but I would still expect to hit the breakpoints (and would then implement those required functions). Here are two dumbed-down functions I have implemented:
public override string[] GetRolesForUser(string username)
{
return new string[1] {"Employees"};
}
public override bool IsUserInRole(string username, string roleName)
{
return true;
}
I assume that since the RoleProvider code never executes, that something must be wrong with my web.config.
I've searched for an answer to this for the past two days and have tried various changes without success. Does anyone see where I'm going wrong?
Thanks in advance!
After authenticating the user using Membership.ValidateUser, you should call FormsAuthentication.RedirectFromLoginPage rather than Response.Redirect to create the forms authentication ticket.
See the MSDN documentation for Membership.ValidateUser for an example.
EDIT
Or if you want to redirect to a specific page, call FormsAuthentication.SetAuthCookie to create the forms authentication ticket before calling Response.Redirect.
It redirects authenticated users to default.aspx
Actually it redirects back to the page that was originally requested, which is not necessarily default.aspx
EDIT 2
Also there is a problem with your configuration:
The path attribute should not point to a specific page (Default.aspx in your case), but the root directory of the site. The default is "/" because most browsers are case-sensitive and so won't send the cookie if there is a case mismatch.
<forms loginUrl="Login.aspx"
name="FormsAuthentication"
path="/"
timeout="20"/>
Check if user is in role:
If (Roles.IsUserInRole("Employees"))
{
}
or try if it works without role checking:
<allow users="*"/>
maybe helps configuration change:
<location path="Employees.aspx">
<system.web>
<authorization>
<allow roles="Employees"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I changed the path value (see below) from "Default.aspx" to "/" and now the breakpoints in the custom RoleProvider are being hit!
Does not work:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
name="FormsAuthentication"
path="Default.aspx"
timeout="20"/>
</authentication>
Works:
<authentication mode="Forms">
<forms loginUrl="Login.aspx"
name="FormsAuthentication"
path="/"
timeout="20"/>
</authentication>