Hiding MVC pages in production - c#

I have a new MVC application which integrates into a larger pre-existing intranet site.
In production, authentication details will be passed from the existing intranet site. But in development I need a local forms login control to create the authentication.
This means I need a way to hide any of the local login pages when the solution is deployed to the production server. I was trying to use Debugger.IsAttached to redirect away from any login page:
    public class AccountController : Controller
    {
        public ActionResult LogOn()
        {
            if (!System.Diagnostics.Debugger.IsAttached)
                RedirectToAction("NotFound");
            return View();
        }
    }
It turns out this doesn't work. For some reason which is a mystery to me, the login page is still served when navigating to /Account/LogOn.
Can I fix this? Is there a better way?

If you have a separate Web.config for both production and development, you can restrict access to this action in the Web.config of the production-environment:
    <configuration>
        <location path="/Account/LogOn">
            <system.web>
                <authorization>
                    <deny users="?"/>
                </authorization>
            </system.web>
        </location>
    </configuration>

Just out of curiosity, are you aware of the "Authorize" attribute?
http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
You mention that your application is part of a larger application that I assume deals with the security (authentication), right?
If so, in development, you could have a different/specific web.config for your needs.
    <authentication mode="Forms">
        <forms loginUrl="~/MyDevelopment/LogIn"/> <!-- Just for dev -->
    </authentication>
Also, instead of Debugger.IsAttached, I suggest you use the compiler directive:
    #if !DEBUG
        // The result must be returned, otherwise the redirect is never sent.
        return RedirectToAction("NotFound");
    #endif
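
An added example, not part of the question or either answer above: the LogOn action in the question still renders because the result of RedirectToAction is discarded instead of returned. The sketch below assumes ASP.NET MVC 3 or later; the name DevelopmentOnlyAttribute and the use of HttpContext.IsDebuggingEnabled as the switch are assumptions. It hides every action of the controller behind a 404 unless the deployed Web.config enables debug compilation.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical filter name; it is not part of ASP.NET MVC.
// Implemented as an authorization filter so that it runs before action
// filters and before the action body.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class DevelopmentOnlyAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // IsDebuggingEnabled reflects <compilation debug="true"> in Web.config.
        // It is false when production config sets debug="false" or when
        // machine.config sets <deployment retail="true" />.
        if (!filterContext.HttpContext.IsDebuggingEnabled)
        {
            // Assigning Result short-circuits the request: the action never
            // runs and the client sees the same 404 as for an unknown URL.
            filterContext.Result = new HttpNotFoundResult();
        }
    }
}

// Applied at class level so GET and POST login actions are both covered.
[DevelopmentOnly]
public class AccountController : Controller
{
    public ActionResult LogOn()
    {
        return View();
    }
}
```

Unlike a `<location>` rule, the attribute follows the action itself, so it still applies if another route maps to the same controller.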

Related

How do I ensure I have authorization to the root page of my website?

I have a website that uses ASP.NET forms authentication using .NET 4.0 on IIS 7. I have secured the site using a third-party single sign-on provider (jasig CAS), and it all works well.
The default documents list in IIS has Default.aspx at the very top.
The default page of the website is Default.aspx and it is opened to the public with the below snippet from my web.config, again this works as expected when I navigate directly to the page.
    <location path="Default.aspx">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
The problem that I'm having is that when I navigate to the root of my website, i.e. www.mydomain.com rather than www.mydomain.com/default.aspx, I am redirected to the forms authentication page.
Surely this is the same page, and is subject to the same authorization rules?
I am stuck on this, and do not know where to turn.
There is a similar question in Stack Overflow:
Allowing anonymous access to default page
In Global.asax, place the following code in the Application_BeginRequest method:
    if (Request.AppRelativeCurrentExecutionFilePath == "~/")
        HttpContext.Current.RewritePath("default.aspx");
I ended up using this code (the same as above), but it had to go in the OnBeginRequest method in the CasAuthenticationModule:
    if (Request.AppRelativeCurrentExecutionFilePath == "~/")
        HttpContext.Current.RewritePath("default.aspx");

Need to login to view video asp.net

I am a beginner with C# and ASP.NET. I will try to explain this as best I can. I work at a university that allows access to a lot of different sites (payroll, HR, databases, etc.) through a central authentication unit. You log in on a subdomain of the site and, based on your account, you have access to whatever is allowed to you.
I am working with a small department that wants a video on their website, but they want employees to have to log in first in order to see that video.
Can anyone recommend how to achieve this? I am kind of dead in the water here. Any help is appreciated. Is there a way I can use ASP.NET to check if they are logged in? Or is this out of my hands?
To deny access to a specific page, say video.aspx, you can use the location element in your web.config. This will always deny access to users who are not logged in and will redirect them to your configured default login page.
    <configuration>
        <!-- Specify your correct path to the video page -->
        <location path="root/video.aspx">
            <system.web>
                <authorization>
                    <deny users="?"/>
                </authorization>
            </system.web>
        </location>
    </configuration>
However, if you want authentication on a whole section of the website, which will be a separate folder in Visual Studio, make sure that you place a web.config with the entry below in the root of this separate folder. The only thing is that your code to validate the user in the login page will be using the central authentication standards.
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
        </authentication>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
You can refer to this URL for a very basic startup: http://www.codeproject.com/Articles/13872/Form-authentication-and-authorization-in-ASP-NET

Authorizing a single aspx page with log in

I have an ASP.NET application where I have a page named foo.aspx where some secured data is placed.
I want to deny access to this page to users who are not logged in, and this login username and password must be set by me in web.config or somewhere else.
But I have a problem: there is already an Admin Panel which is restricted from normal users by a username and password I have set in web.config, using authentication mode set to forms.
Now how can I restrict the foo.aspx page, as the authentication code can't be duplicated and I also want a separate login page?
In web.config, you could define <location> elements (after the system.web closure) where you set a specific configuration for a specific zone/page of your app.
E.g.:
    <configuration>
        <system.web>
            ....
        </system.web>
        <location path="Foo.aspx">
            <system.web>
                <authorization>
                    <allow users="*" />
                </authorization>
            </system.web>
        </location>
    </configuration>
There, you may set a different authorization mode than the one in use by your app.
With the above example, your page won't be protected by the standard authorization mode configured globally, but you have the choice to protect your page in a custom way, directly in the page itself.
At the top of your foo.aspx page you have:
    if(login == false)
        send them to login page;
This will make sure that they are logged in before they can even access the foo page.
The best way to achieve this is to have two different asp.net applications. You can still configure your IIS to have your Foo application in another folder / subdomain.
You can, however, try to develop your own AuthenticationModule which will need to have a list of urls protected by Admin-authent and a list of urls protected by Foo-authent, each one with its specific Login page and a default login-pwd pair or a table of users. Here's a tutorial for developing custom Authent module : http://www.codeproject.com/Articles/5353/Custom-Authentication-provider-by-implementing-IHt
Good Luck
You can add your page foo.aspx to a folder, and you can protect this folder by adding a new web.config file.
For example:
    Folder
        -foo.aspx
        -web.config
In the new web.config file:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.web>
            <authorization>
                <deny users="?" />
            </authorization>
        </system.web>
    </configuration>

Utilize a Banned Role - ASP.NET MVC

    <location path="CreateArticle">
        <system.web>
            <authorization>
                <deny roles="banned"/>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>
The code above works fine, but when I ban myself, it automatically redirects to the login page. I don't want this. If a person is banned, I want it to redirect to a banned page. Is this possible in MVC?
It sounds like you are using the built-in ASP.NET membership/roles provider. This is the design of the system.
You can code around this yourself. Here's an example of this:
.net Membership deny login
The code in this sample was written with Web Forms in mind, not MVC, so you will need to adapt it, but it should get you down the right path.
Well, you can check inside your controller if the user is banned and make a proper decision:
    if (User.IsInRole("Banned"))
    {
        // do something here
    }
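
An added example, not taken from the posts above: in MVC the "banned" decision can live in a custom AuthorizeAttribute, so that anonymous users still get the forms login redirect while authenticated users in the banned role are sent to a dedicated page. The attribute name RejectBannedAttribute, the ArticleController, and the Account/Banned route are assumptions; the role name "banned" is the one from the question's config.

```csharp
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical attribute name; derives from the framework's AuthorizeAttribute.
public class RejectBannedAttribute : AuthorizeAttribute
{
    private const string BannedRole = "banned"; // role name from the question

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base.AuthorizeCore already rejects anonymous users; additionally
        // reject any authenticated user who is in the banned role.
        return base.AuthorizeCore(httpContext)
            && !httpContext.User.IsInRole(BannedRole);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user.Identity.IsAuthenticated && user.IsInRole(BannedRole))
        {
            // Assumed route: AccountController.Banned(). That action must not
            // carry this attribute, or the redirect would loop.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "controller", "Account" },
                    { "action", "Banned" }
                });
            return;
        }

        // Everyone else gets the default 401, which forms authentication
        // turns into the redirect to the login page.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

public class ArticleController : Controller
{
    [RejectBanned]
    public ActionResult CreateArticle()
    {
        return View();
    }
}
```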

How to use Single Sign On in a web app

I have an ASP.NET 2.0 web application (C#) where I wanted to enable Single Sign On. I want only certain users to have access to all the pages, but others to only see a few pages. What changes do I need to make to my Web.config file, and what code would I need in my code-behind for the pages?
Thank you
Fortunately, ASP.NET was built with this exact kind of scenario in mind.
A quick example here would be the following project structure:
    LoginPage.aspx
    Default.aspx
    web.config
    /Protected
        MembersOnlyPage.aspx
        web.config
If I have understood you correctly, you can simply drop a 'web.config' file into the 'Protected' folder shown above. That web.config file should look like:
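    <system.web>
        <authorization>
            <allow users="Bob, Jane, Mary" />
            <!-- Without a deny rule, the inherited default (allow everyone) still applies -->
            <deny users="*" />
        </authorization>
    </system.web>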
Read up on the <allow> and <deny> elements of <authorization>, because you can also use the 'roles' attribute instead of 'users' to specify groups of users who should have access, or be denied access.
You'll then need to modify the root web.config file to "turn on" forms authentication. Add something like:
    <authentication mode="Forms">
        <forms loginUrl="LoginPage.aspx" name=".ASPNETAUTH" protection="All" path="~/" timeout="20">
        </forms>
    </authentication>
... to your <system.web> element.
Now, all you have to do is wire up your LoginPage.aspx to log the user in. You can use the standard ASP.NET Login control for this purpose, and if you want to use your own database for authentication/authorisation, you can intercept the login control's events to do whatever you need to.
For the quickest, most basic solution, check out the following video:
http://www.asp.net/learn/videos/video-45.aspx
Hope this helps
/Richard
