IIS 7.5: Setting 'app pool user' as the anonymous user programmatically - web-config

I have an web app in IIS 7.5 with its own AppPool using .net 4.
I want to use the feature of having anonymous access as the app pool identity - which is easily configured in a GUI via the inetmgr snapin.
Is there any way do this programmatically, for instance through web.config?
I've looked around and it appears that the anonymousAuthentication element does the trick, but it does not explain how to specify the app pool user in any significant way. I've tried setting my anon user to 'IIS APPPOOL/[AppPoolName]' as seems to be suggested here, with no success.
Any suggestions to how this is supposed to be configured?

Taking a closer look at that link: http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
'If you leave this value blank (that is, username=""), Anonymous authentication uses the application pool identity to authenticate anonymous users'

For the lazy (me)
<system.webServer>
<security>
<authentication>
<anonymousAuthentication userName="" />
</authentication>
</security>
</system.webServer>

Muluken anonymous pool to examination any kinds of question to my followers . So try to give answer if you are good in participation

Related

How to add profiles via the FHIR REST api (HAPI)

I've looked at the documentation for creating profiles for FHIR, and I've used Forge to create some xml that I believe is valid to describe a profile. I can't find in the documentation where it actually states what request I need to make to the RESTful api to actually add a new profile.
Any ideas?
You can of course just "store" your profiles on a FHIR server by POSTing them to a FHIR endpoint, but you probably mean: can I actively let instances be validated against the StructureDefinition?
There are two ways, both of which require a bit of experimentation to see which public servers support them:
Any FHIR instance may declare it adheres to a StructureDefinition, by adding the canononical url (StructureDefinition.url) to the instances meta.profile as shown below. Servers may pick this up on a POST and validate the instance against the stated profile:
<Patient>
<id value="44Q3"/>
<meta>
<profile value="http://example.org/StructureDefinition/PatientNL"/>
</meta>
</Patient>
Actively ask a server to validate your instance using the $validate FHIR operation (see http://hl7.org/fhir/resource-operations.html#validate)

Adding URL Excemption for Keycloak

I'm new to Keycloak so I apologize if this is an easy question.
I have to have my entire website hidden behind Keycloak, except for one or two urls. These endpoints are necessary for our rest server, so stuff like "/rest/service/status" should not be challenged.
What is the best way to accomplish this?
You can add security exemption for the URL using web.xml or spring-security.xml like
<security:http pattern = "/YOUR_URL/**" security = "none"/>

Redirect attribute of actionforward does not work in struts portlet bridge based portlet (JSR-168)

I did a lot of researching on the matter but cannot seem to find the answer to my question, so I hope you guys can help me out.
We have a struts 1.2.7 web app that we converted to a JSR-168 portlet using the Apache Struts Portlet Bridge.
This is all working very well except for one thing: the actionforwards that specify a redirect do not actually redirect to the specified action. These redirects DO work when running the app as a normal struts web app. Hence, we have a double submit problem in the portlet variant.
We make use of action chaining that ends with an action forwarding to a tile definition. For example:
<action path="/CreateIdmAccountSubmit" validate="true" input="catalog.createaccount.page" type="com.konakart.actions.login.CreateIdmAccountSubmitAction" name="CreateIdmAccountForm">
<forward name="FillRegistrationData" path="/FillRegistrationData.do" redirect="true"/>
</action>
<action path="/FillRegistrationData" validate="false" type="com.konakart.actions.registration.FillRegistrationDataAction" name="FillRegistrationDataForm">
<forward name="FillRegistrationDataPage" path="/FillRegistrationDataPage.do" redirect="false"/>
</action>
<action path="/FillRegistrationDataPage" forward="order.registrationdata.page"/> (tiles-def)
In this example the action /CreateIdmAccountSubmit processes a submitted form (POST) and creates an account in the db. After successfull creation the user is redirected to another action (/FillRegistrationData) which inits an order object and, on its turn, forwards to the orderregistration page which layout is defined in the tiles-defs.xml.
As I said this all works very well, form a functional perspective, but when a user hits f5 on the rendered order-registration-page the action /CreateIdmAccountSubmit is again invoked causing the account to be created double. As I said also this is not happening when running the app as a normal web app. Here, the mechanism works perfectly :)
I think that the problem is being caused by the fact that the redirect is done in the wrong phase but i am really not sure as why this does not work :)
Based on what I read I tried the fowllowing things to fix the redirect problem:
* specified the action that does the form submit as "actionUrl" in struts-portlet-config.xml (hoping that redirect is done in wrong phase?)
* replaced the normal html tag library by the struts-portlet variant (hoping that a valid url actionUrl was produced by my html:form that in some way made the redirect possible?)
These two steps did not seem to help and I am lost at how to accomplish a simple redirect in the portlet so that we can prevent the double submit problem.
Hope you guys can help me out!
I found the answer: the mechanism is dependent on the portal implementation. We use Liferay which does not work with redirects by default.
However, you can switch this on by declaring an element in liferay-portlet.xml called
<action-url-redirect>true</action-url-redirect>
This fixed the problem for us!

forms authentication persistent across multiple servers

I have an MVC 2.0 application that requires a persistent login(if chosen) using forms authentication which is load balanced between two servers.
my webconfig(on both servers) looks like so:
<authentication mode="Forms">
<forms name="MA_AuthCookie" loginUrl="~/Account/LogOn" timeout="86400" protection="All" path="/" slidingExpiration="false"/>
</authentication>
<machineKey validationKey="*************180C6E1FD3E9338B78ACD83CA0A99F27B985AF97871BDBA43E1426DB8FA82F811779BFB779D1E90EB9BCCDE71D3F0458392736B17D3"
decryptionKey="*****************D72F47EF06B1F594CAAF1BEA311555A9D8E8"
validation="SHA1"
decryption="AES" />
timeout is set for 60 days and i am using the following script to set the cookie on login.
FormsAuthentication.SetAuthCookie(userName, true);
All works great or so it seems across both servers until i come back an hour or so later with no activity and my auth cookie is gone. I am not sure this has something to do with the worker process on either load balanced server for the application because i can go directly to one of the servers, login and my login is persisted as it should be. Also, through my findings the fact that i am setting a machine validation key is supposed to get around the issue and recreation of keys when the worker process runs. There must be something i am missing. If anyone can point me in the right direction it would be very appreciated.
Thanks,
Billy
Looks like i failed to realize the obvious. Although it seemed as though the login would persist when closing the browser down sometimes and sometimes not the setting to expire cookies at the end of the session was checked on my firefox browser. All is good after making that change.

Is it possible to suppress the IE standard login dialog when Windows Authentication is enabled?

i have a web application with Windows Authentication enabled. In my web.config I restrict the access with the following code:
<authorization>
<allow users="rba\eigg"/>
<deny users="*"/>
</authorization>
When I call the application in a browser, the IE's standard login dialog pops up. If I close it by 'Cancel' I get the HTTP 401 (Access is denied) error page as expected.
Is there a way to suppress the login dialog so that the user gets the 401 error page directly?
Thanks!
Rocko
At risk of sounding terse, let me just say: No. ;-)
It is an intrisic function of any browser when presented with a challenge/response type of auth.
Fiddling with this in any way would be a security risk and is not possible.
Just the way it is.
Cheers.