I have two-level authentication: first the user enters their nt/password and it is validated by LDAP, and afterward I have a custom role provider that makes sure the user has access to said page.
That being said, in my web.config I have:
<authentication mode="Forms">
  <forms loginUrl="~/Account.mvc/LogOn" timeout="2880"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add connectionStringName="ADConnString"
         name="ADMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         attributeMapUsername="sAMAccountName"
         enableSearchMethods="false"
         applicationName="ProgramName"/>
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="CustomRoleProvider">
  <providers>
    <clear />
    <add name="CustomRoleProvider"
         applicationName="ProgramName"
         type="ProgramName.Providers.CustomRoleProvider"
         attributeMapUsername="sAMAccountName"
    />
  </providers>
</roleManager>
Now, if I try to use the language button while in the login form, it calls an action that is unavailable since the user still isn't LDAP-authenticated. My question is:
Can I avoid the membership check for a specific action like I can for the role check using the [Authorize] attribute?
I tried using:
<location path="~/Home.mvc/ChangeCulture">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
And this doesn't work. The action ChangeCulture is never called.
This answer:
ASP.NET MVC Forms authentication and unauthenticated controller actions
shows how to do it for roles, any idea for membership+roles?
Thanks.
I am using awstats for my IIS 7.5.
I try to use forms authentication, but it only works on the directory ( http://XXXX.com/awstats/wwwroot/cgi-bin/ ).
However, I can go to http://XXXX.com/awstats/wwwroot/cgi-bin/awstats.pl?config=testsite directly without login.
I want people to execute this (awstats.pl?config=testsite) before login.
I don't want to create a local domain for the users because I will have many users using awstats in different subfolders.
The web.config in /awstats:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="SIPE_ASPXAUTH" loginUrl="~/Login.aspx" protection="All" path="/" timeout="20">
      </forms>
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <!-- Inner quotes around %s must be escaped as &quot; to keep the attribute well-formed. -->
      <add name="Perl" path="*.pl" verb="GET,HEAD,POST" modules="CgiModule" scriptProcessor="C:\Perl64\bin\perl.exe &quot;%s&quot; %s" resourceType="Unspecified" requireAccess="Script" preCondition="bitness64" />
    </handlers>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
I'm having a problem with an assignment on ASP.NET. I would like to ask: is there any way in which I can prevent any users (including authenticated users) from accessing newly created web forms unless I have specified the access rights to the page in the web.config?
I tried using
<deny users="*">
but it denies all users from accessing any pages, even those for which I have already specified access rights, for example:
<location path="home.aspx">
Here is a good article to look at; the example is on MS Support:
<configuration>
  <system.web>
    <authentication mode="Forms" >
      <forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
      </forms>
    </authentication>
    <!-- This section denies access to all files in this
         application except for those that you have not explicitly
         specified by using another setting. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- This section gives the unauthenticated
       user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
       page only. It is located in the same folder
       as this configuration file. -->
  <location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- This section gives the unauthenticated
       user access to all of the files that are stored
       in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
  <location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
This should help you:
<location path="FolderName/pagename.aspx">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
We are adding a couple of pages to our application that don't need to be locked down behind a login. How would I open up two pages to be publicly accessible?
Here is my Web.config:
<authentication mode="Forms">
  <forms name=".ORGANIZATION" loginUrl="Default.aspx" protection="All" timeout="120"/>
</authentication>
<authorization>
  <deny users="?"/>
  <allow users="*"/>
</authorization>
We want page1.aspx and page2.aspx to be public. How would I allow that?
You would add a location in the web.config to exempt them:
<configuration>
  <!-- The rest of your web.config -->
  <system.web>
    <authentication mode="Forms">
      <forms name=".ORGANIZATION" loginUrl="Default.aspx" protection="All" timeout="120"/>
    </authentication>
    <authorization>
      <deny users="?"/>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="page1.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="page2.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
In an authenticated website, you can use the Location element in web.config to specify that a page can be accessed anonymously.
In this web.config section anyone can get to the RecoverPassword page without being authenticated, but no one can access pages in the Admin folder without being authenticated.
<configuration>
  <!-- Specify either a file or a folder in path; use only one of the two. -->
  <location path="RecoverPassword.aspx">  <!-- specify file -->
  <!-- folder alternative: <location path="Admin"> -->
    <system.web>
      <authorization>
        <allow users="?" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms" >
      <forms loginUrl="UserLogin.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
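An added example (not from any of the posts above): a small Python model of how URL authorization resolves the rules discussed on this page, taking the first matching `allow`/`deny` from the most specific `<location>`, then the file's own rules, then the inherited allow-all default. It is a simplification that ignores `roles`, `verbs` and nested web.config files; `SAMPLE` and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configs on this page (not a real site's file).
SAMPLE = """<configuration>
  <location path="RecoverPassword.aspx">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization><deny users="*"/></authorization></system.web>
  </location>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
</configuration>"""

def rules_of(node):
    """(action, [users]) pairs, in document order, under node/system.web/authorization."""
    authz = node.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, [u.strip().lower() for u in r.get("users", "").split(",")])
            for r in authz if r.tag in ("allow", "deny")]

def rule_matches(users, user):
    """'*' is everyone, '?' is the anonymous user (user=None), else an exact name."""
    return any(u == "*" or (u == "?" and user is None) or
               (user is not None and u == user.lower()) for u in users)

def is_allowed(config_xml, path, user=None):
    """First matching rule wins: most specific <location>, then the file's own rules."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    scoped = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p == "" or path == p or path.startswith(p + "/"):
            scoped.append((len(p), rules_of(loc)))
    scoped.sort(key=lambda s: -s[0])
    chain = [rule for _, rules in scoped for rule in rules]
    chain += rules_of(root) + [("allow", ["*"])]  # inherited default: allow everyone
    for action, users in chain:
        if rule_matches(users, user):
            return action == "allow"

def anonymous_paths(config_xml, paths):
    """Paths from the given list that an unauthenticated visitor can request."""
    return [p for p in paths if is_allowed(config_xml, p)]
```

Running `anonymous_paths` over a site's page list gives a quick inventory of what is reachable without logging in, which is worth reviewing whenever a `<location>` exemption is added.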
First let me say that I did see this article:
How to remove AspxAutoDetectCookieSupport
However it seems like it fixes the url issue, but not the 302 AspxAutoDetectCookieSupport issue.
I've also read just about every other article on the web about this issue.
I could really use some help here.
This is my web.config
<sessionState mode="InProc" cookieless="false" timeout="6600" />
<membership defaultProvider="MySqlMembershipProvider">
  <providers>
    <clear />
    <add connectionStringName="SimpleTickConnection" applicationName="TheaterSales" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="15" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" name="MySqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
  </providers>
</membership>
<anonymousIdentification enabled="true" cookieless="AutoDetect" cookieProtection="All" cookieRequireSSL="false" cookieSlidingExpiration="true" />
To replicate the issue:
http://web-sniffer.net/
and use your url
Ok, I researched on: anonymousIdentification
I removed
cookieless="AutoDetect"
And now the object moved error went away
Where can I get a list of all the configuration properties for the Membership provider that can be added to the web.config, i.e.
<membership defaultProvider="MembershipProvider">
  <providers>
    <clear/>
    <add name="MembershipProvider" type="Providers.MembershipProvider, Providers" description="membership provider" passwordFormat="Hashed"/>
  </providers>
</membership>
Here: http://msdn.microsoft.com/en-us/library/1b9hw62f.aspx