MVC 2 Area Authentication Not Working - asp.net-mvc-2

Using MVC 2, if I set up my root web.config with forms authentication (there is no locations section), and I go to a page outside an area (off of the root), I get redirected to the login page as one would expect. However, if I go to a page in an area, I don't get redirected as expected. Do I need an additional web.config somewhere in the area, or do I possibly have something misconfigured?
Also, I have been sure to clear all cookies and start from a new session and browser just in case something was holding over from a previous login.
I really did not want to have to maintain locations or multiple web.config files since the whole site needs authentication.
If it helps, I am using Visual Studio 2010 and started with an MVC 2 template.
Warning: I have only had 2 cups of coffee this morning so it could be a short circuit between the chair and the keyboard...
Thanks,
--Patrick

Web.config authorization should not be used with an MVC application. Instead, apply the [Authorize] attribute to the controllers you wish to protect. If all of your controllers site-wide need authorization, consider having a BaseController with an [Authorize] attribute and having all of your controllers site-wide subclass the BaseController.
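The base-controller approach from the answer above, as an added example that is not part of the original thread. `ReportsController`, `AccountController` and `AuthorizeAudit` are hypothetical names; the audit helper is an assumption about how one might verify that no controller in any area was left outside the `[Authorize]` hierarchy.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Every protected controller, in the root or in any area, derives from this.
// AuthorizeAttribute is declared with Inherited = true, so subclasses get it.
[Authorize]
public abstract class BaseController : Controller { }

// Hypothetical area controller (e.g. Areas/Reports): protected by inheritance.
public class ReportsController : BaseController
{
    public ActionResult Index() { return View(); }
}

// The login controller must stay reachable anonymously, otherwise the
// redirect to the login page would itself require a login. It therefore
// derives from Controller directly (MVC 2 has no [AllowAnonymous]).
public class AccountController : Controller
{
    public ActionResult LogOn() { return View(); }
}

public static class AuthorizeAudit
{
    // Controllers that are deliberately reachable without authentication.
    private static readonly HashSet<Type> AnonymousAllowed =
        new HashSet<Type> { typeof(AccountController) };

    // Returns concrete controllers that carry no class-level [Authorize],
    // neither declared nor inherited. Controllers protected only by
    // action-level attributes are reported too, so they get reviewed by hand.
    public static IList<Type> FindUnprotected(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract)
            .Where(t => typeof(IController).IsAssignableFrom(t))
            .Where(t => !AnonymousAllowed.Contains(t))
            .Where(t => !t.GetCustomAttributes(typeof(AuthorizeAttribute), true).Any())
            .ToList();
    }
}
```

Calling `AuthorizeAudit.FindUnprotected(typeof(BaseController).Assembly)` from a unit test and failing when the list is non-empty catches a controller added to an area that derives from `Controller` instead of `BaseController`.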

Related

Is it possible to create a MVC application that navigates like Facebook?

Facebook seems to have a single page where the content changes based on user interaction.
For example: If I click on somebody's post, the url changes to the user's profile/posts/.
Now I'm sure this is possible to implement on MVC.
Can somebody help me get started?
Perhaps some reference/sample/tutorial (I believe this will heavily involve configuring the routings).
Sure, that's called Custom Routing. You can set up custom routing in the routeconfig.cs file in your project (for pre-MVC4, routing is in Global.asax). Then you just use an ActionLink helper to build your links.
Read More: http://www.codeproject.com/Articles/641783/Customizing-Routes-in-ASP-NET-MVC

CQ5.6 - CUG enabling for protecting pages breaks other components

We have implemented login functionality like the Geometrixx site in our existing website (with close to 700+ pages).
We want to show protected pages only to logged-in users. Every user who is registered gets assigned a group/CUG, let's say "listed users".
Now, in the page hierarchy I have a products page, and under the products page I have 8 product pages. Somewhere on the homepage I have a nav bar component which fetches all product child pages and shows a left nav bar with 8 entries.
If I enable CUG in a way that only "listed users" should have access to 2 out of 8 product pages, any access to direct links is redirected to the login page. Which is fine.
But the nav bar component, which earlier used to show all 8 product pages, now shows only 6 pages.
The main idea behind putting pages behind login is lead generation. So if non-logged-in users don't see the link itself, where would they click to get redirected to the login page and subsequently feel like registering with our site?
The requirement is that my existing nav bar should continue showing 8 links, and on click of the 2 protected page links, the user should get the login/register option.
We are using most things out of the box.
Any pointers on how we can achieve this would be a great help. PS: I have given the nav bar as one such component affected in the existing site; there could be many more components fetching their content from the site hierarchy that stand a chance of getting broken in such a case.
There are two entities involved, JCR and Sling. By default any unauthenticated request is associated with a user called Anonymous; the JCR sessions will have ACLs associated with anonymous.
In JCR, if a user does not have access to nodes, that session will not see those nodes. We access the JCR via Sling; by default, if you don't have permission, the request will result in a 404 error (because for the underlying JCR session the resource does not exist). Sling can be explicitly instructed to request authentication for specific paths.
The combination of these concepts is leveraged to create the CUG functionality. Sling is instructed to force authentication for CUG-enabled pages. The JCR is instructed to show these nodes only to users who have access.
When you directly request the product pages without login, it is Sling that is redirecting you to the login page. When your navigation component is looping over nodes to create the menu for anonymous users, JCR is only showing it 6 pages, as the other two are out of reach for anonymous.
The only* way to work around this is to make the navigation component configurable. Instead of node iteration, the content author will have to configure the URL and page title so that the links show up for everyone.
You can ignore the session associated with the request and use a custom JCR session that has access to all the product pages, but that would be disregarding the ACLs and you don't want to do that.
The nav bar can pick up all child pages as per page structure. That should not restrict the page title display on the nav bar.
As for the pages, the access can be controlled by template-level page properties by adding the 'listed users' group over there. In the JSP you can give an initial check for the user if they are a member of 'listed users', else redirect to the login page.
Hope that helps
Thanks for all your suggestions
Below is how we ended up doing it.
- Protect the page you want to enable CUG with proper CUG.
- Hide the page in nav.
- Create a redirect page in the same hierarchy with the same title as the one you wanted to protect. Redirect it to your protected page.

Spring 3 MVC multi page form with session attributes, cannot go back

I wrote a relatively simple web app in Spring MVC. I have the following multi-page form:
1. Fill in
2. Check preview and eventually go back to 1. by form button or back button in your browser
3. Confirm
I used the annotation @SessionAttributes and everything goes well, except for going back to edit the form after the preview.
Then I get a message in the browser that the document has expired and I have to renew my POST request, hence creating new objects. I resolved this problem by creating another method which loads the view with the form and loads the information there from the session, but I still can't use the 'back button' in my browser. I would like to avoid JavaScript for this problem. Any ideas?
EDIT: I can see that when the session is active, the header is always set to 'no cache no store'; maybe there is a way to configure Spring Session to enable cache and store? I searched but didn't find anything helpful.

struts 2 TokenInterceptor Form Tokens

In my web application, I am using a cookie-based session, and thus that session is being shared among all browser tabs. Is there a way to restrict the user to accessing the application in one tab at a time with the use of tokens (Token Interceptor)? Opening the application in a new tab would invalidate the previous tab's pages (i.e. all application JSP pages, including the login page).
In short, this is not possible, and the only solution which comes to my mind is to force the user to use a single instance of your application by writing URLs on the fly using a sessionID.
I am not sure why you need this and what exactly your use case is. If I am correct, there is such a feature in Spring Security which helps us keep only one instance per logged-in user, and all you need is to set a property in your spring-security XML file like
<session-management>
<concurrency-control max-sessions="1" />
</session-management>
For details refer to these threads
how-to-differ-sessions-in-browser-tabs
allow-only-one-session-per-user

How to redirect user in bootstrap after confirmation in Zend Framework?

I'm just new to Zend Framework. Currently what I'm trying to do is, when users access my website, they will first see a select box with two languages, such as English and German, to choose from.
Only when they make a selection, the browser will redirect them to the index controller of that specific language page.
So my question is how to make a select box in bootstrap file or any kind of possible ways to do that and how to redirect user after that? Any solution will be much appreciated!
Don't ever use bootstrap file (and I'm talking about both Bootstrap.php and index.php) for this kind of operations. First, it just won't work the way you ask; second, you'll mess your app's structure big time.
Instead you may use one of the following approaches:
1) Add some preDispatch hook that will check whether the choice has already been made by checking the user's cookies. If it has, proceed with the request as usual (probably setting some Zend_Registry lang variable to be used later); if not, redirect to the language-choosing page; the latter should store the choice made in cookies.
2) Implement a simple rule in your Router/mod_rewrite: when the requested URL contains 'the language part' (http://example.com/lang/xx/... or just http://example.com/xx/...), it automatically uses this part to set the lang param. If not, the request is automatically redirected to the language-choosing page. The latter, in turn, leads the user to a language-specific page, where all the links are made language-specific.
The latter approach is inferior, in my opinion, as the user will have to use a language-tuned gateway all the time. But you don't have to store this info in cookies.
You could make a plugin that uses the preDispatch event to check whether the language has been chosen (e.g. stored in a cookie or session) and redirect to the landing page if not.
Look here zend framework plug-in - predispatch()
and the ZF's action plugin documentation.
That's what I do to force login in my app.
Now in your position what I would really do would be detecting the language of the user with a fallback to English and a switch widget somewhere in your navbar.