Bonobo-Git-Server anonymous access to a repository - bonobo

I have created a repository and checked the Anonymous check box. However, when I try to access the repository link directly with no login, I was redirected to the login page. Can anyone help with this? Many thanks.

I have the same issue. After seeing no answers to your question I fired up the source code and started debugging. My conclusion is this is not supported.
The action methods are decorated with WebAuthorize, a custom attribute that inherits from the usual AuthorizeAttribute.
Unfortunately, the base AuthorizeAttribute returns an HttpUnauthorizedResult for anonymous users and so it doesn't appear to be possible to use this software without being logged in. Which regretfully is kind of pointless as I want anonymous access and don't want user account registration to be enabled or required.
Short of changing the source code, this doesn't seem to be possible. Back to the drawing board...


Is there some logout hook in Plone 4?

I have a Plone-4.3-based site which provides access to another site as well: Whenever someone logs in to my site, (s)he can click on special hyperlinks and proceed to that other site without the need to enter a password there (some kind of simple SSO, based on a ReST interface).
Now I need to log the user out from that other site whenever (s)he logs out from my own site, e.g. by sending a special request, which is of course not the topic of this question (perhaps it still needs to be implemented, because session expiration used to be good enough).
How would I accomplish this? To be precise: where would I hook in that secondary logout code? Is there some kind of logout hook, or should I modify some logout.[c]py view? I couldn't find any event or category mentioned in the Event types section here.
There is the for such purposes.
As an example, it is explained at the Events Section of the Plone Addon Developer Guide

Is it possible to validate a querystring ID, for ownership, in FluentSecurity?

Just discovered FluentSecurity. Looks very interesting.
My Web Application is written in MVC3, C# and Razor.
I am worried about the URLs being tampered with. So on top of checking for authenticated users, correct roles, I also need to ensure that the user is not trying to tamper with the URL to view data that he/she has no access to.
i.e. he/she owns #10, so
is fine, but not:
With the standard [Authorize] one could write a custom authorisation class that inherits from the Authorize class and then checks the ID, which is okish... and works. So if the ID is owned by the user then return true. How would this be implemented in the FluentSecurity environment?
Many thanks.
I can't tell you how to implement it but I can point you in the right direction.
What you need is a custom policy. You can then set up a security context modifier to provide you with the querystring/route data you need.
Custom policies are covered here:
Security contexts are covered here:

loading additional user data

I am wanting to know when is the earliest point I can load additional user specific data like permissions into a session object right after login. I am using the membership provider but the data to be loaded is from a custom table. Session start is too late and I have tried the master page.
I'm also wondering where to put that logic to load the additional data.
I know it would be right after the user is authenticated but where? Global, login page, master page, default page etc.
Any advice would be great.
The earliest is obviously right after the user is authenticated. In other words, you should do it immediately your database call to confirm user credentials is successful.
The exact point is difficult to tell without seeing your code. You may have user authentication logic on your login page (not a good architecture but it's quite common to see this) or you may have the logic on a business layer or a data access layer. You didn't show any code, so I can't tell you where it makes more sense for you to have it, but it's definitely within the login page or a call to another class made from the login page.
It is definitely not MasterPage or Global.asax.

Security for ASP.NET Diagnostics page

I'm thinking of creating a diagnostics page for an ASP.NET app, which would be mostly intended for admin use to get more information about the application for diagnosing problems.
Examples of the info the page might have :
System.Environment.MachineName (might be useful in web farm scenarios)
database name
current user's session ID
Some of the info on this page might be sensitive from a security perspective.
If you've done this sort of page before, what sort of security did you put on access to this page?
I should add - occasionally it might be useful to see this page whilst logged in as a specific (i.e. real) end user. e.g. say a problem can only be reproduced when logged in as a particular user. Being able to see the diagnostics page for that user might be useful. e.g. knowing the current session ID might be helpful for debugging.
EDIT 2 :
I'm starting to think that this diagnostics page should in fact be two different pages. One to display stuff which is the same for all users (e.g. database name, CLR version), and another for stuff which can vary by session (e.g. browser info, session ID).
Then you could lock down security more for the first page.
Yes, I've added this sort of page before (and found it useful). The security was pretty simple: the page contained a password form. The server-side code checked this password against a configured value and, if correct, displayed the real content and set a value in the user's session to say that they've been authenticated as a developer, so that they're not prompted again next time.
I suppose there was also a little security by obscurity, since the URL of the page wasn't published anywhere.
I was also careful not to reveal anything really sensitive on the page. For example, it allowed viewing our application config values, but masked out anything with "password" in it - hey, if we really want to see the password we can open a remote desktop session to the server.
There's also a couple of other ways you could do this:
If your web application has user authentication, restrict access to this page by checking that the user is flagged as an administrator or belongs to some kind of admin role.
Use a simple if (Request.IsLocal) ... type check, though the downside of this is that you still have to connect to the server and browse the website locally - which might not always be possible. However, this does still have the benefit of being able to easily view key system settings.
Personally, I've used a combination of both methods where a local request always allows access, and non-local requests require an admin user - eg. if (!Request.IsLocal && !IsAdminUser()) throw new SecurityException().
Also, I'm in agreement with Evgeny - be careful not to reveal anything really sensitive on this page (such as application connection strings or passwords).
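The access rule and the config masking described in the two answers above, as an added example that is not code from either poster. The names DiagnosticsGuard, IsAllowed and Mask, and every marker other than "password", are assumptions; the settings are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class DiagnosticsGuard
{
    // Assumed marker list; the answers above only mention "password" and connection strings.
    static readonly string[] SensitiveMarkers =
        { "password", "pwd", "secret", "token", "connectionstring" };

    // Local requests are always allowed; remote ones must be an authenticated admin.
    // In a page these map to Request.IsLocal, Request.IsAuthenticated and a role check.
    // Caveat: behind a reverse proxy on the same host, every request can look local.
    public static bool IsAllowed(bool isLocal, bool isAuthenticated, bool isAdmin)
    {
        return isLocal || (isAuthenticated && isAdmin);
    }

    static bool LooksSensitive(string text)
    {
        return text != null && SensitiveMarkers.Any(
            m => text.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    // Mask a setting when its key, or its value (e.g. "...;Password=x"), hits a marker.
    public static IDictionary<string, string> Mask(IDictionary<string, string> settings)
    {
        return settings.ToDictionary(
            kv => kv.Key,
            kv => (LooksSensitive(kv.Key) || LooksSensitive(kv.Value)) ? "********" : kv.Value);
    }

    public static void Main()
    {
        // Constructed sample settings, not taken from any real application.
        var settings = new Dictionary<string, string>
        {
            { "SiteName", "Intranet" },
            { "SmtpPassword", "example-only" },
            { "ReportsDb", "Server=db01;Database=Reports;User Id=app;Password=example-only" },
        };

        Console.WriteLine("remote, anonymous: " + IsAllowed(false, false, false));
        Console.WriteLine("remote, admin:     " + IsAllowed(false, true, true));
        Console.WriteLine("local, anonymous:  " + IsAllowed(true, false, false));
        foreach (var kv in Mask(settings))
            Console.WriteLine(kv.Key + " = " + kv.Value);
    }
}
```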
Use forms authentication and set up a user or two with access to that page. That way you can change passwords and revoke access once the site is deployed.
It sounds like you want a robust solution for your error page. I would take a look at open source projects like Elmah for a good example of a robust error page which includes configurable security. To give you an idea, here is a post on configuring Elmah which takes you through setting up the security. The security I have tested allows me to use my domain credentials to log in.

What interacts with the DotNetNuke UserLogin function found in the AspNetMembershipProvider?

I'm trying to figure out where the login functionality is that interacts with the UserLogin function of the AspNetMembershipProvider section; there are no references to where the login functionality exists. I know this is the function to interact with the data, I just need to find where in the source code the login is so I can customize the login (e.g. redirect on login based on user roles, personalized message, etc.)
Any ideas?
Nevermind, found it, just a bit blind. Login.aspx.cs had it, it was just in the private members section and I was looking in the event handlers section.
