I'm new to stackoverflow so please bear with me. I haven't found a direct answer to my question.
I am using an MVC web application developed by a third party. There is a particular controller for which I would like to secure viewing of one the items to certain users.
So, for example, the URL a user may hit is:
.../#/MyViews/1
Generally that is fine for all (Windows) authenticated users to see all the MyViews items. However, there may be a few that I would only like one or two users/groups to be able to view. The third party may support that functionality in the future but they don't right now.
I was hoping that IIS authorization would help me out by altering the web.config but I can't get it to work.
I thought I might be able to do something like:
<location path="#/MyViews/234">
  <system.web>
    <authorization>
      <allow users="domain\username" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
but it doesn't seem to work. It may just be that I can't do it, but I hate having to wait for the third party to provide the functionality.
Am I misunderstanding the capability of the "location" functionality?
Any other potential options to resolve this?
The web.config location settings are meant exclusively for file-based authentication. The values that you put there correspond to physical directories and files on the web server, not to URLs.
MVC does not serve files, it serves resources from controller action methods programmatically. Therefore the web server (via web.config) has no way to override its security. The AuthorizeAttribute is the only sure way to secure an MVC application because it involves locking down the resource (controller action) rather than securing by URL, which would fail if there is an alternate route that can access the same controller action.
The only option you have if you don't have the source code and have no way to plug in your own code is to hope that the 3rd party put some option into the software to configure the security to the level that you need, which would probably involve a custom AuthorizeAttribute subclass that has some settings that can be configured in a configuration file or through a control panel.
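What the configurable AuthorizeAttribute subclass described in the answer could look like, as an added example (not the answer's code and not the third-party product's). It assumes the item id reaches the action as a route value named "id" and that the users or Windows groups allowed to see a restricted item are listed in appSettings under "RestrictedItem:<id>"; note that the part of the question's URL after "#" is never sent to the server, so the server-side action the client view calls for item 234 is what must carry the attribute.

```csharp
// Added example: restrict individual item ids to users/groups listed in appSettings.
// Assumes a route value "id" and appSettings keys of the form "RestrictedItem:<id>".
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

public class RestrictedItemAttribute : AuthorizeAttribute
{
    private const string KeyPrefix = "RestrictedItem:";

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base rules first: must be authenticated (and match Users/Roles if set).
        if (!base.AuthorizeCore(httpContext))
            return false;

        var id = Convert.ToString(httpContext.Request.RequestContext.RouteData.Values["id"]);
        if (string.IsNullOrEmpty(id))
            return true;                       // no item id: nothing extra to check

        // e.g. <add key="RestrictedItem:234" value="DOMAIN\alice;DOMAIN\finance-group" />
        var allowed = ConfigurationManager.AppSettings[KeyPrefix + id];
        if (allowed == null)
            return true;                       // not restricted: any authenticated user

        var user = httpContext.User;
        return allowed.Split(';')
                      .Select(e => e.Trim())
                      .Any(e => string.Equals(e, user.Identity.Name, StringComparison.OrdinalIgnoreCase)
                             || user.IsInRole(e));   // Windows groups via IsInRole
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but not on the list: answer 403 rather than redirecting to login again.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage on the action that serves one item:
// [RestrictedItem]
// public ActionResult Details(int id) { ... }
```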
I have a base web site (Asp.net WebForms application) running under ie.
http://localhost:90/
Then I created a new (this time Asp.net MVC) application and added it under
http://localhost:90/mvc/
but not just as a simple virtual folder, but as an application folder by defining a different application pool to run it, compared to the parent application.
Since browsers can't know that there are two different applications basically on the same domain, it would work like:
user accesses http://localhost:90/
parent app redirects the user to forms authentication screen
user successfully logs in
parent web adds an authentication cookie
user accesses http://localhost:90/mvc
browser attaches the same cookie from parent app
Is it possible that I authenticate the user based on this same cookie? I would configure my MVC application to login redirect to parent app to have a shared authentication screen. But I'd like to know who authenticated and work from that point on.
I've read something about sharing the same system.web/machineKey values to provide this kind of functionality, but I would like some real world examples.
I'm aware that these two applications will not be able to share Session state and that's not a problem, because I don't want them to. All I want is a kind of single login (SSO/SSS).
Is this possible? How?
Important
I've read other questions/answers about this, but they are asking about cross-domain/cross-server scenarios, etc. This one is on the same IIS web site.
I found it myself.
This is the article on MSDN that talks exactly about this scenario. I decided to keep this question anyway for anyone that would be chasing the same information some time later.
MSDN: Forms Authentication Across Applications
In brief
You have to configure machine keys in web.config of both applications so they match hence they'll be able to decode data that the other party generated. And that's the whole trick. MSDN article explains this in great detail including how to generate those keys.
If anyone is still not able to share the keys, use compatibilityMode="Framework20SP1":
<machineKey validationKey="same key all over"
            decryptionKey="same key all over"
            validation="SHA1" decryption="AES"
            compatibilityMode="Framework20SP1" />
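An added example (not from the answer or the MSDN article) of generating the shared machineKey element with a cryptographic random source, to paste unchanged into the web.config of every application that must read the same forms cookie. It assumes .NET 4 or later for HMACSHA256 and that both applications' forms elements use the same cookie name and path.

```csharp
// Added example: emit one machineKey element to copy into every participating web.config.
// Run once; treat the output as a secret. Both <forms> elements must also share the same
// name (default ".ASPXAUTH") and path so the browser sends one cookie to both applications.
using System;
using System.Security.Cryptography;
using System.Text;

public static class MachineKeyGenerator
{
    private static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);                     // CSPRNG, never System.Random
        var sb = new StringBuilder(byteCount * 2);
        foreach (var b in bytes)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    public static string MachineKeyElement()
    {
        // 64 bytes for HMACSHA256 validation, 32 bytes for AES-256 decryption.
        // HMACSHA256 needs .NET 4 or later on every application sharing the cookie;
        // with a .NET 3.5 application in the mix, use validation="SHA1" as in the answer.
        return string.Format(
            "<machineKey validationKey=\"{0}\"\n" +
            "            decryptionKey=\"{1}\"\n" +
            "            validation=\"HMACSHA256\" decryption=\"AES\"\n" +
            "            compatibilityMode=\"Framework20SP1\" />",
            RandomHex(64), RandomHex(32));
    }

    public static void Main()
    {
        Console.WriteLine(MachineKeyElement());
    }
}
```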
Our customer has a requirement to extend the functionality of their existing large government project. It is an ASP.NET 3.5 (recently upgraded from 2.0) project.
The existing solution is quite a behemoth that is almost unmaintainable so they have decided that they want to provide the new functionality by hosting it on another website that is shown within the existing website.
As to how this is best done, I'm not quite sure right now, nor whether there are any security issues preventing it or that need to be considered.
Essentially the user would log on to the existing web site as normal and when clicking on a certain link the page would load as normal with some kind of frame or control that has within it the contents of the page from the other site. I.e. they do not want to simply redirect to the other site; they want to show it embedded within the current one such that the existing menus etc. are still available.
I believe if information needed to be passed to the embedded page it would be done using query strings as I'm not sure if there is even another way to accomplish this.
Can anyone give me some pointers on where to start looking to implement this, or any potential pitfalls I should be aware of?
Thanks
If the 2 sites are hosted from the same network (low latency between them) you could use the state server for session management. That way, when you authenticate on one site, you will also be authenticated on the other, and share user state across them.
It's pretty simple: in the web.config of each web server you'd point to the state server (which could be located on one of the web servers).
<configuration>
  <system.web>
    <sessionState mode="StateServer"
                  stateConnectionString="192.168.1.103:42424" />
  </system.web>
</configuration>
http://en.csharp-online.net/ASP.NET_State_Management%E2%80%94Storing_Session_State_out_of_Process
Create a virtual directory under the primary domain. If your domain is www.mydomain.com then create a virtual directory www.mydomain.com/site and port the new website application under the /site virtual directory. This way linking should become very much relevant. With this the virtual-directory application will also retain all domain cookies set by the primary domain.
I would suggest making the second website look exactly like the first one, or at least using the same MasterPage, so you can redirect from one site to another without any visual difference.
If your site needs authentication, consider that you would need to do something to prevent the user from logging in twice; an option could be to send an encrypted token to the second site.
All of this applies if you are forced to have a second site; if not, just use a virtual directory.
You could use something like UFrame. I've used it a couple of times and it seems to do quite a good job with it...
"goodness of UpdatePanel and IFRAME combined"
http://www.codeproject.com/KB/aspnet/uframe.aspx
I would use an iFrame to embed that website within your existing application. Just set the "src" attribute and pass in any query string parameters the other site needs to render correctly.
You can still pass sensitive data in the query string; however, make sure to encrypt it before sending it in.
I know it is not the most elegant solution, but it gets the job done. And from the description of the existing app, it doesn't seem like your customer cares for "elegance" :)
Hope this helps
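The "encrypted token to the second site" and "encrypt it before sending it in the query string" suggestions in the two answers above, as one added example (not code from either answer). It assumes both sites share the same machineKey (see the machineKey question above), an embedded page called EmbeddedPage.aspx, and a five-minute token lifetime; the token is both encrypted and integrity-protected, and the short expiry limits replay from logs or Referer headers where a query string can leak.

```csharp
// Added example: hand the signed-in user's identity to the embedded site as a
// short-lived, encrypted and signed token. Relies on a shared <machineKey>.
using System;
using System.Web;
using System.Web.Security;

public static class EmbeddedSiteToken
{
    // Host site: build the iframe src for the current user.
    public static string BuildEmbedUrl(string embeddedSiteBase, string userName)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                              // version
            userName,                       // name carried to the embedded site
            DateTime.Now,                   // issue date (local time, as FormsAuthentication expects)
            DateTime.Now.AddMinutes(5),     // assumption: short life limits replay
            false,                          // not persistent
            "embed");                       // purpose marker, checked on the other side
        // Encrypt = cipher + MAC under the shared machineKey: confidentiality and integrity.
        var token = FormsAuthentication.Encrypt(ticket);
        return embeddedSiteBase + "/EmbeddedPage.aspx?t=" + HttpUtility.UrlEncode(token);
    }

    // Embedded site: validate the token and return the user name, or null if it is unusable.
    public static string ReadUser(string token)
    {
        if (string.IsNullOrEmpty(token))
            return null;
        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(token);
        }
        catch (Exception)
        {
            return null;                    // tampered, malformed, or wrong machineKey
        }
        if (ticket == null || ticket.Expired)
            return null;                    // outside the 5-minute window
        if (ticket.UserData != "embed")
            return null;                    // a normal login cookie is not accepted here
        return ticket.Name;
    }
}
```

On the embedded site, call ReadUser(Request.QueryString["t"]) before rendering and treat null as not signed in.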
I am having trouble with forms authentication. The root web.config is setup to deny access to all non authenticated users with a structure like:
Controllers
Folder - Webforms
Folder1 - Webforms
Model
Public Folder - Webforms with web.config to allow public access
Views
web.config with deny
I need to have the home controller public as well, but if I leave the authorize attribute off, the root web.config will still block access to the views folder. I want to avoid doing something like the below if I can avoid it.
Controllers
Webforms
-Folder
-Folder2
-web.config with deny unauthorized users
Views
web.config with public access
Does anyone have any thoughts to make the first directory structure work?
I'm having trouble seeing what the config sections actually look like. Can you edit the post and drop those sections into a Code Sample block (the button with binary in the text editor toolbar)?
Is the goal to lock down everything that's WebForms and make the MVC driven bits public?
(Would have just put this in a comment, but I don't have the rep points to leave comments yet.)
[Edit]
For sake of offering something useful, but acknowledging I still don't know the end goal for which bits you want to lock down, on the MVC side, is it feasible for you to use the security attributes within your Controllers? For example, instead of trying to lock actions (or entire controllers) down in the web.config, you can add the [Authorize(Roles="YourRoles")] to the specific actions or to the top of the controller. Pros and cons to this approach, but I like it as I don't have to mess around with the config file much which is something I simply don't enjoy. This is of course assuming you're using the standard ASP.NET membership provider, but even if you've rolled your own, you should be able to accomplish the task in a similar manner with some additional effort. Just a thought...
Does anyone know a web based editor for the web.config? I want to offer the possibility of changing and adding settings through a nice web interface.
Update: I am aware of the security issues but still I want to make it possible. The application is an internal app which is not available from outside. I configure authorization within web.config and want to be able to administer the users who are able to access the app. Furthermore I have some app settings which I want to be updateable, e.g. mail server, connection string, etc.
I tend to agree with GregD on this point... Exposing the web.config is not a good idea at all. If you really want the user to be able to configure some settings, provide an interface for it, which allows the user to set the values as per requirement. Check out the built-in ASP.NET website administration tool if you need an example.
There is a good reason why the web.config is not readable from the internet. Don't do it.
Edited to add
What is it that you wish to accomplish by opening up the web.config? The web.config is where you store database connection strings, turn debug off/on, show error messages locally or remotely, etc., etc. Opening up your web.config to "editing" via a web interface, is really asking for someone to hack it, thus gaining full access to your application.
I agree you probably shouldn't do this.... but in going against the grain since we are all adults here...
It is possible to modify the web.config if your website is running in full trust mode. If you're hosted on GoDaddy for example then you are probably out of luck.
That being said you could leverage an admin page I wrote for BlogEngine which will allow you to edit any file you have granted the AppPool service permission to edit. You would probably want to remake this into a user control and then add it to a protected url address and/or folder.
I have an application that uses Forms Authentication to authenticate one type of user. There is a section in this application that needs to be authenticated for another type of user using a different table in the database. The problem happens if the second type of user's session times out, she is taken to the login page defined in the Forms Authentication section of the main Web.Config instead of the login page for the second type of user. I am looking for solutions to this problem. One idea is to create an application in IIS for the section and create a Web.Config for the folder and add another Forms Authentication section. In my experiments, it seems this doesn't work. Am I missing something obvious? Any insights?
IIRC, the authentication works per folder. So you should be able to do it if all of the pages that require the 2nd type of authentication live in a specific sub-folder with its own config.
Not 100% sure on this, though, so if someone more knowledgeable can contradict me I'll just delete the response.
You may need to double check me on the syntax, but the top level web.config can have any number of tags.
<location>...</location>
Inside you can specify separate config parameters for whatever folder/file you want. Look here for a reference.
EDIT: Apologies, I neglected to format the code properly.
You cannot have an <authentication> section inside of a <location> tag, so you must have the subfolder set up as an IIS (and ASP.NET) application of its own. So, you should be able to run the subsection on its own.
I think 500.19 is the "can't read or parse web.config" error - does it have details? You may need to turn on remote errors (or check Event Viewer) to see them. If you're still having issues, post a snippet of web.config.
As an aside - I've never been a fan of nested apps, and would probably prefer having your normal Login.aspx page handle it, either as a MemberOf or perhaps redirecting to a SpecialUserLogin.aspx or something. Nested apps are a PITA to set up and test, IME (for instance - I don't think you can even get it working under Cassini - though you can do 2 separate projects for it, and combine when you deploy).
Yes you can. The Web.config files have a tree-like inheriting architecture with override capabilities, meaning you can modify the settings inside a sub-folder by placing a web.config file there and specifying different configuration settings.
The way I understand this problem, you have two solutions, and the first is to look at Roles; the whole Provider Model would be a great place to start. Otherwise, the best bet would be to separate the application into two parts, breaking out the second user type area and then including it back into the main project via a Virtual Directory. Just remember that Virtual Directories inherit their permissions from the parent directory's web.config, so you will need to use the <location> tags to remove authentication for the virtual directory and then within the virtual directory's web.config define your new forms authentication. This works well if you need Windows Authentication (NTLM) under Forms Authentication.
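The parent/nested-application arrangement the last few answers describe, as an added configuration example (not taken from any of the answers). The folder name SpecialUsers, the login page names and the cookie names are assumptions.

```xml
<!-- Added example. Parent application: web.config -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".MAINAUTH" loginUrl="Login.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <!-- Stop the root deny from being inherited by the nested application,
       so its own rules (below) decide who gets in. -->
  <location path="SpecialUsers">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- Nested application (configured in IIS as an application under /SpecialUsers): web.config.
     <authentication> is only valid at application level, which is why this folder must be
     an IIS application and cannot be handled with a <location> element in the parent. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- A different cookie name keeps the two ticket types apart. Keep the default
           per-application auto-generated machineKey (or distinct explicit keys) so a
           ticket issued by one application is never accepted by the other. -->
      <forms name=".SPECIALAUTH" loginUrl="SpecialUserLogin.aspx" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

A user holding only the parent's .MAINAUTH cookie is anonymous to the nested application and is sent to SpecialUserLogin.aspx rather than the main login page, which is the behaviour the question asks for.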