I work on an Ektron CMS solution where our site implements a membership-based access model. There are certain resources that we publish that require a purchased membership to access, others you just need to register on the site, and some are free.
We use Ektron's Aliasing extensively, which is essentially URL rewriting. So, we have resources like /about/ that map to /default.aspx?id=1234, which is available to the public, but we also have resources like /surveys/ that map to /default.aspx?id=3456 that are restricted.
How would I implement the granular access to these resources using Forms Authentication depending on the resource that is requested?
Thanks in advance.
You can wrap that url mapper, with a 'pre-mapper' that will forward unauthenticated users to different urls in case the target url is restricted.
Related
I am on Umbraco version 7.5.1, asp.net 4.6.1.
I have one Umbraco application hosting two web sites (one anonymous and the other secure using Forms).
I have specified this in the UmbracoSettings.Config but its good for the entire site
<error404>//PageNotFound[1]</error404>
Is there a way to instruct Umbraco to use the 404 anonymous Doc type for anonymous site and use the secure 404 document type for the secure site?
If the two websites are on different language then you can use this approach here https://our.umbraco.org/documentation/reference/config/umbracosettings/#errors
If you don´t have different languages on the site, then you could perhaps look at this package https://our.umbraco.org/projects/backoffice-extensions/umbraco-page-not-found-manager/ where you can set the 404 page from the context menu.
note: the umbraco-page-not-found-manager application only works for users that are member of userType Alias of admin. So you may have to download the code, revise it to your custom security needs.
I'm new to stackoverflow so please bear with me. I haven't found a direct answer to my question.
I am using an MVC web application developed by a third party. There is a particular controller for which I would like to secure viewing of one the items to certain users.
So, for example, the URL a user may hit is:
.../#/MyViews/1
Generally that is fine for all (Windows) authenticated users to see all the MyViews items. However, there may be a few that I would only like one or two users/groups to be able to view. The third party may support that functionality in the future but they don't right now.
I was hoping that IIS authorization would help me out by altering the web.config but I can't get it to work.
I thought I might be able to do something like:
<location path="#/MyViews/234">
<allow users="domain\username" />
</location>
but it doesn't seem to work. It may just be that I can't do it, but I hate having to wait for the third party to provide the functionality.
Am I misunderstanding the capability of the "location" functionality?
Any other potential options to resolve this?
The web.config location settings are meant exclusively for file-based authentication. The values that you put there correspond to physical directories and files on the web server, not to URLs.
MVC does not serve files, it serves resources from controller action methods programmatically. Therefore the web server (via web.config) has no way to override its security. The AuthorizeAttribute is the only sure way to secure an MVC application because it involves locking down the resource (controller action) rather than securing by URL, which would fail if there is an alternate route that can access the same controller action.
The only option you have if you don't have the source code and have no way to plug in your own code is to hope that the 3rd party put some option into the software to configure the security to the level that you need, which would probably involve a custom AuthorizeAttribute subclass that has some settings that can be configured in a configuration file or through a control panel.
We have a ASP.NET MVC4 WebAPI Portal RIA (a mouthful, I know). The Portal UI is implemented using extjs and static html (ie no views), and all dynamic behavior is driven via RESTful JSON service end points implemented via the System.Web.Http.ApiController. Currently, the website is deployed in production as a single site with two site bindings (ie two different URLs) in IIS: one URL is internal and provides access to the full portal, the other is HTTPS and is intended to provide external authorized users access to the RESTful JSON API portion of the site. Effectively, this means that while the internal URL allows full access to the site, ideally, the external URL should:
Only allow respond to JSON requests
Not allow access to the default page (eg index.htm)
What is the best way to accomplish this goal in IIS or otherwise? Is there a better alternative to the shared site with multiple site binding configuration we are currently using? Any insight would be deeply appreciated.
Probably the easiest solution (from all those that involve coding your own solution) would be to implement an HTTP Module that intercepts all calls and do all the filtering logic in your code based on the domain name or IP.
Here is a very simple example of how you can do that: Using ASP.NET HTTP Modules to restrict access by IP address
I am not aware of any way to accomplish your task purely by changing a configuration.
Is it possible pass an value(object type) with cookies between asp.net mvc3 applications? explain with example.
Provided both the MVC applications are from the same domain; yes. When you create the cookie, you should allow it to be accessed by the sub domain. This is not an MVC specific restriction, but a general web restriction.
Your browser will prevent pages from different domains from accessing each other’s cookies.
Alos the browser will prevent you from creating cookies for other domains. For example, your application lives in domaina.com and you are trying to create a cookie domainb.com will not work.
There are hacks and mods around these restrictions but they are generally not recommended.
I recommend you use a plugin/library such as https://github.com/carhartl/jquery-cookie to get the task done. There are many examples on how to use the plugin at the above url.
Cheers
I have many pages in web application, i want display some pages to all including anonymous user and some pages should be protected from anonymous user can it is possible through authentication and authorization.. if it is possible then please tell me how......
There is built in functionality in ASP.NET for this. See ASP.NET Authorization on MSDN for an introduction.
You can specify what roles are allowed to access different pages/paths. With a membership and role provider you get a built in handling of users and roles. If you are in a corporate environment you probably want to integrate with Windows authentication, otherwise there is a good SqlMembership provider that handles all the user storage in the database in a secure way.
If you want to keep away from building an authentication system into your application you're best bet is to look at putting the pages that need protection into a separate directory on the webserver, then using : http://httpd.apache.org/docs/2.0/howto/auth.html to protect them.
This of course assumes you're using apache.
It is no longer recommended to use the .htaccess files.