I have an application that uses its own authorization to determine if a user has access to pages. I want to display a more friendly "access denied" page in the event that access denied. In the MasterPage...
if (!authorize)
{
throw new UnauthorizedAccessException(); //error occurs here, looks like I'm not allowed to use this class
}
In the web.config
<customErrors mode="Off" defaultRedirect="~/ErrorPages/ErrorPage.aspx">
<error statusCode="403" redirect="AccessDeniedPage.aspx" />
</customErrors>I get the error below.
It appears that I get the error just as a result of just trying to instantiate/use the UnauthorizedAccessException() class. I'd like to do it this way, is there a way to use this?
/**************************************************************************************************************************
Attempted to perform an unauthorized operation.
Exception Details: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
*************************************************************************************************************************/
As Fredrik says, you are throwing an error, so you get an error. If you want to just instantiate the exception don't use throw.
UnauthorizedAccessException uae = new UnauthorizedAccessException("some message");
But again, this just creates an exception; soon as you throw it, you will get the message you are already getting.
Why not just redirect? Response.Redirect("~/AccessDeniedPage.aspx", False);
If you really wanted to use the exception, you could continue to throw the exception as you are but also handle the exception in the Application_Error event of the Global.asax file. In the Application_Error event, test if the exception is an UnauthorizedAccessException, and if so, redirect the user to AccessDeniedPage.aspx. Basic use of Application_Error: MSDN
Well, you are throwing an UnauthorizedAccessException. If there is no try-catch that catches it, the code will crash there. I think that the exception that you see, is your exception.
Related
I have a .NET WebAPI app working locally on my dev machine's IIS, but if I deploy it on a server, there I get the error
HTTP Error 503. The service is unavailable.
whenever I try to access the API. At the same moment, the AppPool stops (yes, it has started correctly and runs correctly until I make an API call) and I get the error in event viewer:
A process serving application pool 'MyNewTestAppPool' suffered a fatal communication error with the Windows Process Activation Service.
The controller I call is a really complicated one:
public class ExampleController : ApiController
{
[HttpGet]
public bool GetTrue()
{
return true;
}
}
so this cannot be an issue with a stack overflow caused by endless loop inside my code. I fear that it is an endless loop inside the authentication and authorization chain.
The main change to another app that deployed correctly on the same server is that this app should have most controllers require authentication against local AD, with a single controller that doesn't - while the other apps either always require authentication, or never.
To achieve this hybrid mode, I did the following:
in Web.config, I added <authentication mode="Windows" />
in IIS, I enabled both Anonymous Authentication and Windows Authentication
in Global.asax.cs, I added the AuthorizeAttribute to all controllers: GlobalConfiguration.Configuration.Filters.Add(new System.Web.Http.AuthorizeAttribute());
the single function that should be accessible without authentication has got the [AllowAnonymous] attribute set.
Not sure what's happening there, does someone know what happens or how to debug this?
Ensure \IIS_IUSRS (IIS 7.x) has read access to the app folder. Ensure the app pool identity you are using is in the IIS_IUSRS group (ex. IIS APPPOOL\DefaultAppPool)
Here is a video summary of my problem http://screencast.com/t/v6th4BuRLhV
I am trying to add bindings programmatically to IIS with this code:
public void AddBindings(string sitename, string hostname)
{
ServerManager serverMgr = new ServerManager();
Site mySite = serverMgr.Sites[sitename];
mySite.Bindings.Add("*:80:" + hostname, "http");
mySite.ServerAutoStart = true;
serverMgr.CommitChanges();
}
And I get this error:
Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: Filename: redirection.config
Error: Cannot read configuration file due to insufficient permissions
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
I have addressed the permissions on redirection.config (both IUSR and IIS_IUSRS have permissions)
As well as the errors on web.config as suggested here http://www.codeproject.com/Questions/348972/Error-Cannot-read-configuration-file-due-to-insuff
But it still doesn't work.
ANSWER
Websites don't run under the IIS group. Whoever owns the app pool is the user and this is the user that needs permission. Or put that user in the IIS_IUSRS group.
Figure out what account your application pool is running as. Then you need to give that account access to the entire %SystemRoot%\System32\inetsrv\config folder. It wasn't enough for me to give access to just %SystemRoot%\System32\inetsrv\config\redirection.config
in my case "run as administrator" solved the problem
We're using the Jasig .NET CAS Client to interface with our organization's CAS SSO server.
However, we've noticed that in ASP.NET MVC 3 (and I would assume this affects ASP.NET WebForms as well) applications, when users log out, we see the following error in our error log:
System.Web.HttpRequestValidationException (0x80004005):
A potentially dangerous Request.Form value was detected from the client
(logoutRequest="<samlp:LogoutRequest...").
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.FillInParamsCollection()
at System.Web.HttpRequest.GetParams()
at DotNetCasClient.Utils.RequestEvaluator.GetRequestIsCasSingleSignOut() in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Utils\RequestEvaluator.cs:line 292
at DotNetCasClient.CasAuthenticationModule.OnBeginRequest(Object sender, EventArgs e) in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\CasAuthenticationModule.cs:line 93
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I don't believe this is an error message users are receiving -- it seems to only be seen by the server. As far as the users are concerned, log out is successful.
Is there any way I can get ASP.NET MVC to stop trying to validate these types of requests? I know I can disable request validation completely, but that's out of the question. The site with a hyphen has a good question on this, but not really an acceptable answer:
add the following setting to the web.config:
<httpRuntime requestValidationMode="2.0" />
After setting this value, U can disable request validation by setting validateRequest="false"
So, is there any way to disable ASP.NET validation for this request without turning it off completely?
Edit: This is also tricky to debug because this request is coming from the CAS server, NOT from the user's browser. I think this is the CAS server attempting to notify all running applications that the user has signed out (single sign out). So we're only receiving this error in production, not when testing locally.
The dotnetcas client gets access to the request before it gets to an MVC controller action, so it is not possible to simply set the validation attribute on an MVC controller or action.
The target of this request seems to be the last URL that was validated, so it is not possible to disable validation for a specific path in your application by using this method either: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/
From what I see you have a couple of options:
Disable this validation:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
or
.Net 4.5 allows you to access a request before it goes through validation. If you have access to this you can re-compile the client from source, fixing the relevant issue.
I am not familar with Jasig .NET CAS but ASP.NET MVC allows you to disable request validation at the page level.
Add the following attribute to your controller action:
[ValidateInput(false)]
We have a simple piece of code here that recently stopped working and I have tried many 'things' to try and resolve the error.
The code
Application outLook = new Application(); :)
The error
Retrieving the COM class factory for component with CLSID
{0006F03A-0000-0000-C000-000000000046} failed due to the following
error: 80070005. Description: An unhandled exception occurred during
the execution of the current web request. Please review the stack
trace for more information about the error and where it originated in
the code.
Exception Details: System.UnauthorizedAccessException: Retrieving the
COM class factory for component with CLSID
{0006F03A-0000-0000-C000-000000000046} failed due to the following
error: 80070005.
ASP.NET is not authorized to access the requested resource. Consider
granting access rights to the resource to the ASP.NET request
identity. ASP.NET has a base process identity (typically
{MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if
the application is not impersonating. If the application is
impersonating via , the identity will be
the anonymous user (typically IUSR_MACHINENAME) or the authenticated
request user.
To grant ASP.NET access to a file, right-click the file in Explorer,
choose "Properties" and select the Security tab. Click "Add" to add
the appropriate user or group. Highlight the ASP.NET account, and
check the boxes for the desired access.
Now whilst the error is quite obvious I cannot resolve it.
The application is a .net 2.0 web application and the server is windows 2008 r2 standard using IIS 7.0
Thanks
Using Client appliactions on a server is always going to be problematic - there are other ways to access mailboxes.
That said, this might help:
http://technoblogy.net/retrieving-the-com-class-factory-for-component-with-clsid-00024500-0000-0000-c000-000000000046-failed-due-to-the-following-error-80040154/
An ASP.NET 2.0 web application has been compiled with PDB symbols, deployed to a server running IIS 6.
In the web.config, user impersonation is enabled:
<identity impersonate="true" />
When an Exception is thrown, the stack trace is missing line numbers, making it very difficult to determine exactly where the exception is emanating from. eg.
System.NullReferenceException: Object
reference not set to an instance of an
object. at
MyApp.ReportingServices.WebForm.DA.AmoRepository.GetDimensions(String
perspective)
The login being used to access the website has no special rights or group membership on the server.
I managed to get a detailed stack dump for the exception by assigning the 'Debug Programs' user right to the particular login.
Once the exception was diagnosed I removed that user from that assignment.