When using a gridview and not logged into a asp.net website, the java scrpit does not appear to work.
If I am logged in as a user, any pages with gridviews work fine.
The only error I'm getting when checking the javascript with Firebug is
'ReferenceError: DES_ValOnSubmit is not defined.'
This is a reference to a Peter Blum javascript function, but have no idea why it would fail for anonymous users, and it does for logged in users.
Thanks for any help.
I'm not sure what your authentication scheme might be, but if you are using the authorization tags in the web.config file, you might need to make an explicit exception for your javascript if you are denying the anonymous user to sections of your web site. Something like this:
<location path="MyScriptFolder/MyPeterBlumJS.js">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can also just set the path to "MyScriptFolder" to allow all users access to your javascript as needed.
Related
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I have added a web application to an existing site. The existing site uses basic authentication over https, but the new web application is running in a subfolder where I disabled basic authentication and enabled anonymous authentication (which is disabled for the rest of the site).
So a straight html page works as expected, you can access it without credentials. You can even see it yourself here: https://csssreg.fhcrc.org/physicianSurvey/faq.html
But I placed the new application's aspx page in this folder and I get the 401.2, as you can see here: https://csssreg.fhcrc.org/physicianSurvey/physicianPathologySurvey.aspx
I've been wracking my brain and straining my fingers googling this issue, but nothing solid has turned up. Does anyone have any suggestions as to how I can allow anonymous access to the aspx page? Any help would be greatly appreciated.
This:
<authorization>
<allow users="*" />
</authorization>
Grant access to any authenticated user.
To grant anonymous access you need to use
<authorization>
<allow users="?" />
</authorization>
It turns out there was an error in the global.asax that was causing the page to be redirected to a default error page, and that page was the 401 culprit. Go figure! But thanks to both commenter for at least helping me change my perspective just enough to get the thing.
i created some pages in asp.net. but i want to allow the users only if he is login. how to do that. is there any controls available for that one.
Thank you
In the web.config there is a section below <system.web> where you can add:
<authorization>
<deny users="?" />
</authorization>
It is normal that you put pages that requires login in a certain sub-directory and thus you can put a new web.config in that folder with the above lines inside <system.web>, this will prevent unauthorized access.
MSDN has a great section about Forms Authentication that I recommend you to read.
Yes, you need a login page that uses Forms Authentication.
See details here
Where should I type the authentication code in order to validate the users trying to login to the website.
I have used login control in my website. Also I would appreciate few examples of codes which are generally used in authentication code.
.net has templates for login pages, password recovery, etc.
simply google for it or go here:
http://msdn.microsoft.com/en-us/library/ms178329.aspx
http://www.c-sharpcorner.com/UploadFile/sushmita_kumari/Logincontrol101312006002845AM/Logincontrol1.aspx?ArticleID=c33d0072-8f7c-4958-a7dc-ca1809737193
Not 100% what you mean. If you're using a Login control they can already authenticate with that.
Do you mean authorization? You need to check users are authorized to access your site if it is restricted to logged in users only. Say you have a part of your site called "importantstuff" that only logged in users can access. i.e. www.yoursite.com/importantstuff/. You would put this in your web.config outside of the <system.web></system.web> tags:
<location path="importantstuff">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
This would prevent unauthenticated users from accessing anything in the "importantstuff" directory.
So, I have a page that I want only anonymous users to see, and authenticated users to be redirected. So, like this:
<location path="Login_ForgotUserID.aspx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
The problem is, when an authenticated user attempts to access it, it redirects them to the login page. How can I send them someplace more logical? obtw, I'm confined to .NET v2.0x
Why not just add if ( Request.IsAuthenticated ) { Response.Redirect ... to the Page_Load event of the page you don't have to worry about configuring it out? Unfortunately you can only config a single page to handle Login and if someone doesn't have access they will be directed to it. You could also just check the ReturnURL on Login to see if it came from a page and the user is Authenticated, but that to me is a hokey solution.
Ok, so the answer is that I need to modify the menu before it renders. I never found a way to handle the SiteMap by changing the authoriztion/SecurityTrimming. So I decided to try to modify the SiteMap at the source, and I found out how to modify the MenuItems as they were bound. This seemed the most effective course.
Not sure how to do this in the web.config. In the Login_ForgotUserID.aspx page probably check if the user was authenticated before loading/rendering. If the user is authenticated then redirect them to some harmless home or default page.
You could look at using roles here as well.
If you were to add all users by default to a role, say "authenticated" then you could have:
<location path="Login.aspx">
<system.web>
<authorization>
<deny roles="authenticated" />
<allow users="*" />
</authorization>
</system.web>
</location>
You must ensure that deny is fisrt in the list, as these are processed in order, and the first match is used.
Two other methods to do a similar thing:
Write a custom sitemap provider to ensure that these pages aren't returned to the tree view control when the user is authenticated.
Write a control adapter for your treeview control to ensure that these pages aren't rendered by it.