I am developing a web site with MVC 5.2 and ASP.NET Identity 2.1. As long as my site is in beta, I want to keep random visitors away from my website.
I am looking for a simple 2-step-protection mechanism:
When I hit the website with my browser the default browser dialog should pop up and ask me for username and password (IIS user credentials). When I enter valid data, my site appears (with it's homepage).
Here I have to login to my application (with application specific credentials).
I enabled Basic Authentication in IIS 8.5 (and disabled Anonymous Authentication), because I was hoping this would bring up the browser dialog (from step 1). But this didn't do the trick. Instead, when I hit the page, the browser returns an error message saying that my request ended in an endless loop. No popup dialog appears. My request is obviously hitting my MVC application already and this tries to redirect me to the login form again and again.
Any ideas?
I just want to keep visitors away with a simple mechanism (does not have to be secure!!). And if possible I don't want to change my MVC code.
Thanks for any help!!
Look at this:
ASP.NET MVC - HTTP Authentication Prompt
You can also use the [Authorize] attribute for your landing actions.
Make sure [AllowAnonymous] action is not used.
Related
I've developed a simple set of pages using ASP.NET MVC - then hosted them in IIS 7.5.
These are just visual pages with no data behind them.
The server is online and I didn't want the casual observer to be able to access them so simply set IIS up with basic authentication. I then created a limited demo account so that I could send details to customers so they can take a look at these visual pages.
When going to the url:
www.myserver/mysite/home/index
The browsers username and password box pops up as I would expect.
I then type in the details for my demo account.
However after a succesful authentication rather being taken to
www.myserver/mysite/home/index
My browser instead trys to take me to something along the lines of:
www.myserver/mysite/home/index/login.aspx?ReturnURL=.....
If I then return to the original URL it loads correctly.
How can I prevent the redirect following the sucsesful login?
I have a web application that I am trying not to recompile since there is little documentation and the environment is a little sensitive.
With that in mind, all I am trying to do is hijack the authentication mechanism to redirect to one of a couple replacement websites. To that end, there is an authentication service and an authentication controller. The website redirects to /auth/login when the user comes unauthenticated.
In the views folder I have built an alternative /auth/login_new.gsp and from there can authenticate the user and get a redirection back to /auth/redirect.gsp at some frequency but not 100%. That redirect page takes a value from the DB and redirects the user to the correct follow on website. When I run authentication from /auth/login, the site ignores the redirect request to /auth/redirect.gsp.
I had set the show pages for all the different controllers to window.location.href="/auth/redirect.gsp" but I can't get it to go there 100%. I have also reset the layout/domain.gsp file to gut the other functionality of the site and script redirect as well. I was getting errors with duplicate redirect attempts, but now I just go to a dead/gutted homepage...
Any suggestions on how I can dodge the recompile?
Thanks
Leif
I have a legacy asp.net web form web site, it uses forms authentication. Now, I have the requirement to create a new sub MVC application in the web site. My new application is most likely a SPA that means most actions are done through Ajax. Everything works fine until session time out, because once time out, my background Ajax returns the content of form login page instead of my json data. This is correct session behavior, but how can I know session time out in ajax and then redirect the page to login page?
You can trap the failure of your AJAX calls and look for 401 result, which means that the request was not authorised.
I'm assuming you're using Web API for your service calls here - if you're calling methods on your normal MVC controller you'll need to do a little bit of work to ensure unauthenticated requests return 401 instead of redirecting you to the login page.
I currently have an intranet site that is accessed by external customers. I therefore set this up using Forms Authentication. However the powers that be (my bosses) want all our domain users to not have to enter their username and password to access the site.
I've done a bit or reading and everything seems to point to setting up a WinLogin.aspx page that you alter to use WindowAuthenthication and then redirect from there.
I have a problem with this as I don't like the idea of putting an aspx form in my mvc application.
Can anyone tell me how to achieve mixed authentication using a strictly MVC Controller/Action setup without a second application?
NOTES: running MVC 3 on an IIS 7 box.
Forms Authentication is not related to the URL or physical structure of your files. What matters is that a URL should ultimately map to a physical (or virtual) resource on the server, and be processed, and be returned back to the user.
Thus, somewhere in between for each incoming call (each HTTP request, even those for CSS and JavaScript files), you have to see if the current user has enough permission to access it or not. If no, then you might redirect him to the login page.
If you want, you can have a URL like /user/windowslogin where user is the name of the controller, and windowslogin is the name of your action method. Then you can create a custom authentication attribute (something like [WindowsAuthentication]) on your windowslogin action, and in that attribute (which is an MVC filter in essence), you can see if the current request comes from within your domain, and if so, talk to Active Directory for authentication or stuff like that, and on case of successful authentication, create an authentication cookie using FormsAuthentication class, and the rest of the story.
However, I don't think this would be an easy task. Others might introduce better solutions.
Hope you can help. In my ASP.net MVC3 app, all my controllers descend from a customized controller I have created.
Upon FormsAuthentication time out, my app correctly redirects users to the login page if they attempt to access any page (standard functionality).
However, for Ajax.ActionLink and Ajax.BeginForm calls, they just return nothing, which confuses users if the browser is left open for more than 20 minutes and then they try to access an Ajax link.
Is there any code I can put in to my base controller that will work generically so that when it detects an inbound Ajax call and we have timed-out, it will redirect users to my login page as expected?
I don't mind if it doesn't return to the original page afterwards - happy for it to just go to the Home Index page.
Thanks in advance for any help you can provide.
Simon.
You may take a look at the following blog post which illustrates a nice way to prevent the FormsAuthentication module from redirecting to the logon page in case of an AJAX request and simply send a 401 status code to the client so that it can act accordingly.