I have an mvc 4 application, where I have to define multiple login pages, one for each role type user.
Is there any way to do this? trying to configure multiple login pages inside the location tag in web. config gives me errors.
thanks,
luca
One way is just to create different login controllers for each role type. To make it possible for people to access two different login pages while they are not logged in, you can open up those locations in web.config:
<location path="Employee/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Customer/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You say that when people get logged out they can be redirected to the home page. To do this, in the forms authentication portion of web.config, set loginUrl to your home page.
If your login logic is mostly the same, but you want to present a different view, you could reuse the same controller, but have a route value that specifies which mode you're in and switch between Views depending on which value is provided.
Related
I'm trying to restrict access to this URL using the location element code defined in my Web.config, but it doesn't seem to redirect the user when entering the URL directly in the address bar.
<location path="~/management/account">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Is this possible to achieve in Web.config? Or do I just use the Authorize + roles access definition attribute above the relevant function, for this particular scenario?
I've seen the location element used to restrict access to folders and specific pages, but have not come across one with URL routing?
you can't use the authorization and/or location elements in an MVC app. To get authorization support in an MVC app apply the [Authorize] attribute on the controller level (then all actions requires authorization) or on the action level
We have an MVC2 site that we need to add Windows Authentication to, for the sole purpose of capturing the AD login name -- the site, itself, does not need to be restricted. All pages on it are open to all on our network.
So in our web.config, we have this:
<authentication mode="Windows" />
And several location nodes to open up the various areas of the site to all users:
<location path="default">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path=".">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="sales/index">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
However, when we try to hit sales/index, for example, it prompts for the login, and even a correct login will yield a 401:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Some other details:
We don't have any sort of authorization action filters, because as I said, the whole site should remain open to all on our network.
We have IIS (site and app pool) configured identically, best we can tell, to another (MVC3) site where authentication works.
We also have folder permissions configured identically between the two.
The only difference we can think of, at this point, is the broken one is an MVC2 site, and the working one is an MVC3 site.
The broken MVC2 site will prompt for a user, whereas the working MVC3 site does not -- it uses passthrough authentication.
The broken MVC2 site will return the same response for a valid user, both with a valid password, or with an invalid password.
The broken MVC2 site will continue to prompt for a username/password if an invalid user is entered.
I've a asp.net mvc 3 site and i publish it in iis 7.5 (framework 4.0), and the problem is that the css and the scripts don't work util the user log in the website. So:
The website was created like virtual directory and converted into a application.
The mode is forms authentication.
I enable in the iis the forms and anonymous authentication.
The web config has:
<location path="Content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Scripts" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<globalization culture="pt-BR" uiCulture="pt-BR" />
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
Obs: the dlls that i add in bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.
I tried to change the path in the localtion as "~/Content", but i got the same result.
I tried to put the tag allow in the autorization tag as:
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
But i got the same result.
What am i missing?
I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.
I've had this problem too and it's not the asp.net authorization that is the problem it's the rights to the files in the filesystem.
You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account but I guess this wouldn't be good idea security wise if you host it in public. You can set this under advanced settings -> Physical Path Credentials for the website.
Try to allow content path, where your scripts and css files are stored:
<configuration>
<location path="content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
I see that you figured it out and you are happy with your answer.
I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.
e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I agree with Mikael that it could be file access rights; try to give permissions to Everyone account, and if it cures your problem - find out which account IIS use for Application Pool which you use and give permissions to it.
Also, if it doesn't work, try to put web.config files inside folders Scripts and Content, with authorization attributes only.
And also there is a little possibility that you overtuned your Routing in some way, and it intercepts real file requests.
IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.
You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.
To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.
<location path="Content" allowOverride="true">
<!-- Authorize all users -->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- Authenticate anonymous users -->
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
The default controller in my ASP.NET MVC project is decorated with the [Authorize] attribute. When I deploy the website on my development machine and access the website, I am redirected to the login page (defined in forms loginUrl section of the Web.Config). Result: everything works as expected.
When I publish the website on our production server (Windows Server 2008, IIS 7, DefaultAppPool) and access the website, the expected address shows in the address bar (/Account/LogOn?ReturnUrl=*my_expected_return_url*), but the page displays "You do not have permission to view this directory or page." instead of the login page. If I remove the [Authorize] attribute on the default controller/action, the page displays correctly.
My Web.Config file:
sessionState mode="InProc" timeout="30"
authentication mode="Forms"
forms loginUrl="~/Account/LogOn" timeout="2880"
Do you have a section in your web.config to explicitly allow non-authorised users to access the ~/Account/LogOn page?
<configuration>
<location path="~/Account/LogOn">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
Got some problem with settings up the Authorization.
First i got :
<authorization>
<deny users="?" />
</authorization>
So i deny all unknown users and then allow them to view those pages:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Public">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now to the problem .. they can access the Public pages and Default.aspx .. but not www.mydomain.com or www.mydomain.com/ .. so www.mydmain.com/Default.aspx works fine.
So how to make those work ?
Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.
In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.
In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.