In webforms if a path is not accesable for a certain user, it will be hidden, can this be done with the MvcSiteMap?
https://github.com/maartenba/MvcSiteMapProvider
In Webforms all you need todo is
<location path="SomePath">
<system.web>
<authorization>
<allow roles="SomeRole" />
<deny users="*" />
</authorization>
</system.web>
</location>
If you do not belong to the SomeRole the menu item will be hidden, possible in MvcSiteMap?
In ASP.NET the recommended way to define authorization is to use the AuthorizeAttribute.
The AuthorizeAttribute is fully supported by MvcSiteMapProvider when securityTrimming is enabled. See Registering the provider.
I know this is an old post but just in case someone else happens upon it, you can explicitly achieve what you are looking for by adding the roles attribute to your mvc.sitemap file where you register the nodes. Anyone not belonging to the role will not be able to see the node with that attribute.
<mvcSiteMapNode title="TheMenuOption" clickable="false" roles="someRole">
Related
I have a link to /ForgotPassword on my Login page. When it's clicked, I'm just redirected to /Login?ReturnUrl=%2fForgotPassword. This is an MVC5 app using Form-based authentication. I'm attempting to use AllowAnonymous, but it isn't working.
Web Config:
<location path=".">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<authentication mode="Forms">
<forms loginUrl="~/Login" timeout="15"/>
</authentication>
ForgotPassword Controller:
[AllowAnonymous]
public class ForgotPasswordController : Controller
{
[AllowAnonymous]
public ActionResult Index()
{
return View();
}
}
No such luck. Aside from a _ViewStart, I can't find anything that is being used that should be decorated with AllowAnonymous.
What I'm a missing here? Thanks!
don't use authorization tags in we.config, use only authorization attributes in controllers and actions.
authorization tags in web.config are useful to allow/restrict Access to files and it Works well with web forms and static content.
But in MVC there is routes which is mapped to controllers and actions, and you may have different actions in the same controller with different authorization tags, e.g.: you can use [Authorize] for the whole controller, and allow only one action for anonymouse users by using [AllowAnonymous] attribute to the desired action only.
read more here: https://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-global-authentication-and-allow-anonymous
I am using [Authorize] tags to ensure a user is logged in before viewing a controller or action. However, it redirects to :
Account/Login?ReturnUrl=%2f_internal%2fHome%2f
and I would like to change this to redirect to /Account/Account/Login (to include the area), but I can't seem to find where I can go to change this link?
If you are using Forms Authentication you can edit the URL in the web.config file in the root of your application. The section will look something like the following.
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
</system.web>
Change the loginUrl attribute and you are good to go :)
I have a MVC Webapplication. It uses Forms auhtentification.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="90" />
</authentication>
How can i bypass this for a single route, like xyz.com/us/ht/ht?
I want to bypass the whole functionality to prevent getting aspxanonymous cookies and i dont want entries in the membership db for this route.
If you are using MVC4 just add the [AllowAnonymous] tag to your controller action.
Otherwise do it in your web.config like this
<configuration>
<location path="route/thatanon/isallowed">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
One way to solve this is to use a custom AnonymousIdentificationModule for the route /us/ht/ht/.
The stuff is handled here ->
System.Web.Security.AnonymousIdetificationModule
I am trying to create my own form-authentication view in MVC application, but my site appear not to find the Login function.
I first tried to create a regulr view, and call the function using ajax, but it didn't work, so I tried to use form and submit as following:
<form method="post" action="~/Login/Login_btnClick">
<input type="submit" name="Login" value="Login" />
of course I also declared in the web config it's form authentication, and set the login page to be the link:
<authentication mode="Forms">
<forms loginUrl="~/Login/Login" defaultUrl="~/Home/index" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
I also used locations so my javascripts and css files will be found. As I got the
Failed to load resource: the server responded with a status of 400 (Bad Request)
error, I tried to add also the Controllers folder to locations:
<location path="Controllers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
But it still got me the same error....
Any idea what might solve my problem ?
Thanks
You should create a corresponding controller action that will handle the form submission. So for example if you have the following form:
<form method="post" action="/Login/LogOn">
<input type="submit" name="Login" value="Login" />
</form>
then you should create a LogOn action on your Login controller:
[HttpPost]
public ActionResult LogOn()
{
...
}
Also the snippet you have shown from your web.config in which you are disabling access to the Controllers folder is absolutely unnecessary. In ASP.NET MVC controllers are compiled and when you deploy your application such folder doesn't exist at all.
In addition to that authorization in ASP.NET MVC is controlled with the [Authorize] attribute, not in web.config using the <authorization> tag. So for example if you want to protect a certain controller action from being accessible only to authenticated users you simply decorate it with this attribute:
[Authorize]
public ActionResult Index()
{
...
}
Here are some tutorials on the ASP.NET MVC site which illustrate how you could implement authentication and authorization in an MVC application.
Also when you create a new ASP.NET MVC 3 application using the Internet Template there's already an AccountController created for you as well as the corresponding views. You could play with this out-of-the-box template to better understand the concepts.
Thanks, I got the solution....
I should have done 2 things:
1. Change the
<deny users="?" />
to:
<allow users="?" />
change in my form the action so it should be: #Url.Action("MyLoginFunc", "MyLoginController")
Hi i using this article as my app base.
https://blogs.msdn.com/hammett/archive/2009/04/23/mef-and-asp-net-mvc-sample.aspx
In my UI.master file i show images by <%= Url.Content("~/Content/Shared/Images/logo.png")
In my LoginExtension.dll i have AccountControler and all ok.
But when i try to write in web.config:
<authorization>
<deny users="?"/>
</authorization>
I show my login page without images,css files and js, its seems like invalid path. To show images i delete
Url.Content and write only image name...
How can i fix it ? What i do wrong?
Thanks a lot
When you use the authorization tag you are allowing only authenticated users to access those resources. I would recommend you using the [Authorize] attribute on your controllers/actions to define authorization instead of using this tag.