I have written a custom Membership Provider and Role Provider and locally these work great. They are pulling all the correct data and writing correctly.
However, when I deploy this project to the web server, I receive a 500.19 error pointing to the web.config file. I have narrowed the issue to the declaration of the membership provider:
<connectionStrings>
<add name="ProjectConnectionString" connectionString="blahblahblah" providerName="System.Data.SqlClient" />
</connectionStrings>
<membership defaultProvider="CustomMembership">
<providers>
<clear/>
<add name="CustomMembership" type="CustomMembership.CustomMembershipProvider" connectionStringName="ProjectConnectionString"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="60"
applicationName="/" />
</providers>
</membership>
Has anyone seen this issue before, or have an idea what could be causing it?
Technology
asp.net 4.0 with mvc3
locally - VS 2010
server - Server 08
As far as I can see from using Google, the main reason for this is insufficient permissions, as the error message says. Your file permissions do not allow the IIS_IUSRS user (or, if your application pool is running as a custom user, that user) to access web.config (or probably any of the files).
One easy way to test this is to prevent remote access to the website and give everyone full rights to that folder, just to see that it is a permission issue.
Related
I have a MVC 4 web application which I want to implement SqlRoleProvider and Windows Authentication into it.
After searching Google, I added the SqlRoleProvider tables to my database by running the aspnet_regsql command in the VS command prompt.
Then I added this to my web.config:
<authentication mode="Windows" />
<roleManager enabled="true">
<providers>
<clear />
<add connectionStringName="PortalDbContext" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
<add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
</providers>
</roleManager>
Now I need to know how I can manage roles. I mean, how do I create/edit/delete roles and assign/un-assign users from roles?
Should I create these pages myself, or is there something already available, maybe with NuGet?
I usually just roll my own. And this has been years, not sure if it's supported anymore, but you can use the ASP.NET Web Site Administration Tool if you're on IIS. It's slow and clunky but, if I recall, gets the job done.
I have a basic MVC site built on Umbraco 6.1.2 and hosted with 1&1 (1and1) using their shared Windows hosting.
The site works perfectly on my local machine but once deployed it throws an encoding error on Firefox, Chrome and IE (other browsers untested, but I assume this will affect all browsers). The back office is accessible and I am able to log in and navigate through the content tree, it is just the rendering of the site content using MVC and Razor which appears to be affected by the problem.
I disabled gzip in Firefox (using this method: http://forgetmenotes.blogspot.co.uk/2009/05/how-to-disable-gzip-compression-in.html) and the website worked as expected, therefore I can only assume that this is an issue with 1&1's gzip configuration.
Has anybody had the same issue? Is it related to Umbraco or has anyone seen the same problem with standard MVC applications?
You should probably enable gzip in your web.config
<system.webServer>
<httpCompression directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll"/>
<dynamicTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</dynamicTypes>
<staticTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</staticTypes>
</httpCompression>
<urlCompression doStaticCompression="true" doDynamicCompression="true"/>
</system.webServer>
There are a few more tricks here: Setting the gzip compression in asp.net
I have found the cause of the problem. I commented out all references to ClientDependency in the Web.config and now my site runs as expected. It seems as though that module is attempting to compress content but failing. This forum post helped locate the issue: http://our.umbraco.org/forum/ourumb-dev-forum/bugs/13525-Client-Dependency-Module-playing-havoc-with-gzip-content-compression
This causes some problems with the core product and is therefore not a fix, it does however give us a starting point for investigations into how the problem can be resolved.
I have updated the Umbraco issue tracker with this information. For those who are interested see here: http://issues.umbraco.org/issue/U4-2203
I'm running an MVC4 website on Windows Azure. I've created a worker role to perform scheduled tasks. One of these tasks requires deleting users who have not confirmed their registration for a long time. I need to use SimpleMembershipProvider in my worker but I can't configure it. I get exceptions saying the roleManager feature is not enabled. I've tried adding the following to my app.config (found somewhere on the internet, can't find any documentation for it):
<system.web>
<roleManager enabled="true" defaultProvider="WebConfigRoleProvider">
<providers>
<add name="WebConfigRoleProvider" type="WebConfigRoleProvider.Core.WebConfigRoleProvider"/>
</providers>
</roleManager>
</system.web>
and now I get errors about WebConfigRoleProvider missing from some assembly.
Please help...
First post here on stackoverflow but I love the site!...
I've successfully created a fully functioning Azure hybrid model application using MVC 4. Published and works great. Now I want to add ACS for auth to my site. I've followed all the steps but when I run the app in simulation it fails to re-direct to ACS and offers up the page stating that it couldn't find login.aspx.
I have created a simple website solution just to prove that my ACS is setup correctly and it works just fine. I noticed that the web.config files of the two solutions were wildly different.
Anyone tried to do this yet? Any help would be appreciated.
--------- Solution -----------
I finally got everything to work. The key was to remove the WebMatrix.WebData references since I didn't need to do my own auth. The following came from MVC4 Release notes.
When WebMatrix.WebData.dll is included in the /bin directory of an ASP.NET MVC 4 app, it takes over the URL for forms authentication. Adding the WebMatrix.WebData.dll assembly to your application (for example, by selecting "ASP.NET Web Pages with Razor Syntax" when using the Add Deployable Dependencies dialog) will override the authentication login redirect to /account/logon rather than /account/login as expected by the default ASP.NET MVC Account Controller.
Open your web.config file.
Locate the Authentication node.
Change it from:
<authentication mode="Forms" />
To:
<authentication mode="None" />
Comment here, if it doesn't help, and what is the result after changes to web.config.
As a side question - how did you add reference to the ACS namespace - via "right click -> Add STS Reference", or manually changed the web.config ?
Make sure that the required Modules are registered with the web server:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="ClaimsPrincipalHttpModule" type="Microsoft.IdentityModel.Web.ClaimsPrincipalHttpModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
<add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
<add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
</modules>
...
</system.webServer>
Also make sure that you have the microsoft.identityModel section, and that you have the federatedAuthentication node within it:
<federatedAuthentication>
<wsFederation passiveRedirectEnabled="true" issuer="https://[your_namespace].accesscontrol.windows.net/v2/wsfederation"
realm="http://127.0.0.1:81/" requireHttps="false" />
<cookieHandler requireSsl="false" />
</federatedAuthentication>
Where "realm" shall be a valid URL for the Relying Party Application. And requireHttps="false" is to simplify the development process.
When you debug it locally, make sure you are running the Cloud project (which uses IIS), and not the Web Project (which will use Cassini / webdevserver, which does not understand the system.webServer section!)
On the first run of my mvc "hello world", i get a couple of buttons; home, about and log on. If I create a user account on the log on, where is the data stored? Is it secure enough to just leave it as is when the time comes to develop my application or should this be going to a database (if it isn't already)?
Thanks for your time.
ASP.Net MVC and WebForms share many of the same components including membership storage, authentication, authorization. These components are used on thousands of public sites around the internet.
Membership
The default ASP.Net MVC template uses the same SqlMembershipProvider as WebForms to store membership information. If you look in the web.config file you'll see the configuration section under the <membership/> element, it'll look like this;
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
It references the connection string named ApplicationServices which you'll find defined at the top of the config file:
<connectionStrings>
<add name="ApplicationServices"
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
</connectionStrings>
This mounts the aspnet.mdf file found in your application's App_Data directory using a locally installed instance of Microsoft Sql Server Express.
You can easily upsize this to full SQL Server by copying the MDB file to your SQL Server, mounting it, and updating the connection string.
Authentication
Authentication is again handled by the same FormsAuthentication class used for WebForms, it is also configured in the web config file:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
Authorization
The default template also has configuration entries for SqlRoleProvider, and WindowsTokenRoleProvider which can be used to store and retrieve roles for your users from the database or ActiveDirectory respectively. Role managers are configured in the <roleManager/> element.
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
Roles are by default disabled, you can enable support for roles by changing the enabled attribute of the roleManager element from false to true.
Once you have roles configured, you can use ASP.Net authorization elements to control access to resources on your site. You can also use Authorize attributes on your controllers and/or actions for more finely grained access control. You don't have to use roles for authorization, usernames work just fine, but doing so will make management of authorization much easier.
Security
All of these modules are written using industry accepted security best practices. Authentication is handled by IIS, which can use Digest or Windows Integrated auth, both secure methods; because of browser support, anything you wrote yourself would be restricted to these methods as well.
The passwords are stored hashed in the database with a salt making brute-force attacks with methods such as rainbow tables much more difficult. The providers also support password complexity, and expiration out-of-the-box.
The authentication tokens are securely encrypted with a machine specific key and signed with a MAC to ensure that they haven't been tampered with, only then are they stored in a client-side cookie.
Testability
Even though the security is quite standard, one emphasis that MVC proponents encourage which these components don't make simple, is testing. This issue however can be worked around fairly simply with some strategically placed interfaces, a couple facade classes, and some dependency injection (which is supported by default in MVC3 now).
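An added example, not code from any of the posts above: a Python check that parses a web.config and reports the transport and password settings that appear on this page, namely requireHttps="false" and requireSsl="false" from the federatedAuthentication snippet and the forms and membership attributes from the default template. The sample file is constructed, and the function name and the MIN_PASSWORD_LENGTH threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample that merges settings quoted in the posts above (not a real site's file).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="2880" />
    </authentication>
    <membership>
      <providers>
        <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider"
             enablePasswordRetrieval="false" minRequiredPasswordLength="6" />
      </providers>
    </membership>
  </system.web>
  <microsoft.identityModel><service><federatedAuthentication>
    <wsFederation passiveRedirectEnabled="true" realm="http://127.0.0.1:81/" requireHttps="false" />
    <cookieHandler requireSsl="false" />
  </federatedAuthentication></service></microsoft.identityModel>
</configuration>"""
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold, not a value from the page

def _is(value, expected):
    return (value or "").strip().lower() == expected

def audit_web_config(xml_text):
    """Return (element, attribute, reason) tuples for weak auth settings."""
    root = ET.fromstring(xml_text)
    findings = []
    for forms in root.iter("forms"):
        # requireSSL defaults to false, so a missing attribute is also a finding.
        if not _is(forms.get("requireSSL"), "true"):
            findings.append(("forms", "requireSSL", "auth cookie may be sent over HTTP"))
    for ws in root.iter("wsFederation"):
        if _is(ws.get("requireHttps"), "false"):
            findings.append(("wsFederation", "requireHttps", "issuer redirect not limited to HTTPS"))
    for handler in root.iter("cookieHandler"):
        if _is(handler.get("requireSsl"), "false"):
            findings.append(("cookieHandler", "requireSsl", "session cookie not marked Secure"))
    for prov in root.findall(".//membership/providers/add"):
        if _is(prov.get("enablePasswordRetrieval"), "true"):
            findings.append(("membership", "enablePasswordRetrieval", "passwords are recoverable"))
        fmt = prov.get("passwordFormat")
        if fmt is not None and not _is(fmt, "hashed"):
            findings.append(("membership", "passwordFormat", "passwords are not stored hashed"))
        length = prov.get("minRequiredPasswordLength")
        if length is not None and int(length) < MIN_PASSWORD_LENGTH:
            findings.append(("membership", "minRequiredPasswordLength", "below policy minimum"))
    return findings
```

Run against a deployed site's web.config, an empty result means none of these development-time settings carried over.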
Yes, it's stored in a database. The database is in the App_Code folder under the name of ASPNETDB.MDF. You can configure it at your web.config file.
Is it secure? Well, IMHO, it is. But I really don't like this approach, I prefer to design my own authentication service and have full control over it. If you're going to stick with this method, you should read more about ASP.NET Membership Provider with Forms Authentication.
I'm taking the answer to the next logical step: OK, so I know it is in ASPNETDB.MDF, so how can I browse the table?
(at least it was my next logical question)
Here is a good link: http://learningsqlserver.wordpress.com/2011/02/13/how-can-i-open-mdf-and-ldf-files-in-sql-server-attach-tutorial-troublshooting/
Essentially:
Run SQL Server Management Studio (menu shortcut under "Microsoft SQL Server ####")
Connect Object Explorer to your SQLEXPRESS server
Right-click on Databases and choose Attach...
Browse to your MDF file
If you create a default ASP.NET MVC 3 app and look in the web.config, you'll see:
<add name="ApplicationServices"
connectionString="data source=.\SQLEXPRESS;Integrated Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true"
providerName="System.Data.SqlClient" />
And
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false"
maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10"
applicationName="/" />
</providers>
</membership>
This appears to attempt to connect to a local SQL Server Express instance and load aspnetdb.mdf from the app data folder. The membership.providers key then references System.Web.Security.SqlMembershipProvider, and references the ApplicationServices connection.
The database is created automatically by ASP.NET. This feature uses ASP.NET's built-in membership feature. You should look at it first: http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx
Also look at the Models folder; you will see the account model there. And look at the Controllers folder; there you will see the AccountController. Review the code and you will figure it out.