Trying to set security on Controllers and Content - asp.net-mvc

So I am having this issue of getting CSS files applied through the masterpage. I had another question: Can't get CSS loaded in Master page that helped me to apply the link tag correctly (or different options).
This is confirmed in Firebug where the call is coming back 302 found, but the styles are not being applied.
This question lead to another contributor pointing out possible access issues to the controller/content in my Web.config. Thus the reason for this question separate "Security" related question.
I have went through a number of full MVC app tutorials such as NerdDinner (v.1, v.2) and Pro MVC 2's not to mentioned a good bit of reading material in my pursuit to learn ASP.NET MVC - and I have not come across any details on access to sources such as /Content to anonymous users just to load css files. Nor have I read anything that MVC takes the approach that it is entirely locked down and you must open specific areas to specific roles/users/everyone OR open it all up for everyone.
So I still have the problem of not being able to get CSS rules applied even though it shows that the .css file is being found (302). But another issue is that I am seeing a second call to load the file in the console:
localurl.com/Account/Logon?ReturnURL=%2Content%2AdminViews.css
But errors with a 500.
Now I have commented out the logon URL line in my web.config "Authentication" section, and there is no route that I can see in my route dictionary.
Any thoughts on both of these related issues?
UPDATE
I found that the problem with why the redirection to the
localurl.com/login.aspx?returnurl=content/adminview.css
was that theforms authentication (in IIS) was enabled with the properties set to "Login.aspx". Changing this generated an ACL rights (yellow screen of death) when accessing the file directly
localurl.com/contents/adminview.css
I found adding users to the content directory (i.e. IUSR account) would rectify this issue.
So I now need to find what the proper way to set security. What account I should use ...etc. I did already have the IUSR_ComputerName already given access, which my understanding is the default IIS anonymous user account. So why this wouldn't be enough to access resources in the ~/contents/ directory is beyond me.

You could allow access to these resources using web.config.
<location path="Content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Related

Redirecting legacy URLs in DotNetNuke

We are building a revamped version of our old site in DotNetNuke. There are many pages that link to pages on our old site and we would like those old URLs to still lead to relevant information on the new site. The old URLs end in a variety of extensions, and sometimes in no extension (our old site is a mishmash of several platforms as well as static files). Does a DNN plugin exist that allows for such redirects? Friendly URLs aren't entirely adequate.
note: I realize that this could be handled in IIS, but we would like our non-coder, non-admin site manager to be able to handle this dynamically.
You will probably want to use a Module like this
http://www.dnnsoftware.com/forge/open-url-rewriter-for-dnn-dotnetnuke/view/extensiondetail/project/openurlrewriter
There is another option though. You can actually put URL records into the database directly, I believe you would simply add a record to the TabUrls table, the TABID is the page in DNN you want to point to. Then you put in the URL, and the HTTPStatus of 301.
You could do that for all the old pages if you know where they need to be mapped to in DNN.
You have to force all request through the ASP.NET pipeline, and you can do that by adding only this single line to the web.config of your application:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

MvcSiteMapProvider - Prevent display/serving sitemap.xml

I have a web app that uses MvcSiteMapProvider, but I don't want it to server /sitemap.xml as every page but the login page requires authentication, so there is no need for the public to see my sitemap.
Is there a way to turn off the the /sitemap.xml file in config? Or a way to do it with RoutesConfig?
As per the documentation, if using internal DI, you can disable the /sitemap.xml endpoint using the MvcSiteMapProvider_EnableSitemapsXml setting.
<appSettings>
<add key="MvcSiteMapProvider_EnableSitemapsXml" value="false"/>
</appSettings>
If using external DI, you need to remove this line from the /App_Start/MvcSiteMapProviderConfig.cs file (or anywhere else it may exist in your application startup code).
// Register the Sitemaps routes for search engines
//XmlSiteMapController.RegisterRoutes(RouteTable.Routes);
FYI - although this setting does what you asked, there really was no problem to begin with. Search engines do not scan web sites for XML sitemap files, they have to be explicitly submitted. According to the sitemap protocol, they can be submitted via HTTP request, via search engine control panel, or by adding the location to the \robots.txt file. But none of these are done without explicit intervention on the part of the webmaster. In all cases, the webmaster chooses the URL that the XML sitemap will be hosted at. Unlike the \robots.txt file, there is no default location for it. We chose the most reasonable logical path \sitemap.xml, but technically it could be anything.

Avoiding Resharper <location> web.config Warnings with MVC and WebAPI

ReSharper 7.1.1 code inspection falsely reports <location> elements in a web.config file as being redundant if they concern URLs that do not directly correspond to folders in your source tree. If you're using ASP.NET MVC or Web API, it's normal to have URL paths that don't correspond directly to any particular physical folder.
If you run solution-wide inspection, you get two warnings, and I've been able to disable one of them, but I can't work out how to disable the second.
The first is the "Redundant location element" warning. ReSharper fades out the entire location section. Here's an example of something it'll fade out:
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You need this configuration if you're using federated login via ACS, and you want to offer a metadata endpoint for that. But there will be no corresponding path of this name.
(Strictly speaking this particular has nothing to do with MVC or Web API. I gave this example because it's quite a common one. However, my project also has several <location> elements corresponding to paths handled through MVC and Web API routing configuration, and they have the same problem. The root cause seems to be the same: ReSharper can't see anything corresponding to this location in the project, so it concludes, incorrectly, that it's wrong. It afflicts MVC and Web API controllers, and also any paths that are available due to things like modules.)
It's easy enough to get rid of this first warning: you can turn it off in the Inspection Severity settings.
Then you end up with a second warning: "Location element is unused: no project item found at FederationMetadata" (and similar warnings for each of the controllers that have corresponding <location> elements).
This one only appears in the "Inspection Results" panel that appears when you inspect the entire solution. None of the usual inspection widgets appear when you look in the source file itself. And weirdly, this one doesn't seem to have an option to be disabled.
I know you can right-click and select "Hide..." (although that appears to think this is a "Redundant location" issue, the one I've already disabled in the settings), but as far as I can tell, hiding inspection results is local to my machine. I want to configure the team shared dotsettings so that it doesn't show this warning anywhere.
I'm aiming for clean inspection results for all users without making each user hide results. Resharper is reporting this issue spuriously - the web.config is fine, it's just that R# has misunderstood it. Does anyone know how I can make this second warning go away? (Or, better, is there some way I can empower R# to be able to know that these 'hidden' locations really do exist?)
I just added this:
<!-- ReSharper disable WebConfig.RedundantLocationTag -->
<!-- ReSharper disable WebConfig.WebConfigPathWarning -->
<location path="api">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<!-- ReSharper restore WebConfig.RedundantLocationTag -->
<!-- ReSharper restore WebConfig.WebConfigPathWarning -->
You can change the R# settings so that they are not local to your machine.
In VS, click the RESHARPER menu, then click Manage Options...
Double click the team-shared item (should be the middle one, between This computer and personal).
By changing settings here, it will create a [ProjectName].csproj.DotSettings file in your project. If you check this file into source control, the settings will be shared with other R# users who develop on the project. AFAIK, any setting you can change (for example telling R# that an inspection severity should be different than the default), you should be able to add to the team-shared settings.
As for your web.config error, I have an even bigger beef with R# because when it is enabled, I lose intellisense on web.config and app.config files. You may be able to tell R# to ignore the error with the following, though I'm not sure it is the solution you are looking for because it will ignore all R# issues with the web.config file.
After double-clicking to edit your team-shared settings (described above), click the Settings item under Code Inspection on the left menu.
Click the Edit Items to Skip button.
Under Files and folders to skip when analysing, click Add File....
Navigate to your web.config file and add it.
This tells R# to ignore the entire web.config file when analysing. Again, not sure if this is the solution you want, but it may work to suppress the false suggestions you are seeing.
Update (reply to comments)
You can in fact change the inspection options from the VS context menu. When the Inspection Options dialog comes up with the radio buttons (Do not show - Error), there is a Save To button. Click that to save the settings to your team-shared DotSettings.
It seems that there are two pieces to this:
Configuring a web path is the best way to deal with both errors
Apparently you have to move the setting out of your DotSettings.user file and into your shared team file by hand
If you click on the offending path attribute (putting the caret in the attribute value) and then wait for the R# popup thing to appear, its menu should offer a way to create a 'path mapping' or to edit the existing mappings for the site. You can use this to tell R# where the actual file corresponding to the path is. Or, since there is no such file in this case, you can just set the action to Ignore for this path.
With that in place, neither of the warnings mentioned will appear.
Unfortunately, the Path mapping dialog is (like the Filter Issues dialog) one of those which only has a "Save" button, and no "Save To" button, offering no control over where the settings will go. In practice, they seem to end up in the <project>.DotSettings.user file for the web project.
But it turns out to work just file if you open that file in a text editor, cut the settings out of there, and paste them into your team-shared solution settings. That appears to get rid of both warnings in a way that should apply to everyone in the project.
(You should be able to use a similar trick for the "Filter Issues" settings, although you need to look in a different place. Those end up in your global settings, but you can use the Manage Options dialog to export those, and then you can open up the exported settings, and copy them into the team-shared solution settings.)

login/logout issue for multiple IIS applications under the same site

I have 2 applications under the same website in IIS7.5. The problem is the follow:
Open the browser and login the first application;
Open another browser tab and login the second appication;
The first application automatically logout.
I have the same asp.net authentication DB but I created two different users with different roles and different ApplicationId. I also set different applicationName attribute in membership provider configuration in applications web.config file.
Can you help me please? Sorry for my English.
Thanks.
If the IIS website is configured to use Forms-Based Authentication, then the problem is most likely that the cookie for the 2nd login (which is a different user) is overwriting the cookie from the initial login. By default, the cookie is named ".ASPXAUTH". You should be able to verify this by inspecting the response headers returned from IIS using something like Fiddler.
You can control the cookie name IIS uses to maintain the session by changing the "name" attribute in the element in the web.config. See this documentation for more details. An example of this portion of the web.config would be something like:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="APP1SESS" />
</authentication>
If the applications are contained within single, separate sub-folders, then you could also use the "path" attribute instead to tell the browser to only send the cookie for requests in that sub-folder. Be careful here as any shared resources like images that are not in the sub-folder would need to be publicly accessible.
The //authentication/forms element can only be specified at the root level of the application. Check this SO post for a discussion on that.

Images not showing on published ASP.NET MVC Website [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Images in CSS not showing in ASP.NET MVC
I have already asked this but didn't receive an answer that fixed it. I'm asking again because I have tried everything I can think of and am absolutely stuck. My previous question was here: CSS images not showing in ASP.NET MVC
I have an ASP.NET MVC application with images in an ~/image/ directory. When I run it in development, the images show fine. When published, they do not show at all. I don't think it is a reference path issue because I've tried every combination of ../, ./, ~/, etc. I can think of. Neither css references, <img> or <asp:Image> tags work and all have the same problem. I've tried editing windows security on the image and all parent folders to no avail.
When I mouse over the image path in firebug, the image preview box just spins as though the image is found but can't load.
The very strange thing is that when I try to go to the image directly (www.web.com/images/image.png), I am redirected to the default log in page. The default account controller that ASP.NET MVC puts in projects is in my app, but I have not implemented any log in controls yet. So I think it's an issue with authentication. Or perhaps it is an IIS issue?
I appreciate any help you can give. I have been stuck on this for almost a week and may have to abandon images all together I can't get this sorted.
The redirect to a logon page is a usual indicator that your IIS security is set to force authentication before displaying the contents of the specified directory. The images subdirectory is one of those usually permitted to be visible even by unauthenticated users.
Add this to your web.config file under the <configuration> element to allow unfettered access to the contents of that directory:
<location path="images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Check the path in firebug. Is it correct?
Are you using the helper to generate the URL? Something like:
<img src='<%= Url.Content("~/images/image.png")' />
I FINALLY figured it out. The image file in question was encrypted. Right click the image file -> properties -> advanced button on general tab -> uncheck "Encrypt contents to secure data" -> OK -> OK.
The tip off finally came when I noticed the file name was green in windows explorer. I see green file names all the time with no problems so I didn't think anything of it. Then I noticed it was the only green file in the entire web app folder. Put 2 and 2 together and it worked instantly. Thanks everyone for your help.
I reread and see that you are using iis instead of casini. Does it work in casino. If it does, then we are dealing with an iis config issue. Sometimes you need to run aspnet_regiis.exe to register asp.net with iis. Seems like a long shot since the other parts of the page are rendering. Worth a try. Here is a link with some additional info http://www.devx.com/vb2themax/Tip/18849.
Just for kicks, put some images under a different folder and try and see if you can hit them without having to authenticate, it would be good if you posted your web.config

Resources