Security :: Grant Access To Default Page For All Users - Authenticated & Non-Authenticated?
Aug 18, 2010
I've a default.aspx page in my application's root folder. I added a a page in the root of inetpub that redirects requests to the default page. The idea is that the user need only enter the server name to get to the default page. How can I set things up so that all users have access to the default.aspx and that they only have access to the other pages once they've been authenticated?
I am using Windows Integrated Security and the users are being challenged and authenticated properly. I want them to be able to access Default.aspx without any challenges.
(On a side note which may answer this question, when using WIS does the user *allows* have to be challenged? Isn't it possible to pass through their Windows User and ID without the prompt?)
edirect.aspx (set as default document in IIS and simple executes Response.redirect("sites/mercury/default.aspx")
c:documents and settingsall usersdocumentswebsitesmercurydefault.aspx (home page for the site & server)web.config includes
I have an MVC 3 application which uses asp.net authentication. I have just created a custom errors controller and a couple of views for unknown errors and 404's. This works fine when I am logged into the application but if an internal server error happens during logon I would like to display the error/unknown view. However I just keep getting redirected back to the login as I am not authenticated.
I have added a location path for 'Views/Error' to my Web.config to allow access to all users but I am guessing it's the controller access that is causing the redirection.
Is there any way you can allow this in MVC or do I need to think of another solution? Just did not want to add a generic message to the login page as that's what my unknown error view is for.
I'm setting up a new web forms app and want to use ASP.NET membership. All my users must be authenticated. What is the best way to implement this?I'd love to deny all unauthenticated users in the root folder of the app by setting this in web.config but then where would I put the login folder? I'd like the login folder to be a subfolder of my root folder so that the URL can be www.myapp.com/login/Another idea is not to put the restriction in the web.config but put the logic in Session_Start in global.asax but I really like the idea of controlling who can see what using web.config files.
I am using the membership provider and am reasonably comfortable that all of my web pages are safe.Some of the pages contain hyperlinks to documents (pdf, xls, etc.) stored in a folder under the root of the web site. I have disabled the ability of users to anonymously list folder contents, but I don't see a way to keep anonymous users from accessing the documents if they know the specific URL for that document. Example; if the document contains a spreadsheet of current sales, I don't want an ex-employee (who captured the URL while working here) to be able to bring up the current document.asswording the documents isn't a good choice because there are hundreds and we'd like to avoid changing them all every time someone leaves, or weekly, or whenever...Is there a way to restrict access to all contents of a web folder to people who have been authenticated?
I am not able to allow/deny users based on roles in the web.config (using <location path>). The following does not work even if the user is in the 'Admin' role:[Code]....
I am able successfully execute IsUserInRole() and GetRolesForUser() in the codebehind and get expected results. The same applies to the web.sitemap, adding roles in there do not seem to apply to the user even if he is a member of the role.
Here is my web.config (trimmed some sections out so it's not too long):[Code]....
This causes even the authenticated users but unauthorized resource requested users to redirect to logon page. but i need only to redirect this page if user try to access unauthorized page and not already authenticated(logged on) and redirect to custom page.
Is there easy way to do this without writing custom action filter?
Why can I still access files inside a forms authenticated part of my site? Any webpages say that you need to login to view them, but people can still access images by typing in the address bar. I am using forms authentication with my own database, so none of the aspnetdb services like membership roles etc. Is this a bad way to do things because I'm pretty deep into it now and it would be very difficult to change.
I need to check if an authenticated user is authorized to access a directory. I have done this before with a base class library method, I just cannot remember what class it's part of or what it's name was. I think the method was a static method and the class may have had the word Utility in it's name, but I just can't remember or find it on the net. BUT I KNOW I HAVE USED IT! The method definition was something like:
Ok so I've created a login page that accesses my Active Directory and challenges against it. What I would like, is if a user is logged onto the computer within the intranet with Active Directory Credentials for them to bypass the login to the web page.
However if they are outside of the building on a random computer, they should be presented with a login box just like they are now.
I want to show this video only to my registered users on my website, since the video is on second server, how can I protect it?
I thought I could build an application and install it on second server, this app will watch whether the requested url is for videos, if so then it'll redirect the user to my login page and here he'll be authenticated and again redirected to the same video url.
As part of my new user setup, when they sign up for an account I create want to be able to create a directory under a Documents folder for them and then write a web.config file in that folder limiting access to it to the new account. However because they are still in the process they are an unauthenticated user at that point (Forms authentication), and I get an error that they don't have rights to that folder I want to create their sub-folder in. What do I need to set the folder security at to be able to create a folder and a file in that folder from code?
I have a login page. Once a user is authenticated they are redirected to another page, (called pg2). I don't want just anyone typing in the url and getting to pg2. If they are not authenticated I want them to redirect to login.aspx. To achieve this, I'm using this code below. But it's not working. I am using a nested master page and I don't know if this is causing the problem.
I have used the Forms Authentication for logging in and in that i have created the Forms Authentication Ticket and in that ticket i have passing the data with comma seperated values.how can i get the data which is in the ticket to access in the Authenticated user pages
I have a web application on IIS that will authenticate using windows authentication (Active Directory). So when they access the application http://iisserver/webappname/ it ask for username pwd and domain. (currently working) How can I get information of the authenticated user in the web app through c#?
I got only one ideas to control with the session. When user log into the master page, I insert the current login user and session ID and active status to the SQL table. if user logout manually or close the browser or session expired, I want to change the inactive status. So I can check how many active user are there and the system can prompt the required info to the user. But now, I can't find the soultion to change the inactive
status in above condition.
That doesn't seem right to me. I m sure I 'm making incorrect assumption about this matter.
i have created a custom principal class, and a custom Identity.
named SystemIdentity and SystemPrincipal.
SystemIdentity class has some additional properties ( UserID, UserName, Age, ...)
in my Global.asax file I changed PostAuthenticateRequest event as bottom
i wonder theese questions answer now:
1. where i can assign the additional properties of SystemIdentity ( UserID, UserName, Age, ...) 2. which Identity is Authenticated by FormsAuthentication.SetAuthCookie? is my custom Identity, or GenericIdentity?
Since I need user click a link from his/her email once they registered, currently after user registered, and click the "Continue" button (CreateUserWizard1_ContinueButtonClick) or CreateUserWizard1_UserCreatedSuccess, it will be authenticated, how do I prevent this until they click the active link from their email?
I currently have a ProfileCommon enabled on my site and would like to know where I would start to transfer this ProfileCommon's context to a user's profile after he/she has logged in. Here is a snippet of how I have defined this ProfileCommon:
In one website I am working on we're using a java applet in 2 places: the 1st one in a public area where it works just fine and one in a protected folder where it just doesn't work. The protection is performed with forms authentication. The error is shown below. Any clue ?
java.lang.ClassFormatError: Incompatible magic value 218774561 in class file activeup/activeupload/UploadApplet at java.lang.ClassLoader.defineClass1(Native Method) at java.lang.ClassLoader.defineClassCond(Unknown Source) at java.lang.ClassLoader.defineClass(Unknown Source) at java.security.SecureClassLoader.defineClass(Unknown Source) at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source) at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source) at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Exception: java.lang.ClassFormatError: Incompatible magic value 218774561 in class file activeup/activeupload/UploadApplet