Securing Kentico Media Library file from direct URL access - authorization

I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement, which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, any authenticated user can gain access to my media library files if they enter the full URL. This violates my attempts at media library access based on role membership, since I don't want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!

As far as I know, the runAllManagedModulesForAllRequests attribute is mandatory only for extensions other than .aspx. If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got a solution for you. It seems that the runAllManagedModulesForAllRequests attribute kills the Anonymous Authentication setting, so Kentico serves data after successful authentication. I've found a workaround so you can forbid access to the media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
into your web.config inside configuration section.
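Putting both pieces together, here is what the relevant parts of the web.config look like once the sitemap module setting and the location-based deny from the answer are combined. This is an added illustration, not the answer's or Kentico's own file; the site name, library name and the exact attribute position are placeholders you substitute for your own, and the note about permanent URLs is an assumption you should confirm with a direct-URL request after deploying.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <!-- Required by the Google Sitemaps guide for ~/googlesitemap.xml.
         Side effect described in the question: managed modules now run for
         every request, including static files, so the physical media path
         is no longer protected by the IIS anonymous-authentication setting. -->
    <modules runAllManagedModulesForAllRequests="true">
    </modules>
  </system.webServer>

  <!-- Path is relative to the application root.
       "MySite" and "MyMediaLibrary" are placeholders. -->
  <location path="MySite/media/MyMediaLibrary">
    <system.web>
      <authorization>
        <!-- "*" is every user, authenticated or not: any request for the
             physical file path gets a 401, regardless of role membership.
             Assumption: the media gallery web part's permanent URLs are
             served through Kentico's own handler and not through this
             physical path, so they keep working. Verify that after deploying. -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Role-based access to the library then stays where the question already has it, in the Kentico media gallery web part and library permissions, while the physical folder is closed to everyone.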

Related

Anonymous access to web site default doc

We have a web site in IIS 7, that has a default document (index.asp) set. The entire site uses basic authentication except the index.asp page. This is working correctly if I enter the domain with the actual page name (www.mysite.com/index.asp). However, without the page name (www.mysite.com) I am prompted for credentials, even though it is the same page.
I've tried various web config changes and tried it with anonymous user set to the app pool and the IUSR account and it doesn't work either way. I'm thinking maybe I need to enable and then configure URL rewriting for this site but I'm not positive.
If you need any other info let me know.
thanks!

Can I use the Sitefinity Membership Provider for aspx pages that are included in my Sitefinity application

I would like to be able to add aspx pages to my Sitefinity project and secure the pages using the Sitefinity Membership provider. Specifically I will need to set the security level of pages in specific folders by adding allow and deny elements to the web.config.
<authorization>
  <allow roles="Admin, Customers"/>
  <deny users="*"/>
</authorization>
Is this possible out of the box? If not, can anyone suggest an approach that might achieve the same/similar effect?
One way I would approach this is to extract the logic of the aspx pages into user controls (ascx) and register them as widgets in Sitefinity.
Then create the page in Sitefinity and add the widget on it.
Finally, use the Permissions on the page level to determine who can do what.
You could create a widget that works like this:
parse the url of the Sitefinity page being visited
use the url parameters to load the content for that url from the aspx
return the content to the visitor in Sitefinity
You could then create a single page for each group you want to control access for.
Oh, it's important to let Sitefinity know that you've handled the dynamic URL so it doesn't throw a 404.

MVC application most page requests being redirected to /login.aspx?ReturnUrl=

I have installed an MVC4 application provided by a third party on our web server and most requests are being redirected to http://domain.com/login.aspx?ReturnUrl=requestedpage.
The website does not have any form of authentication and it does not have this or any other login page.
The default page loads but none of the page resources (like images, CSS, etc) loads as each of those is being redirected to the non-existent login.aspx page. Even a webservice request gets redirected.
I have done lots of searching online and tried the usual fix of <add key="autoFormsAuthentication" value="false" /> but it doesn't make any difference. I also tried <authentication mode="None" />.
It is IIS8.5 on Server 2012 and anonymous access is enabled throughout.
I just tried installing MVC4 directly on the server and this did not help.
Can anyone help?
This problem turned out to be caused by the anonymous user account not being set to the ApplicationPoolIdentity.
I fixed this after finding the answer on another question.

Restrict anonymous users from accessing the site

We are building a website in which the user must be authenticated before accessing the site. However, I don't know if it's possible to do that in Piranha?
I used
<authorization>
  <deny users="?"/>
</authorization>
but it does not work.
Does anyone know how to do that?
Thanks
Piranha CMS uses forms authentication, so the above should work if you add a login url to the forms configuration in the web.config. I have used that setup myself for a couple of projects.
If you want to set restrictions on page level you can do this under Settings for a page, where you can choose the group needed to view the page.
If you're using MVC you can also add the [Authorize] attribute to your controllers/actions as usual. Basically the normal steps should apply!
Regards

In IIS7, how can I require Authentication on specific directories?

I have a website on Win 2008 and IIS7. Some directories have admin specific pages and I don't want regular site users to be able to access them.
What I would like is, if the user tries to load a page from a specific directory, for the site to pop up a Windows authentication window if the user has not already authenticated.
Can this be done? Preferably just by setting web.config keys?
Yes, use <location></location> tags to override the current IIS settings at that level and set new ones.
Reference: http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
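As an added example (not from the answer or from Microsoft's reference), this is what such a <location> override looks like for a single admin directory on IIS 7 with Windows authentication. The directory name "admin" is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Applies only to /admin; every other directory keeps the site defaults. -->
  <location path="admin">
    <system.web>
      <authorization>
        <!-- "?" is the anonymous user. Unauthenticated requests get a 401,
             which is what makes the browser show the Windows credentials
             prompt. Authenticated users fall through and are allowed. -->
        <deny users="?" />
      </authorization>
    </system.web>
    <system.webServer>
      <security>
        <authentication>
          <!-- Switch this directory from anonymous to Windows authentication.
               Caveat: both of these sections are locked at the server level
               in applicationHost.config by default; unlock them there (or via
               Feature Delegation in IIS Manager) before web.config can set
               them, otherwise IIS returns a 500.19 configuration error. -->
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

After deploying, request a page under /admin once without credentials and confirm the 401 challenge, then once with a valid domain account to confirm it loads.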