In my MVC application, I decorated a controller with
[AuthorizedRoles(Roles = "Manager")]
and I am trying to get the requesting user's name using HttpContextBase:
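public class AuthorizedRoles : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
// Identity.Name comes back null here
string userName = httpContext.User.Identity.Name;
return base.AuthorizeCore(httpContext);
}
}
Why is Identity.Name null?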
Web.config looks like
<authentication mode="Windows" />
<authorization>
<allow users="*"/>
</authorization>
Please help me get the requesting user.
Okay this is what you need to do!
I don't know what to set in the web.config, but changing these options makes it work. To get this screen, select your project and press 'F4'.
EDIT: I imagine you will need to configure this in IIS when you host the site as well.
This might help in the web.config
<system.webServer>
....
<security>
<authentication >
<anonymousAuthentication enabled="false"/>
<windowsAuthentication enabled="true"/>
</authentication>
</security>
</system.webServer>
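A small checker for the settings discussed in this thread, as an added example that is not part of the original posts: it reads a web.config and lists what would let a request through without a Windows identity. `WindowsAuthConfigCheck` and both sample configs are constructed for illustration; values missing from the file are reported as unknown because they may be set at the IIS server level.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

// Added example, not code from the posts above. Names are hypothetical.
public static class WindowsAuthConfigCheck
{
    public static List<string> Check(string webConfigXml)
    {
        var findings = new List<string>();
        XElement root = XDocument.Parse(webConfigXml).Root;
        XElement web = root.Element("system.web");
        XElement iis = root.Element("system.webServer")?.Element("security")?.Element("authentication");

        string mode = (string)web?.Element("authentication")?.Attribute("mode");
        bool? anonymous = (bool?)iis?.Element("anonymousAuthentication")?.Attribute("enabled");
        bool? windows = (bool?)iis?.Element("windowsAuthentication")?.Attribute("enabled");
        bool deniesAnonymous = false;
        foreach (XElement deny in web?.Element("authorization")?.Elements("deny") ?? new XElement[0])
            deniesAnonymous |= (string)deny.Attribute("users") == "?";

        if (mode != "Windows") findings.Add("system.web authentication mode is not Windows");
        if (anonymous == true) findings.Add("anonymousAuthentication is enabled");
        if (anonymous == null) findings.Add("anonymousAuthentication not set here; check the IIS site settings");
        if (windows != true) findings.Add("windowsAuthentication not enabled here; check the IIS site settings");
        // With anonymous access possible and nothing denying "?", no 401 challenge
        // is sent, so the request stays anonymous and Identity.Name stays empty.
        if (anonymous != false && !deniesAnonymous)
            findings.Add("nothing denies anonymous users (no <deny users='?'/>)");
        return findings;
    }

    public static void Main()
    {
        // Constructed samples: the question's settings, then the answer's settings.
        string asked = "<configuration><system.web><authentication mode='Windows'/>" +
            "<authorization><allow users='*'/></authorization></system.web></configuration>";
        string answered = "<configuration><system.web><authentication mode='Windows'/></system.web>" +
            "<system.webServer><security><authentication>" +
            "<anonymousAuthentication enabled='false'/><windowsAuthentication enabled='true'/>" +
            "</authentication></security></system.webServer></configuration>";

        foreach (string xml in new[] { asked, answered })
        {
            List<string> findings = Check(xml);
            Console.WriteLine(findings.Count == 0 ? "OK" : string.Join("\n", findings));
            Console.WriteLine("---");
        }
    }
}
```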
Related
Framework asp.net core 2.2 -
During development I managed to get the Windows logged-in user on localhost (IIS Express):
[Route("getUser")]
[HttpGet]
public IActionResult GetUser()
{
var NullUser = User.Identity.Name; //return null
var currentUser = System.Security.Principal.WindowsIdentity.GetCurrent();
return Ok(currentUser.Name);
}
and LaunchSettings.json:
"iisSettings":{
"windowsAuthentication": false,
"anonymousAuthentication": true
...
}
So far, so good !
Now - I'm publishing the application to an IIS, with the web.config:
<system.web>
<authentication mode="Windows"></authentication>
<identity impersonate="false" /> <!-- This is because I'm getting the username by code -->
</system.web>
<system.webServer>
<aspnetCore processPath=....... forwardWindowsAuthToken="true" hostingModel="InProcess">
</aspnetCore>
<security>
<authentication>
<anonymousAuthentication enabled ="false" />
<windowsAuthentication enabled ="true" />
</authentication>
</security>
</system.webServer>
These are the basic properties of the application pool which the application works with:
.NET CLR version: No Managed Code
Managed pipeline mode: Integrated
Advanced:
Process Model:
Identity: ApplicationPoolIdentity
And then, when running the application, I'm getting error 500.19 pointing on the authentication section (ignore typo errors - it is free text writing - not copy + paste):
AnonymousAuthenticationModule
Config error
This configuration section cannot be used at this path. This happens when the section is
locked at a parent level. Locking is either by default (overrideModeDefault="Deny"), or set
explicitly by a location tag with overrideMode="Deny"; or the legacy allowOverride="false".
Config Source:
<authentication>
<anonymousAuthentication enabled ="true" />
<windowsAuthentication enabled ="true" />
I am pretty sure "anonymousAuthentication enabled" should be set to false.
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/
As @Lex Li mentioned, the problem was configuration line items which are relevant not to ASP.NET Core but to ASP.NET 4.5. I removed them as he advised.
<authentication mode="Forms">
<forms loginUrl="https://Login.Url.I.Have.To.Use" name=".Name" protection="Validation" path="/" slidingExpiration="true" timeout="10" cookieless="UseCookies" requireSSL="false" />
</authentication>
I have this entry in my Web.Config which works fine to direct the application to the desired loginUrl. The problem is that when I set the loginUrl here it no longer adds the returnUrl so after login it just stays on the loginUrl instead of going back to the requested page. Does anyone know why this would cause the returnUrl not to get set and how I can fix it?
If I don't set the loginUrl then it does add the returnUrl, but it tries to go to the default login.aspx which does not exist.
Can't believe it took me 2 days to figure this out, but the problem was just that I had left
<authorization>
<deny users="?" />
</authorization>
out of the web.config
I am familiar with:
WebSecurity.IsCurrentUserInRole("Admin")
But this does not seem to work any more. Is there another way I can check in my controller if a user is in a role when I am using SimpleMembership?
You can use
if (User.IsInRole("Admin"))
{
}
And webConfig
<system.web>
<roleManager enabled="true" />
....
After Comment
you can use something like this:
foreach (string rolesForUser in Roles.GetRolesForUser(User.Identity.Name))
{
if (User.IsInRole(rolesForUser))
{
}
}
I think there is an elegant way to do this...
You'll need to have a RoleProvider setup as well
Since you are using SimpleMembership, you probably should use SimpleRoleProvider as well.
You can either create the roles programmatically by calling Roles.CreateRole or use the RoleManager web interface.
<roleManager enabled="true" defaultProvider="simple">
<providers>
<clear/>
<add name="simple" type="WebMatrix.WebData.SimpleRoleProvider,
WebMatrix.WebData"/>
</providers>
</roleManager>
I have deployed an MVC3 and WCF web service as a single application. Both work as expected. GET and POST requests work perfectly, but the PUT and DELETE requests return 404 errors. These work fine locally. Initially it was requesting a username/password for PUT/DELETE requests.
Here is my WebServer config from my web.config file
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAVModule" />
</handlers>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="*"
verbs="GET,HEAD,POST,DEBUG,PUT,DELETE" />
</authorization>
</security>
</system.webServer>
Here are my PUT and DELETE methods:
[OperationContract]
[WebInvoke(UriTemplate = "{id}", Method = "PUT")]
public MyResource Put(MyResource updatedResource, int id)
{
MyResource existingResource = Database.GetResourceById(id);
existingResource.Name = updatedResource.Name;
Database.SaveResource(existingResource);
return existingResource;
}
[OperationContract]
[WebInvoke(UriTemplate = "{id}", Method = "DELETE")]
public MyResource Delete(int id)
{
MyResource sampleResource = Database.DeleteResourceById(id);
return sampleResource;
}
My set up:
.NET 4.0
MVC3
IIS 7.0
Note: I am on a shared hosting plan and therefore do not have direct access to IIS 7.0, so I need to make changes via the web.config file.
Enable Tracing on your service and see why you get a 404 error when you try for a PUT or DELETE action.
I've setup and deployed a simple forms authentication website with membership using .NET 4.
I've created a virtual directory (now converted to "Application") in IIS7 and setup the web.config file in the virtual directory as follows:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
</configuration>
Great! I browse to the virtual directory: ../mydomain/books/
and I'm automatically redirected to the login page specified by web.config in my root directory and the url path is placed as follows:
../Account/Login.aspx?ReturnUrl=%2fbooks
At this point, I log in successfully, but I am not redirected anywhere, and when I manually return to the directory, ../books, I'm sent back to the login page, where I'm already logged in?
So I'm confused about what my problem is! I should be successfully authenticated, and then redirected back to the directory, or at the very least be able to view it manually after I log in, right?
Since I had to solve this myself, I thought I may as well post it for others in case their search brings them here.
This is everything you'll need to use Forms Authentication, allow your formatting to be exposed to anonymous users, pass credentials between an existing .Net (.aspx) web site and an MVC web application and redirect to a given url after login.
Use whatever pieces you are looking for.
Make sure your Virtual Directory/Virtual Application path for your .Net web application (.aspx) is outside of the Views directory. Also make sure you set up your Virtual Directory/Application in IIS.
I used Entity Framework and Identity with a SQLServer database to validate my users.
Your Virtual Application/Directory .Net (.aspx) web.config file needs to contain this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<!-- other stuff -->
<system.web>
<authentication mode="Forms">
<forms
loginUrl="login.aspx"
name=".AUTHCOOKIE"
protection="All"
path="/"
domain="your_domain.com"
enableCrossAppRedirects="true"
timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<machineKey
validationKey="your validation key"
decryptionKey="your decryption key"
validation="SHA1"
decryption="AES"
/>
<!-- other stuff -->
</system.web>
<location path="/path/to/your/site.css">
<system.web>
<authorization>
<allow users="?"></allow>
</authorization>
</system.web>
</location>
<!-- other stuff -->
</configuration>
Then, in the code behind your login.aspx page you'll need something like this:
protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
{
string username = Login1.UserName;
string pwd = Login1.Password;
/* do your authentication here
connect to user store
get user identity
validate your user
etc
*/
if (user != null)
{
FormsAuthentication.SetAuthCookie(username, Login1.RememberMeSet);
// Issue the ticket for the name just validated; User.Identity is still the anonymous principal during this request.
System.Web.HttpCookie MyCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(username, false);
MyCookie.Domain = "your_domain.com";
Response.AppendCookie(MyCookie);
Response.Redirect("~/path/to/your/index.aspx");
}
else
{
StatusText.Text = "Invalid username or password.";
LoginStatus.Visible = true;
}
}
Now, in your MVC application's web.config file add this:
<configuration>
<!-- other stuff -->
<system.web>
<authentication mode="Forms">
<forms
loginUrl="Account/Login"
name=".AUTHCOOKIE"
protection="All"
path="/"
domain="your_domain.com"
enableCrossAppRedirects="true"
timeout="30"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<machineKey
validationKey="your validation key"
decryptionKey="your decryption key"
validation="SHA1"
decryption="AES"
/>
<!-- other stuff -->
</system.web>
<location path="/path/to/your/site.css">
<system.web>
<authorization>
<allow users="?"></allow>
</authorization>
</system.web>
</location>
<!-- other stuff -->
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthenticationModule"/>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule"/>
<remove name="UrlAuthorization"/>
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"/>
</modules>
</system.webServer>
<!-- other stuff -->
</configuration>
Your MVC AccountController Login method should look something like this:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
if (ModelState.IsValid)
{
/* do your authentication here
connect to user store
get user identity
validate your user
etc
*/
if (user != null)
{
await SignInAsync(user, model.RememberMe);
FormsAuthentication.SetAuthCookie(model.Email, model.RememberMe);
// Issue the ticket for the name just validated; User.Identity is still the anonymous principal during this request.
System.Web.HttpCookie MyCookie = System.Web.Security.FormsAuthentication.GetAuthCookie(model.Email, false);
MyCookie.Domain = "your_domain.com";
Response.AppendCookie(MyCookie);
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Home");
}
}
else
{
ModelState.AddModelError("", "Invalid username or password.");
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
Finally, your MVC AccountController log off method is this:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult LogOff()
{
AuthenticationManager.SignOut();
FormsAuthentication.SignOut();
return RedirectToAction("Login", "Account");
}
You need to add code to redirect to the "ReturnUrl" URL noted in the query string from within your Login page after you login.
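One way to honour `ReturnUrl` in a Web Forms login page without redirecting off-site, as an added example that is not part of the original answers: it applies the same kind of local-URL test the MVC answer performs with `Url.IsLocalUrl`. `ReturnUrlGuard`, the fallback path and the sample values are constructed; `%2fbooks` is the value from the question.

```csharp
using System;

// Added example, not code from the posts above. Names are hypothetical.
public static class ReturnUrlGuard
{
    // True only for targets inside this site: "/books", "/books?p=2", "~/books".
    // "//host" and "/\host" are rejected because browsers treat them as another host.
    public static bool IsLocal(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        if (url.Length > 1 && url[0] == '~' && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
        return false;
    }

    // rawValue is the still-encoded query value; Request.QueryString["ReturnUrl"]
    // is already decoded, so pass that straight to IsLocal in a real page.
    public static string ResolveTarget(string rawValue, string fallback)
    {
        string decoded = Uri.UnescapeDataString(rawValue ?? "");
        return IsLocal(decoded) ? decoded : fallback;
    }

    public static void Main()
    {
        // Constructed inputs; the first is the ReturnUrl value from the question.
        string[] samples =
        {
            "%2fbooks",
            "%2f%2fother-site.example%2fbooks",
            "https%3a%2f%2fother-site.example",
            "%2f%5cother-site.example",
            ""
        };
        foreach (string raw in samples)
            Console.WriteLine("{0,-36} -> {1}", raw, ResolveTarget(raw, "/Default.aspx"));
        // In the login handler, after the credentials check succeeds, redirect to
        // the resolved target instead of a hard-coded page.
    }
}
```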