Resstrict anonymouse user to access the site - piranha-cms

We are building a website inwhich user must be authenticated before access the site. However, I don't know if it's possible to do that in Piranha?
I used
<authorization>
<deny users ="?"/>
</authorization>
but it does not work.
Is anyone know how to do that?
Thanks

Piranha CMS uses forms authentication, so the above should work if you add a login url to the forms configuration in the web.config. I have used that setup myself for a couple of projects.
If you want to set restrictions on page level you can do this under Settings for a page, where you can choose the group needed to view the page.
If you're using MVC you can also add the [Authorize] attribute to your controllers/actions as usuall. Basically the normal steps should apply!
Regards

Related

Securing Kentico Media Library file from direct URL access

I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, then any authenticated user can gain access to my media library files if they enter in the full URL. This violates my attempts at media library access based on role membership; since I dont want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know runAllManagedModulesForAllRequests attribute is mandatory only for different extensions (different from .aspx). If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got solution for you. It seems that runAllmanagedModulesForAllRequests attribute kills Anonymous Authentication setting so Kentico serves data after successful authentication. I`ve found workaround so you can forbid access to media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
into your web.config inside configuration section.

Can I use the Sitefinity Membership Provider for aspx pages that are included in my Sitefinity application

I would like to be able to add aspx pages to my sitefinity project and secure the pages using the Sitefinity Membership provider. Specifically I will need to set the security level of pages in specific folders by adding allow and deny elements to the web.config.
<authorization>
<allow roles="Admin, Customers"/>
<deny users="*"/>
Is this possible out of the box? If not can anyone suggest an approach that might achieve the same/similar affect?
One way I would approach this is to extract the logic of the aspx pages into user controls (ascx) and register them as widgets in Sitefinity.
Then create the page in Sitefinity and add the widget on it.
Finally, use the Permissions on the page level to determine who can do what.
You could create a widget that works like this:
parse the url of the Sitefinity page being visited
use the url parameters to load the content for that url from the aspx
return the content to the visitor in Sitefinity
You could then create a single page for each group you want to control access for.
Oh, it's important to let Sitefinity know that you've handled the dynamic URL so it doesn't throw a 404.

Redirect user if not logged-in in Kentico

I am very new to Kentico CMS and started implementing the basics.
I have Login button webpart which redirect me to page say 'Welcome.aspx'.
Now, what I am struggling with is if directly open 'Welcome.aspx' without login,
it should redirect to another page. Can anyone please help me in doing this?
If I understood correctly, you want the Welcome.aspx to require users to log in. If so, you can achieve that by adjusting page's ACLs at Page -> Edit -> Security and setting the Website logon page URL at Settings -> Security & Membership.
You can either set the page to be accessible by certain roles or at least require authentication.
There is an example in Corporate sample site - in section Partners.
Assuming you are using the recommended Portal Engine development model, you can set the permissions of the page on the Properties>Security tab. There you'd add a role of not authenticated and set the property to deny. Also ensure you have a default "login" page set in the settings.

MVC application most page requests being redirected to /login.aspx?ReturnUrl=

I have installed an MVC4 application provided by a third party on our web server and most requests are being redirected to http://domain.com/login.aspx?ReturnUrl=requestedpage.
The website does not have any form of authentication and it does not have this or any other login page.
The default page loads but none of the page resources (like images, CSS, etc) loads as each of those is being redirected to the non-existent login.aspx page. Even a webservice request gets redirected.
I have done lots of searching online and tried the usual fix of <add key="autoFormsAuthentication" value="false" /> but it doesn't make any difference. I also tried <authentication mode="None" />.
It is IIS8.5 on Server 2012 and anonymous access is enabled throughout.
I just tried installing MVC4 directly on the server and this did not help.
Can anyone help?
This problem turned out to be caused by the anonymous user account not being set to the ApplicationPoolIdentity.
I fixed this after finding the answer on another question.

Sharepoint FBA 2010 : Custom Application Page (Sign-in Page) redirection issue

I have configured FBA on Sharepoint 2010 site. And its working fine when I use the OOTB login page which is available at _form/default.aspx.
Now I have created my own Login.aspx page and configured the web application to get redirected to this custom page. This page I have kept it at Layouts/CustomFBA/Login.aspx location under 14 Hive. I followed this blog post to create and configure the login page.
I have included a user sign in page link at the bottom of this login page which is another application page.
I have updated the web.config of the web application to allow users to reach to the user sign-in page without getting authenticated or redirected to login page again. Ideally this should work, but somehow whenever I click that link I am being redirected back to the login page. I will really appreciate if somebody can help me in this regard
==========================================================
As I have mentioned earlier,the custom login page is working perfectly fine. But, I have link on the login page which take the users to a sign-in(UserSignin.aspx) page which is also kept in the /_layouts/CustomFBA/ folder. The problem is when I click the link, I am coming back to the Login page again.
As per some of the blog which I read, they have mentioned to allow user to view such page which should not ask for any authentication, we have to include the tag (mentioned by djeeg) in web.config of the web application. So I have done that as well.
But this is also not resolving the problem. I am still coming back to Login.aspx page when I click that "Sign-in" link on the Custom Login Page. I hope I have made my problem clear here.
Thanks & Regards,
Paddy
By default, SharePoint application pages added in Visual Studio inherit from the LayoutsPageBase class (MSDN: represents an application page to which access can be limited to users that possess certain rights).
Change the base class of the UserSignin.aspx page to UnsecuredLayoutsPageBase (MSDN: represents the base class for application pages that explicitly do not require the user to have any permissions, such as the access denied page).
Try adding this to your web.config
<location path="_layouts/CustomFBA/Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
That should then allow anonymous access to your custom login page