Configuring Membership Provider with credentials setup in web.config - asp.net-mvc-4

I'm trying to implement Forms Authentication in ASP.NET MVC4 application and I've only one user who is going to get authenticated to do some admin activities.
<authentication mode="Forms">
<forms timeout="2880" loginUrl="~/Admin/Login" slidingExpiration="true">
<credentials passwordFormat="Clear">
<user name="user" password="password"/>
</credentials>
</forms>
</authentication>
When I try to use the FormsAuthentication.ValidateUser method I get an obsolete warning and I'm supposed to use now Membership class.
My question is how I can configure the membership provider in web.config to use the credentials set up in the web.config. What provider should I specify in the name attribute?

Unfortunately, there is no built-in membership provider for the mechanism of storing the credentials in the web.config as you describe. You could write your own to invoke the FormsAuthentication.Authenticate method or call this from your own custom login control's code-behind.
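As an added example (not code from the question or the answer, and not ASP.NET's own implementation), here is a small Python model of the check that FormsAuthentication.Authenticate performs against the <credentials> element, so the effect of passwordFormat can be tried offline. It assumes ASP.NET's documented behaviour: user names match case-insensitively, passwordFormat defaults to SHA1, and the SHA1/MD5 formats hold unsalted upper-case hex digests of the UTF-8 password that are compared case-insensitively; the web.config text is constructed for the demo.

```python
# Added example: a Python model of FormsAuthentication.Authenticate's lookup
# against <credentials>. Assumptions are stated in the lead-in; the sample
# web.config produced by sample_config() is constructed for this demo.
import hashlib
import hmac
import xml.etree.ElementTree as ET


def hash_for_config(password: str, password_format: str) -> str:
    """Value for the password attribute under a given passwordFormat
    (what the obsolete HashPasswordForStoringInConfigFile produced).
    Note that SHA1/MD5 here are single, unsalted digests."""
    fmt = password_format.lower()
    if fmt == "clear":
        return password
    if fmt in ("sha1", "md5"):
        return hashlib.new(fmt, password.encode("utf-8")).hexdigest().upper()
    raise ValueError("unsupported passwordFormat: " + password_format)


def authenticate(web_config: str, name: str, password: str) -> bool:
    """True when name/password match a <user> under <credentials>."""
    creds = ET.fromstring(web_config).find(
        "system.web/authentication/forms/credentials")
    if creds is None:
        return False
    fmt = creds.get("passwordFormat", "SHA1")  # ASP.NET default is SHA1
    for user in creds.findall("user"):
        if user.get("name", "").lower() != name.lower():
            continue
        stored = user.get("password", "")
        given = hash_for_config(password, fmt)
        if fmt.lower() != "clear":  # hex digests compare case-insensitively
            stored, given = stored.upper(), given.upper()
        # constant-time comparison against the configured value
        return hmac.compare_digest(stored.encode(), given.encode())
    return False  # no such user


def sample_config(password_format: str) -> str:
    """Constructed web.config with one user, as in the question, with the
    password attribute filled in for the requested passwordFormat."""
    return """<configuration><system.web>
<authentication mode="Forms">
  <forms loginUrl="~/Admin/Login" timeout="2880" slidingExpiration="true">
    <credentials passwordFormat="{fmt}">
      <user name="user" password="{pw}"/>
    </credentials>
  </forms>
</authentication>
</system.web></configuration>""".format(
        fmt=password_format, pw=hash_for_config("password", password_format))
```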

Related

MVC 4 Windows Authentication all pages ask for credentials

I have a mvc 4 intranet application.
All pages ask for credentials; when I provide these the application tries to redirect to a login.aspx page.
Please assist, this web application needs to login automatically based on Active Directory.
Been battling with this for 3 days now
First thing: if you are using Windows authentication, the page should not redirect to the login page. It shows an error message instead.
In the web.config file, make this modification:
<authentication mode="Windows" />
Comment out the following lines:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
In Visual Studio, select the project name and press F4, then enable the following:
Windows Authentication
Anonymous Authentication
Place the authorization filter globally or at controller level.
Run the application.

ServerVariables["REMOTE_USER"] is blank when using Windows Authentication in MVC 4

I have an ASP MVC 4 application which uses a 3rd party HTTP module for security. When using Windows authentication it will attempt to automatically log you in, if that fails, then it will redirect you to a custom login page.
This has been working fine for previous ASP Webforms and MVC 2-4 applications, but for this particular application it is failing to automatically log the user in.
The application's virtual directory has all of the authentication modes disabled (anonymous etc) except for Windows authentication which is enabled. I have also checked that the provider is Negotiate and NTLM.
The web.config is a pretty standard one that you get from the MVC template and I have tried various web.config changes to system.web and system.webServer (and changing app pool's pipeline mode) such as:
<system.web>
<authentication mode="Windows"/>
and also adding
<authorization>
<allow users="*" />
<deny users="?" />
</authorization>
But in each case the security module cannot get the user name. The module attempts to get the user name via HttpContext.Current.Request.ServerVariables["REMOTE_USER"], but I have also modified it to use HttpContext.Current.User.Identity.Name and in both cases it is blank.
Since this module has been working fine for years and still works for other applications on the same server, I believe it is an IIS or Web.config configuration issue. I have tried creating a new virtual directory and it has the same error.
Is there any additional configuration required or another reason why it is not working for this particular application?
The solution was to add the following to the appSettings section of my web.config:
<appSettings>
<add key="autoFormsAuthentication" value="false" />
<add key="enableSimpleMembership" value="false"/>
</appSettings>
This is the first time that I have needed to add such a thing, so I am not sure why it is necessary, but it does work.

How to deny all authenticated user access with SimpleMembershipProvider in ASP.NET MVC 4

I am working on an ASP.NET MVC 4 application that is using SimpleMembershipProvider. It turns out that all the content will require authentication, and a colleague of mine told me that adding this:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="15" slidingExpiration="true" enableCrossAppRedirects="false" protection="All" />
</authentication>
In fact I already had this - <forms loginUrl="~/Account/Login" timeout="2880" /> so I guess the key is protection="All", but the problem is that it's not working. At least not the way that I expect it to.
When I start my application I'm still routed to /home/index (haven't changed the default route) but if I add [Authorize] :
[Authorize]
public class HomeController : Controller
then I'm getting redirected to the login page.
I wasn't able to find an explanation of the different attributes used in <forms../> and the different values that they can take, but it seems logical that the one that should make all controllers behave like they have the [Authorize] attribute is protection="All", so am I using it in a wrong way, or can this attribute not be used with SimpleMembershipProvider, or something else?
but it seems logical that the one that should make all controllers
behave like they have [Authorize] attribute is protection="All"
No, that's not it at all. Forms Authentication existed in ASP.NET long before ASP.NET MVC was even in the heads of Microsoft's team designers.
protection="All" simply specifies privacy and integrity for the forms authentication ticket. This causes the authentication ticket to be encrypted using the algorithm specified on the machineKey element, and to be signed using the hashing algorithm that is also specified on the machineKey element.
Now if you want to protect all controllers in your application, you could decorate them with the [Authorize] attribute or define it as a global action filter:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new AuthorizeAttribute());
}
Now of course if all controller actions in your application require an authenticated user in order to access them, there's no way for an anonymous user to actually authenticate. You probably want to exclude the AccountController that will perform the actual authentication. This could be achieved by decorating it with the [AllowAnonymous] attribute.

Defining the login URL with [Authorize] attribute

I'm making a private-pages-only application in MVC4.
I successfully (almost successfully) created the login page using a custom Membership provider based on NHibernate and my domain's entities/repositories.
Every controller but AuthController is marked with [Authorize].
The webapp is supposed to redirect me to the login page when I'm not authorized. I created the whole app from scratch, so I know that nowhere will I find the AuthController declared as the landing URL for unauthenticated users.
How to tell MVC that?
Assuming you're using the built-in forms authentication, the URL goes into web.config, in the loginUrl attribute of the forms element.
http://msdn.microsoft.com/en-us/library/1d3t3c61(v=vs.71).aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/membership/login" />
</authentication>
</system.web>
</configuration>

WCF Authorization using IIS and ACLs

I'm trying to secure some WCF services. I'd like to use IIS or the Web.config to do all of the heavy lifting/configuration if possible. I don't want to embed anything in my code - though I know that may not be feasible. If possible, I'd like to achieve this without having to resort to AspCompatibilityMode :(
I'm using a custom BasicHttp binding with TransportCredential enabled.
This works fine. Any valid domain or machine account seems to validate against the service.
My problem is I only want users from specific Windows groups to be able to access my service. I wanted to use ACLs on the actual folders to achieve this, but I don't think it is possible.
Would appreciate your help!
Thanks
TM
In your web.config try the following:
<authentication mode="Windows" />
<identity impersonate="false" />
<authorization>
<!-- roles= is matched against Windows group membership; users= only matches individual account names -->
<allow roles="MYDOMAIN\YourGroup" />
<deny users="*" />
</authorization>
This will block it at the web.config level. You can also put an ACL on your folder. Note that Windows authentication with impersonate="false" means that it is the user's credentials that are being used to access the directory.
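The <authorization> rules in this answer and the ones tried in the REMOTE_USER question above are evaluated in order, first match wins. As an added example (not code from any post on this page, and not ASP.NET itself), here is a Python model of that rule walk, assuming ASP.NET's documented semantics: users="*" matches everyone including anonymous callers, users="?" matches only anonymous callers, roles= is tested against the principal's groups (Windows groups under Windows authentication), and a request that matches no rule is allowed because the machine-level root web.config ends with <allow users="*"/>. The verbs attribute is not modelled; all configs below are constructed.

```python
# Added example: a model of how UrlAuthorizationModule walks <authorization>
# rules (top to bottom, first match wins). Assumptions are in the lead-in;
# the three configs are constructed to mirror the ones quoted on this page.
import xml.etree.ElementTree as ET
from typing import Iterable, Optional


def is_allowed(authorization_xml: str, user: Optional[str],
               roles: Iterable[str] = ()) -> bool:
    """user=None models an anonymous request; roles are the user's groups."""
    groups = {r.lower() for r in roles}
    for rule in ET.fromstring(authorization_xml):
        if rule.tag not in ("allow", "deny"):
            continue
        names = [n.strip() for n in rule.get("users", "").split(",") if n.strip()]
        role_names = [r.strip().lower() for r in rule.get("roles", "").split(",")]
        matched = (
            "*" in names                                   # everyone
            or ("?" in names and user is None)             # anonymous only
            or (user is not None
                and user.lower() in (n.lower() for n in names))
            or any(r and r in groups for r in role_names)  # group membership
        )
        if matched:
            return rule.tag == "allow"
    return True  # fell through to the root config's <allow users="*"/>


# Rule order tried in the REMOTE_USER question: allow "*" matches first for
# every request, so the deny "?" below it is dead and anonymous callers pass.
ALLOW_ALL_THEN_DENY_ANON = """<authorization>
  <allow users="*" />
  <deny users="?" />
</authorization>"""

# The same two rules in the order that actually blocks anonymous callers.
DENY_ANON_THEN_ALLOW_ALL = """<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>"""

# The WCF answer's intent: only members of one Windows group, via roles=.
GROUP_ONLY = r"""<authorization>
  <allow roles="MYDOMAIN\YourGroup" />
  <deny users="*" />
</authorization>"""
```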