Setup:
For an ASP.NET MVC 4 app I am using Elmah.MVC 2.0.1 to log errors.
I installed Elmah.MVC using NuGet. It works fine.
Problem:
The Elmah.MVC package installs no controller or area, so I can see no obvious way to apply security via Authorize attributes, as is recommended for ASP.NET MVC.
Question:
I only want users in the Admin role to be able to view the Elmah page.
How do I do this?
Ouch!
Just found the answer;
Elmah MVC 2.0.1 NuGet package adds the following into <appSettings> (in web.config):
<add key="elmah.mvc.requiresAuthentication" value="false" />
<add key="elmah.mvc.allowedRoles" value="*" />
To achieve what I want simply:
<add key="elmah.mvc.requiresAuthentication" value="true" />
<add key="elmah.mvc.allowedRoles" value="Admin" />
I believe you can also use URL access control like this:
<location path="elmah.axd">
<system.web>
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<authorization>
<allow roles="YourRole" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="ELMAH" verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" preCondition="integratedMode" />
</handlers>
</system.webServer>
</location>
Related
Recently I have developed a very simple .net core API and then deployed the same on IIS and want to enable Windows Authentication for some users. To be able to implement it, my web.config looks like
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="Tow\USER1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\Oculus.WebApi.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
</system.webServer>
</location>
</configuration>
As it can be seen only User1 should be allowed access but everyone is able to access. My IIS authentication looks like this:
Can some one help please?
From this thread, ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this.
A wrokaround is that you could try to place inside system.webServer, which is directly for configuration of IIS.
<configuration>
<system.webServer>
<security>
<authorization>
<remove users = "*" roles="" verbs="" />
<add accessType = "Allow" users="Tow\USER1"/>
</authorization>
</security>
</system.webServer>
</configuration>
But the recommend way is that you'd better write you own custom authorization policy in asp.net core
https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2
As title, I want to disable Anonymous Authentication for my ASP.NET Boilerplate web site (MVC) in IIS Server and use Form Authentication instead. Is it possible to do this because if I disable Anonymous Authentication, my website cause an error "HTTP Error 404.15 - Not Found"
Update 1: Here is my web.config
<system.web>
<globalization culture="auto" uiCulture="auto" />
<compilation debug="true" targetFramework="4.6.1">
<assemblies>
<add assembly="System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.1" />
<customErrors mode="Off">
<error statusCode="404" redirect="~/Error/E404" />
</customErrors>
<httpHandlers>
<add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" validate="false" />
</httpHandlers>
<authentication mode="Forms" />
</system.web>
I still remember the first time I had to implement Forms Authentication in ASP. All I can say is there is a reason I only do linux based web-development now!
It is a real pain, but this should work if you don't intend on using a database to manage the users.
If you do intend to use a database then prepare yourself for a long road. U need to have the correct MSSQL database for the correct Visual studio tool and they also removed the management interface completely so you either have to design your own or use a tool that is available on the internet somewhere. I still remember I got so frustrated by the whole idea of it, that I literally wrote my own management tool I could deploy on developed sites. If it wasn't on a broken harddrive I would give it to you.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="welcome.aspx">
<credentials passwordFormat="Clear">
<user name="abhishek" password="abhi#123"/>
<user name="Kantesh" password="sinha#123" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If you plan on using a database to store your users google some tutorials.
The reason why you are getting a 404 is because you are not specifying loginUrl or it is incorrect and pointing to a non-existant page.
Hope this helps
When you disable anonymous access to all pages you cannot let users to see login page as well. what you need to to do is allowing some specific pages like login or register to be accessible.
This might not completely fits for you but you get the idea.
If it doesn't work, try removing the backslash "/" for the "/account/login" and set it like "account/login"
<configuration>
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?" /> //this will restrict anonymous user access
</authorization>
</system.web>
<location path="/account/login"> //path here is path to login page
<system.web><authorization><allow users="*" /> // this will allow access to everyone to login page
</authorization></system.web></location>
</configuration>
My server which hosts my IIS site has just rebooted, now when i navigate to my internal site, im getting a 401 challenge, it should be windows integrated. it doesnt accept credentials either.
below is the current config, it all worked prior to the reboot and i havent changed any code since. any ideas?
Thanks
webconfig
<system.web>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="en-GB" />
<authentication mode="Windows" />
<identity impersonate="true" />
<authorization>
<deny users="?" />
</authorization>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
<providers>
<clear />
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/" />
</providers>
</roleManager>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
IIS Settings
Authentication
Anyon: Enabled
ASP.net Imper Enabled
Windows Auth Enabled
Application Pool
.net 4.9
Managed pipeline intergrated
identity applicationpoolidentity
I fixed this. my server needed an SPN adding
BaseLine: ServiceStack sample works for me in a stock MVC 4 app. I am using the variant, followed all the instructions in the readme, no problems.
Plugin Framework
I am building a plugin framework for MVC and servicestack.net is one of the plugins, that being all the assemblies are plugins which get loaded, using BuildManager.AddReferencedAssembly(assembly);
BuildManager.AddCompilationDependency(assembly.FullName);
All the ServiceStack dlls are found and successfully loaded from my personal shawdowFolder.
webconfig:
<location path="api">
<system.web>
<httpHandlers>
<add path="*" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" />
</httpHandlers>
</system.web>
<!-- Required for IIS 7.0 -->
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<add path="*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory,ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" />
</handlers>
</system.webServer>
</location>
*NOTE: I am calling from Application_Start AppHost.Init(), and I can step it so ServiceStack is truly loaded and usable before the ASP.NET app goes into full swing.*
On first launch: /api/metadata results in:
Server Error in '/' Application.
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /api/metadata
Stopping the debugger and simply relaunching, which deletes all assemblies from my personal shawdowFolder, copies them, loads them, references them, results in.
A working ServiceStack.net
StarterTemplate ASP.NET Host
The following operations are supported. For a formal definition, please review the Service XSD.
etc.
I suspect that this problable has to do with .NET's shadowfolder and appdomain, but perhaps it is something with ServiceStack. Where would I find logs to see if ServiceStacks httphanderfactory is having problems.
I Changed my config as follows :
SetConfig(new EndpointHostConfig
{ ServiceStackHandlerFactoryPath = "ss"}
and my config :
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" name="ASPxHttpHandlerModule" />
<add name="FormsAuthenticationDisposition" type="ServiceStack.ServiceInterface.SuppressFormsAuthenticationRedirectModule, ServiceStack.ServiceInterface" />
</modules>
<handlers>
<add type="DevExpress.Web.ASPxUploadControl.ASPxUploadProgressHttpHandler, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET,POST" path="ASPxUploadProgressHandlerPage.ashx" name="ASPxUploadProgressHandler" preCondition="integratedMode" />
<add type="DevExpress.Web.ASPxClasses.ASPxHttpHandlerModule, DevExpress.Web.v13.1, Version=13.1.4.0, Culture=neutral, PublicKeyToken=b88d1754d700e49a" verb="GET" path="DX.ashx" name="ASPxHttpHandlerModule" preCondition="integratedMode" />
<add path="ss*" name="ServiceStack.Factory" type="ServiceStack.WebHost.Endpoints.ServiceStackHttpHandlerFactory, ServiceStack" verb="*" preCondition="integratedMode" resourceType="Unspecified" allowPathInfo="true" /></handlers>
<validation validateIntegratedModeConfiguration="false" />
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="30000000" />
</requestFiltering>
</security>
</system.webServer>
Now I have to type in the following to get to my servicestack area : http://localhost/ss/
My take on what is going wrong is that mvc/asp.net forms/ servicestack each needs one entry point to map its handler to an url route, servicestack is overriding the url route for "/" your MVC project hence no resources is found.
Thus in my application I used to seperate entries points:
*http://localhost/* .... is my normal entrypoint for webforms (in your case MVC4[stock])
http://localhost/ss .... is my servicesstack entrypoint
If you are using the MVC razor engine you won't run into this.
While developing a ASP.NET MVC4 web application with VS2010, using the Mvc.JQuery.Datatables Nuget,
I found that the EmbeddedResourceVirtualPathProvider NuGet that is referenced, worked beautifully
on my dev box, but failed miserably on my production box.
The production box is Windows 2003, with IIS6 and .NET 4.0 installed.
I searched many things on SO, and Googling, but after implementing the suggested workarounds,
it still fails:
Here's what I've done.
Implement AppInitialize as suggested by https://stackoverflow.com/a/5178993
Implemented Wildcard mapping for ASP.NET as suggested by http://haacked.com/archive/2008/11/26/asp.net-mvc-on-iis-6-walkthrough.aspx
Implemented IgnoreRoute for static files as suggested by https://stackoverflow.com/a/3144841
but it still doesn't serve all of the files. I'm getting the embedded partial views, but not
the embedded css, js, and jpg files.
My web.config has an entry for the StaticFileHandler as follows:
<system.webServer>
<handlers>
<add path="*.css" verb="GET" name="Static css" type="System.Web.StaticFileHandler" />
<add path="*.js" verb="GET" name="Static js" type="System.Web.StaticFileHandler" />
<add path="*.jpg" verb="GET" name="Static jpg" type="System.Web.StaticFileHandler" />
<add path="*.gif" verb="GET" name="Static gif" type="System.Web.StaticFileHandler" />
</handlers>
</system.WebServer>
I appear to be missing something critical. Any Suggestions?
When using IIS6, all of the items listed in #1-3 are required, but additionally, you need to
recognize that IIS6 defines its handlers as httpHandlers in the system.web section,
whereas IIS7 calls them handlers and they are in the system.webServer section of the config file.
Therefore, you need to add the following to make it work in IIS6
<system.web>
....
<httpHandlers>
<add path="*.css" verb="GET" type="System.Web.StaticFileHandler" />
<add path="*.js" verb="GET" type="System.Web.StaticFileHandler" />
<add path="*.jpg" verb="GET" type="System.Web.StaticFileHandler" />
<add path="*.gif" verb="GET" type="System.Web.StaticFileHandler" />
</httpHandlers>
</system.web>