Allow unauthorized users to access RichFaces Skin CSS files - authentication

I've created a small web application using AppFuse (with JSP as the web framework) and RichFaces. There is a page that uses rich:dataTable that should be accessible without authentication.
To make this page public I put it into a folder called "public" and added the following line to the security.xml:
<intercept-url pattern="/public/*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
The page is now accessible without authentication but the dataTable has no skin as the required CSS files are stored in a folder that apparently requires authentication...
RichFaces Skin CSS files are accessed at this path:
/a4j/s/3_3_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss/DATB/eAELXT5DOhSIAQ!sA18_.html
And when I try to access the files I get redirected to the login page.
So how do I allow unauthorized users to access these CSS files?
Thanks, Tom
EDIT: I've already tried adding the line below to security.xml but it didn't work:
<intercept-url pattern="/a4j/*" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>

Solved problem by changing the line from my edit to:
<intercept-url pattern="/a4j/**" access="ROLE_ANONYMOUS,ROLE_ADMIN,ROLE_USER"/>
The second * does the trick...but I don't know why. :)
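
Why the second * matters, as an added illustration that is not part of the original post or of Spring Security's own code: the pattern attribute of <intercept-url> is matched Ant-style, where a single * matches only within one path segment and ** crosses segment boundaries, and the rules are evaluated top to bottom with the first match winning. The Python below reimplements that subset of Ant matching and evaluates both versions of the rule against the CSS path quoted in the question. The trailing /** catch-all and the role lists in the sample rule sets are assumed for the illustration, not taken from the poster's security.xml.

```python
"""Ant-style URL matching as used by Spring Security's <intercept-url pattern="...">.

Added example: reimplements the relevant subset of Ant path semantics to show
why '/a4j/*' does not cover a multi-segment RichFaces resource URL while
'/a4j/**' does. Not the poster's code and not Spring Security's implementation.
"""
import re
from typing import Iterable, Optional, Sequence, Tuple

# (ant pattern, roles that may access matching URLs), mirroring one <intercept-url>
Rule = Tuple[str, Sequence[str]]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex.

    Subset implemented: '?' one character within a segment, '*' any run of
    characters within a segment (never crosses '/'), '**' any number of
    whole segments, including none.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        if pattern.startswith("/**/", i):
            out.append("/(?:.*/)?")      # zero or more intermediate segments
            i += 4
        elif pattern.startswith("/**", i) and i + 3 == n:
            out.append("(?:/.*)?")       # trailing /**: the prefix itself or anything below it
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")             # bare ** elsewhere: anything at all
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")          # single *: stays inside one segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def ant_match(pattern: str, path: str) -> bool:
    return ant_to_regex(pattern).match(path) is not None


def first_matching_rule(rules: Iterable[Rule], path: str) -> Optional[Rule]:
    """Spring Security applies the first <intercept-url> whose pattern matches."""
    for rule in rules:
        if ant_match(rule[0], path):
            return rule
    return None


def anonymous_allowed(rules: Iterable[Rule], path: str) -> bool:
    """True if the winning rule grants ROLE_ANONYMOUS.

    No matching rule is treated as denied here; in a real configuration the
    trailing /** catch-all is what makes that explicit.
    """
    rule = first_matching_rule(rules, path)
    return rule is not None and "ROLE_ANONYMOUS" in rule[1]


# Constructed inputs: the CSS path from the question plus assumed rule sets.
CSS_PATH = ("/a4j/s/3_3_2.SR1org/richfaces/renderkit/html/css/basic_classes.xcss"
            "/DATB/eAELXT5DOhSIAQ!sA18_.html")
PUBLIC = ("ROLE_ANONYMOUS", "ROLE_ADMIN", "ROLE_USER")
LOGGED_IN = ("ROLE_ADMIN", "ROLE_USER")

RULES_BEFORE = [("/public/*", PUBLIC), ("/a4j/*", PUBLIC), ("/**", LOGGED_IN)]
RULES_AFTER = [("/public/*", PUBLIC), ("/a4j/**", PUBLIC), ("/**", LOGGED_IN)]


if __name__ == "__main__":
    for label, rules in (("/a4j/*", RULES_BEFORE), ("/a4j/**", RULES_AFTER)):
        winner = first_matching_rule(rules, CSS_PATH)
        print(f"{label:8} -> matched by {winner[0]!r}, anonymous allowed: "
              f"{anonymous_allowed(rules, CSS_PATH)}")
```

Two practical checks follow from the same matcher. First, /public/* has the identical limitation: a JSP in a subfolder such as /public/sub/page.jsp falls through to the catch-all and will demand login, so use /public/** if the folder will ever have subdirectories. Second, rule order matters: the catch-all /** must stay last, otherwise it swallows every request before the anonymous rules are reached.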

What directory should the frontend user login template be put into?

Since I want to keep the admin login separate from the user login on my Wagtail site, I'm trying to use the login page settings mentioned in this section of the documentation to direct people to a custom login page. I added the following settings to my base.py folder in the settings directory for my WT project under #Wagtail settings:
WAGTAIL_FRONTEND_LOGIN_URL = '/login/'
WAGTAIL_FRONTEND_LOGIN_TEMPLATE = 'base/login.html'
My project is structured similar to the bakerydemo, so there is a base app that manages a lot of the shared pieces of the site. I put my login.html in the templates directory for the base app. See link below for screenshot.
Screenshot of project directories
I am getting a 404 error whenever I try to navigate to the login URL I specified. Is there a setting I missed? Did I put the template in the wrong directory? Still getting used to how WT structures projects, so any pointers would be very much appreciated.
You should only set one of WAGTAIL_FRONTEND_LOGIN_URL and WAGTAIL_FRONTEND_LOGIN_TEMPLATE, not both.
WAGTAIL_FRONTEND_LOGIN_TEMPLATE is used if you want to use Wagtail's own login view (located at the URL /_util/login/), but want to customise its template. If you're going down this route, a path like 'base/login.html' is correct - Django will search within all template directories for a file matching this path.
WAGTAIL_FRONTEND_LOGIN_URL is used if you want to provide your own view code. To use this, you'll need to write the view function (most likely inheriting from Django's LoginView) and register it in the URL config, then point WAGTAIL_FRONTEND_LOGIN_URL at the resulting URL. In this case, your view function will be responsible for rendering an appropriate template, so WAGTAIL_FRONTEND_LOGIN_TEMPLATE will not come into play.

Securing Kentico Media Library file from direct URL access

I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, any authenticated user can gain access to my media library files if they enter the full URL. This violates my attempts at media library access based on role membership, since I don't want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know, the runAllManagedModulesForAllRequests attribute is mandatory only for extensions other than .aspx. If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got a solution for you. It seems that the runAllManagedModulesForAllRequests attribute kills the Anonymous Authentication setting, so Kentico serves data after successful authentication. I've found a workaround so you can forbid access to the media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
into your web.config inside configuration section.

MVC application most page requests being redirected to /login.aspx?ReturnUrl=

I have installed an MVC4 application provided by a third party on our web server and most requests are being redirected to http://domain.com/login.aspx?ReturnUrl=requestedpage.
The website does not have any form of authentication and it does not have this or any other login page.
The default page loads but none of the page resources (like images, CSS, etc) loads as each of those is being redirected to the non-existent login.aspx page. Even a webservice request gets redirected.
I have done lots of searching online and tried the usual fix of <add key="autoFormsAuthentication" value="false" /> but it doesn't make any difference. I also tried <authentication mode="None" />.
It is IIS8.5 on Server 2012 and anonymous access is enabled throughout.
I just tried installing MVC4 directly on the server and this did not help.
Can anyone help?
This problem turned out to be caused by the anonymous user account not being set to the ApplicationPoolIdentity.
I fixed this after finding the answer on another question.

Flask-security login and logout

How do you log a user in and out in Flask using the Flask-Security extension?
I just started using flask-security, and going through the documentation here http://pythonhosted.org/Flask-Security/api.html , I can't really figure out how to explicitly log a user in and out, as well as authenticate the user before logging them in.
Flask-Security uses Flask-Login. So you can do the following as per documentation:
login_user(user) # where user is your user object
logout_user()
Obviously, you still need to write your views where you will validate the form submissions etc before calling these methods and do the proper template rendering or redirects as needed.
Go to the flask security configurations page here: http://pythonhosted.org/Flask-Security/configuration.html
and copy over all the default configuration values into your __init__.py file like:
app.config['SECURITY_LOGIN_USER_TEMPLATE'] = 'security/login_user.html'
etc...
Then you have to download the security folder which contains all the HTML templates. Put that folder in your templates folder where you keep all the other HTML templates. You can use Google to figure out where to download the folder as well as how to set up the rest of Flask-Security. I had a lot of trouble figuring out Flask-Security as well, but after poking around here and on Google, I was able to get some of it working, so don't lose faith. Hope this helps.

Sharepoint FBA 2010 : Custom Application Page (Sign-in Page) redirection issue

I have configured FBA on a SharePoint 2010 site, and it's working fine when I use the OOTB login page which is available at _form/default.aspx.
Now I have created my own Login.aspx page and configured the web application to get redirected to this custom page. This page I have kept it at Layouts/CustomFBA/Login.aspx location under 14 Hive. I followed this blog post to create and configure the login page.
I have included a user sign in page link at the bottom of this login page which is another application page.
I have updated the web.config of the web application to allow users to reach the user sign-in page without getting authenticated or redirected to the login page again. Ideally this should work, but somehow whenever I click that link I am being redirected back to the login page. I would really appreciate it if somebody could help me in this regard.
==========================================================
As I have mentioned earlier, the custom login page is working perfectly fine. But I have a link on the login page which takes users to a sign-in page (UserSignin.aspx) which is also kept in the /_layouts/CustomFBA/ folder. The problem is that when I click the link, I come back to the login page again.
As per some of the blogs I read, to allow a user to view such a page without being asked for any authentication, we have to include the tag (mentioned by djeeg) in the web.config of the web application. So I have done that as well.
But this is also not resolving the problem. I am still coming back to Login.aspx when I click that "Sign-in" link on the custom login page. I hope I have made my problem clear here.
Thanks & Regards,
Paddy
By default, SharePoint application pages added in Visual Studio inherit from the LayoutsPageBase class (MSDN: represents an application page to which access can be limited to users that possess certain rights).
Change the base class of the UserSignin.aspx page to UnsecuredLayoutsPageBase (MSDN: represents the base class for application pages that explicitly do not require the user to have any permissions, such as the access denied page).
Try adding this to your web.config
<location path="_layouts/CustomFBA/Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
That should then allow anonymous access to your custom login page