
Secure .aspx pages

11 posts, 0 answered
  1. Guenni
    8 posts
    Registered:
    14 Jul 2008
    08 Sep 2008

    Hello,
    I'm confronting confusing authorization problems.

    I created a website with sitefinity, it contains 3 pages.

    Login.aspx
    public.aspx
    onlyAdmin.aspx
     
    All contain a template, where I dragged a SiteMenu control, a LoginStatus control and a UserName control.
    I have two roles, each with 1 user: admin (administrators role) and user1 (MyMembers role).

    In my web.config I specified that onlyAdmin.aspx could only be viewed by users of the administration role
    Like this:

    <location path="onlyAdmin.aspx">
      <system.web>
        <authorization>
          <allow roles="administrators"/>
          <deny roles="MyMembers"/>
          <deny users="?"/>
          <deny users="user1"/>
        </authorization>
      </system.web>
    </location>

     

    I even specified that particularly user1 should not be granted access.

    This is written in the authentication tag:

    <authentication mode="Forms">
      <forms name=".ASPNET" loginUrl="~/sitefinity/login.aspx" protection="All" timeout="1440" path="/"/>
    </authentication>

    <authorization>
      <allow users="?"/>
    </authorization>
     


    If I browse the website all pages are still displayed in the SiteMenu regardless of whether I'm logged in or not, or whatever role I'm logged in with.

    I have a former website where the results are successful; I can't view the denied pages if I'm not logged in or belong to a denied role.

    I also noticed a strange behaviour if I visit onlyAdmin.aspx. I can't logout via the LoginStatus control. It just refreshes this page and remains logged on.
    On the other pages I'm able to logout without any problems.

    Could anyone explain this strange behaviour, and help me secure my aspx pages.

    Thnx in advance

    ~Guenni~
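
Added example (not part of the original post, and not Sitefinity or ASP.NET code): a simplified Python model of how ASP.NET URL authorization evaluates the `<location>` rules above for a physical file, where the first matching rule wins and inherited rules are consulted after local ones. It assumes the site-level `<allow users="?"/>` from the post and the framework default `<allow users="*"/>` as inherited rules; `Rule`, `decide`, `HARDENED_RULES` and the `editor1`/`Editors` principal are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    users: tuple = ()      # user names, "?" (anonymous) or "*" (everyone)
    roles: tuple = ()

    def matches(self, user, user_roles):
        for u in self.users:
            if u == "*" or (u == "?" and user is None):
                return True
            if user is not None and u.lower() == user.lower():
                return True
        have = {r.lower() for r in user_roles}
        return any(r.lower() in have for r in self.roles)


# Rules from the <location path="onlyAdmin.aspx"> block in the post, in order.
LOCATION_RULES = [
    Rule("allow", roles=("administrators",)),
    Rule("deny", roles=("MyMembers",)),
    Rule("deny", users=("?",)),
    Rule("deny", users=("user1",)),
]
# Inherited (assumption of this model): the site-level <allow users="?"/>
# from the post, then the framework default <allow users="*"/>.
INHERITED_RULES = [Rule("allow", users=("?",)), Rule("allow", users=("*",))]

# Constructed hardened variant: allow the one role, deny everyone else.
HARDENED_RULES = [
    Rule("allow", roles=("administrators",)),
    Rule("deny", users=("*",)),
]


def decide(location_rules, user, user_roles=()):
    """Return the action of the first matching rule, local rules first."""
    for rule in location_rules + INHERITED_RULES:
        if rule.matches(user, user_roles):
            return rule.action
    return "deny"  # not reached while the default allow-all is inherited


if __name__ == "__main__":
    principals = [  # constructed principals
        ("admin", ("administrators",)),
        ("user1", ("MyMembers",)),
        (None, ()),                      # anonymous visitor
        ("editor1", ("Editors",)),       # authenticated, in neither role
    ]
    for user, roles in principals:
        print(user or "(anonymous)", decide(LOCATION_RULES, user, roles),
              decide(HARDENED_RULES, user, roles))
```

An authenticated user in neither named role matches no local rule in the deny-list and is let through by the inherited allow; the allow-then-deny-all form closes that gap.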

  2. Ivan
    478 posts
    Registered:
    16 Jun 2015
    12 Sep 2008
    Hello Guenni,

    Is there a particular reason why you have chosen not to use Sitefinity page permissions? In our User Manual on page 246 you can find a topic named "Page Permissions" which will explain how to achieve your goal directly through Sitefinity.

    I hope you'll find this information helpful. Let us know if there is anything else we can do for you.

    Greetings,
    Ivan
    the Telerik team

    Check out Telerik Trainer, the state of the art learning tool for Telerik products.
  3. Manuel Plaza
    6 posts
    Registered:
    15 Sep 2004
    14 Nov 2009
    I have looked there already... and the options are not specific to what we are trying to achieve!

    The option of VIEW is not Authorized. Which is exactly why we were both looking in the web.config file to try to disallow non authorized users.

    We want to know how to disallow entry into the site without a log in. If you look at the ASP.NET site they have step by step instructions on how to do this. Please can you do the same, I am so frustrated and have wasted 2 days already doing what you advertised in your features page as simplistic but yet there is not one page that shows a 101 - step by step on how to do such a thing.
  4. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    15 Nov 2009
    Hello Manuel Plaza,

    You can set the Anonymous Access property to Deny for your pages and all non-authenticated users will be redirected to your login form. The settings under the authorization node of the web.config file are valid for physical files only.

    All the best,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
  5. Manuel Plaza
    6 posts
    Registered:
    15 Sep 2004
    16 Nov 2009
    Exactly where does one do this?

    * There is no anonymous role - if you mean the everyone role see next
    * there is no option to Deny role as stated if you mean that setting the Everyone role to deny is how to set the Anonymous view to authorize

  6. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    16 Nov 2009
    Hi Manuel Plaza,

    Take a look at the attached screenshot and you will find the page security options and the Anonymous access property.

    Regards,
    Ivan Dimitrov
    the Telerik team

  7. Manuel Plaza
    6 posts
    Registered:
    15 Sep 2004
    16 Nov 2009
    Ivan,

    Thank you for the screenshot. I am telling you as a user I scoured looking for that. If I can not clearly understand your documentation on where to find such things, your help documents need help! I guess I am left to asking each question, step by step.

    If we could get a 101 how to setup a membership site with self registration and custom login pages and the such it would save EVERYONE much time. I am looking through your forums and support tickets and everyone is having this problem. Another user said it best:
    "Is there any place where there is detailed documentation on how permissions work, the user manual seems to gloss over it and does not address my issue."
    If we had something similar to what the asp.Net team had which was is quickstart 101 step by step tutorials it would be a benefit to us all:
    http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/default.aspx

    Anyways.. so I found where to set anonymous permission.
    * Now I am testing and I made my own login.aspx page since that is what was defined in the web.config section.
    * I then added a Login Status control to my home page
    * I added a log out page
    * I then tried to point the login control to the logout page I created within siteFinity and could not navigate to it! UGH!!! Anyways, I figured small issue test the Login Status control first, deal with this later.
    * I run the site, I see I am logged in, I click LOGOUT on the Login status control and it points me to the Sitefinity Login page, NOT the one I created. What gives?
    -WHERE DO I SET THE LOGIN STATUS CONTROL TO USE MY LOGIN PAGE ONCE IT LOGS ME OUT?
    -HOW DO I SET MY LOGIN PAGE AS THE DEFAULT LOGIN PAGE NOT THE SITEFINITY PAGE?
    -WHEN I CREATED THE LOGIN PAGE, I TRIED TO LINK TO THE REGISTER PAGE I MADE WITHIN SITEFINITY, I COULD NOT FIND WHERE TO DO THAT?

    Do you see the many issues I am having implementing the membership model into Sitefinity? I am so frustrated with the poor documentation.
  8. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    17 Nov 2009
    Hi Manuel Plaza,

    First, the "problems" you have are related to standard ASP.NET controls, and none of the controls you want to use is specific to Sitefinity.

    1. LOGIN STATUS CONTROL - it has two properties that you have to set
    - LogoutAction - RedirectToLoginPage
    - LogoutPageUrl - set the property value to the page that you want to be sent.

    2. HOW DO I SET MY LOGIN PAGE AS THE DEFAULT LOGIN PAGE NOT THE SITEFINITY PAGE?

    You can modify Forms authentication settings in your web.config file - forms attribute,  loginUrl property.
    The third question is not clear to me so if you can elaborate a bit more it will be great.

    Do you see the many issues I am having implementing the membership model into Sitefinity?

    There will not be any problems using multiple membership providers. Note that the backend supports only one membership provider.

    Sincerely yours,
    Ivan Dimitrov
    the Telerik team

  9. Manuel Plaza
    6 posts
    Registered:
    15 Sep 2004
    17 Nov 2009
    Per Question #2:
    -HOW DO I SET MY LOGIN PAGE AS THE DEFAULT LOGIN PAGE NOT THE SITEFINITY PAGE?
    You can modify Forms authentication settings in your web.config file - forms attribute,  loginUrl property.
    -- I thought I had that already done since I checked the web.config section first and made my login.aspx page appropriately to what was in the web.config:
    "Now I am testing and I made my own login.aspx page since that is what was defined in the web.config section. "

    --So the question again is how do I set that LoginPage? See attached image screenshot.
    --- If we can get through this section I may be able to deal with question3 on my own.
    ---Testing question 1 again, perhaps I missed something in your menus.

  10. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    17 Nov 2009
    Hi Manuel Plaza,

    Take a look at MSDN to gather more information about how FormsAuthentication works. Each property and attribute is descriptively explained. As you see we use FormsAuthentication, so everything that is explained in the article applies to Sitefinity.

    All the best,
    Ivan Dimitrov
    the Telerik team

  11. Manuel Plaza
    6 posts
    Registered:
    15 Sep 2004
    17 Nov 2009

    I fully understand the Forms Authentication and how it works.
    Hence why I looked in your web.config section FIRST!

    I was trying to mirror what you had as default to overwrite your LoginPage with mine created in SiteFinity. Hence, the screenshot and checking what the login page URL should be to have mine ignore/overwrite yours. I looked at your documentation and it specified all pages made within SiteFinity were placed in the SiteFinity folder. Which is why I was asking WHICH url path to place in the forms attribute. If I did not understand where to look in the first place it would mean I did not understand the MS forms authentication model. DUH!!!

    Needless to say, I tried my file path and it worked.
    Which is: "~/Login.aspx"
    NOT
    "~/sitefinity/Login.Aspx"

    BUT
    If I look at the folder, the page I created is physically inside the Project folder. Which is what raised the confusion.

    So, with all that being said, here is what was the solution:
    When I created the Login page within Sitefinity; it physically created the file within the SiteFinity folder.
    I then modified the web.config section of the project I am working on to use the relative path:

     

    <authentication mode="Forms">
      <forms name=".ASPNET" loginUrl="~/login.aspx" protection="All" timeout="1440" path="/"/>
    </authentication>
    <authorization>

    Of which the default path:

    loginUrl="~/sitefinity/login.aspx"

    will not point to the custom page one makes, although you may see that page if you name your custom login page by the same name of login.aspx of which you will see physically in the SiteFinity folder.
