+1-888-365-2779
Try Now
More in this section

Forums / General Discussions / Admin Login Page with SSL

Admin Login Page with SSL

15 posts, 0 answered
  1. Chen Chuan
    Chen Chuan avatar
    14 posts
    Registered:
    11 Sep 2011
    15 Sep 2011
    Link to this post
    Hi,

        How can i configure the admin login page must use SSL?

    Thanks,
  2. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    20 Sep 2011
    Link to this post
    Hello Chen Chuan,

    That's a tough one, the default Login page is an embedded resource and is passed through a route handler before being rendered. The easiest approach would be to create a custom login page from Administration->BackendPages under the Sitefinity node, and mark its Require SSL property. You can then  provide the ceritficate in IIS. There is a role for non-authenticated users -  "Anonymous". Denying this role View permissions  would raise error code "403 Forbidden" , which you can handle in the customErrors element in you web.config to automatically redirect you to the login screen when a user who lacks the proper permissions is trying to access a certain page. Please refer to the sample below:

    <customErrorsmode="On">

      <errorstatusCode="403"redirect="~/Sitefinity/Login"/>

    </customErrors>

    alternatively it's possible to configure this in an application-wide settings class, i.e. Global.asax, where you could say:

    protected void Application_Error(object sender, EventArgs e)
           {
               var currentPage = HttpContext.Current.Request.Url.ToString(); //.Split('/').Last();
               Exception ex = Server.GetLastError();
               if (ex is HttpException)
               {
                   HttpException httpEx = ex as HttpException;
                   if (httpEx.Message == "You are not authorized to access this page")
                   {
                       Response.Redirect("~/Test?returnurl=" + currentPage);
                       Server.ClearError();
                   }
               }
           }

    I hope this suits your needs for the functionality you want to implement.



    Regards,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  3. Chen Chuan
    Chen Chuan avatar
    14 posts
    Registered:
    11 Sep 2011
    21 Sep 2011
    Link to this post
    Hi Boyan,

        First, i don't understand why all other admin pages able to activate the "Required SSL" property and the most basic page for admin (Login Page) not able to be configured? The admin login page is not important or the login and password doesn't require to protect?

        Second, although i created a custom Login Page, the page is still protected by Sitefinity Admin. If i input the URL /Sitefinity/customlogin, page will be redirected to "Sitefinity/Login?ReturnUrl=/Sitefinity/customlogin".

        Last, if this custom page really works, how can i override the default login page?

    Thanks,
  4. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    26 Sep 2011
    Link to this post
    Hello Chen Chuan,

    In that case, why don't you try implementing an HttpModule and inside execute the following logic

    if(context.Url.EndsWith("Login"))

    httpContext.Response.RedirectPermanent(httpContext.Request.Url.AbsoluteUri.Remove(0, 7).Insert(0, "https://"), true);

    httpContext.Response.End();



    Kind regards,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  5. Chen Chuan
    Chen Chuan avatar
    14 posts
    Registered:
    11 Sep 2011
    26 Sep 2011
    Link to this post
    Hi Boyan,

        Thanks for your reply, how can i implement it? Change it in Global.asax or create a new class and change the web.config? Please let me know if there is any sample.

    Thanks,
  6. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    26 Sep 2011
    Link to this post
    Hello Chen Chuan,

    Actually both implementations are possible, you can find a sample on this forum thread. What you can do, as a quicker workaround would be to set SSL in IIS for all pages under the /Sitefinity node, please let me know if this solution will be more suitable for your use case scenario.

    Greetings,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  7. Chen Chuan
    Chen Chuan avatar
    14 posts
    Registered:
    11 Sep 2011
    26 Sep 2011
    Link to this post
    Hi Boyan,

        Thanks for your quick reply. Actually i have tried to set the SSL in IIS for all pages under /Sitefinity before. But the problem is all my theme images and css will also SSL protected for all public pages. As we need to care for the performance issue, so we try not to use this workaround.

         The thread you provided maybe useful (i haven't tried it) but to me it is a bit complicated as what i want is just auto redirect the Login to https. I am trying to find a way to replace the login url in route table. Isn't it possible?

    Thanks,
  8. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    29 Sep 2011
    Link to this post
    Hello Chen Chuan,

    I understand your concern, unfortunately overriding the default handler that constructs the login page would not be possible for now, as it's being registered in second place in the list of handlers, so adding it later would not suit the necessary functionality. You'll basically need to create your custom route handler, by inheriting from LoginRouteHandler.cs and then in Global.asax subscribe to Bootstrapper.Initialized and in there unload all default handlers ( routes.Clear(); ), and then load them again, with your custom login handler being loaded instead of the default login handler.
    Thank you very much for the constructive feedback and pointing out the need for easier overriding of the default handlers, I've logged your suggestion as a feature request, and we'll see if we can include it in the implementation plans for the upcoming releases.

    All the best,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  9. Nicolas
    Nicolas avatar
    156 posts
    Registered:
    19 Jan 2011
    18 Nov 2011
    Link to this post
    Hi Boyan,

    I look for set HTTPS on login page too. I already made my own route handler and register it in "Global.asax".
    I successfully redirect towards a custom aspx into my solution, but I want an other thing. I want to redirect it to a page into Sitefinity, I'll test to replace virtual path of my aspx by SFPageService virtual path without success. It seems inherit LoginRouteHandler can't permit to use SFPageService.

    Regards,
    Nicolas
  10. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    23 Nov 2011
    Link to this post
    Hello Nicolas,

    Actually, why not use the approach described in this KB article which we've released recently on the topic- once you've set your pages to requre SSL under IIS and provided the appropriate certificate, you'll need to just llop trhough your Sitefinity pages, using our Pages API, and set their REquireSSL property to true. Since the Login page is constructed under the /Sitefinity node it will automatically requre SSL as well. Please find below a code sample I've prepared for you which should accomplish this task:
    App.WorkWith().Pages()
                              .Where(p => p.Page != null)
                               .ForEach(p =>
                                           {
                                               p.Page.RequireSsl = false;
                                           }).SaveChanges();


    Best wishes,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  11. Nicolas
    Nicolas avatar
    156 posts
    Registered:
    19 Jan 2011
    30 Nov 2011
    Link to this post
    Hi Boyan,
    the KB article is interesting. But it forgot a little thing, with a configuration like this you have to go in Administration > Settings > Advanced > System > ServicesPaths
    and set your "http://mysite" otherwise you break publishing workflow.

    Another thing, it's more like a bug. When you made your backend RequireSSL, editing pages who are not in SSL doesn't work on my site.
    Because when you try to edit page the url is not under ~/Sitefinity.

    Regards,
    Nicolas
  12. Dan Sorensen
    Dan Sorensen avatar
    256 posts
    Registered:
    13 Aug 2010
    20 Apr 2012
    Link to this post
    Any update on this thread? Does 5.0x have built in SSL security for administrative pages? 

    We would like to block access to the Sitefinity back end administrative from outside our network to protect our website. (only allow local and VPN access), however since both the Administrative backend and many of the resources both use the /Sitefinity path, this may not be realistic or possible.

    So at a minimum, we would like to require SSL for access to edit our pages.
  13. Dan Sorensen
    Dan Sorensen avatar
    256 posts
    Registered:
    13 Aug 2010
    20 Apr 2012
    Link to this post
    Does anyone know if this KB article for Sitefinity 4.2 still applies to 5.x to require SSL for Sitefinity back end pages?
    http://www.sitefinity.com/devnet/kb/sitefinity-4-x/securing-a-sitefinity-backend-with-ssl.aspx 

    It seems like requiring SSL for back end access would be a simple check box somewhere. Instead it is giving me grief. I'm not even certain if I can force SSL on the "Sitefinity" folder as it includes a lot of the web services used for the site.

    ...argh. Any advice? Is everyone just using it without SSL?
  14. Kevin
    Kevin avatar
    16 posts
    Registered:
    09 Feb 2012
    28 Jan 2013
    Link to this post

    Hello,

    I'd like to echo Dan's question from April-- does that KB article still apply for version 5.x? Are there any drawbacks to requiring SSL for all backend pages?

    Thanks,
    Kevin

  15. Boyan Barnev
    Boyan Barnev avatar
    1429 posts
    Registered:
    02 Dec 2016
    29 Jan 2013
    Link to this post
    Hello everyone,

    We've updated the KB information with the latest set of instructions for enabling SSL for your Sitefinity site's backend, or globally. You can find the updated information at the same location: Securing a Sitefinity Backend with SSL.

    Please do not hesitate to let us know if you spot anything you think should be added or corrected in the guide, we'll be glad to review your suggestions.

    All the best,
    Boyan Barnev
    the Telerik team
15 posts, 0 answered