Anonymous Access "Deny" by default

7 posts, 0 answered
  1. Gabe Sumner
    440 posts
    Registered:
    09 Sep 2007
    25 Oct 2007
    How can I globally, for every page that gets created, set "Anonymous Access" to "Deny"?

    As an aside, a better way to do this would be for Sitefinity to get rid of the "Anonymous Access" Allow/Deny feature entirely and replace it with a special security role called "Anonymous".  Then we could simply set the permissions for "anonymous" like we do "everyone".  All pages could also benefit from the inheritance functionality that is already working.

    I am trying to use Sitefinity for an Intranet, which is why this is needed.

    Gabe
    ==================
  2. Yasen
    121 posts
    Registered:
    18 May 2013
    29 Oct 2007
    Hi Gabe,

    We are not planning for now to implement the "anonymous" role. However, you have at least two approaches to use as a workaround.

    The first is to create a custom http module and add a check on post authenticate to see if the user is authenticated. If not, you can redirect him or do what you please.

    Another thing you can do is to add a method that executes on the Executing event of the Telerik.Cms.CmsManager class and if a new page is being created to set its deny anonymous property. Here is a sample class that shows the idea:

    using System;  
    using Telerik.Framework;  
    using Telerik.Cms;  
    using Telerik.Cms.Data;  
     
    namespace Services  
    {  
        class DenyAnonymous : IService  
        {  
            public void Initialize()  
            {  
                CmsManager.Executing += new EventHandler<Telerik.ExecutingEventArgs>(CmsManager_Executing);  
            }  
     
            void CmsManager_Executing(object sender, Telerik.ExecutingEventArgs e)  
            {  
                if (e.CommandName == "CreatePage")  
                {  
                    ((CmsPage)e.CommandArguments).DenyAnonymous = true;  
                }  
            }  
        }
    }

    Also, you have to add this class as a service in the web.config => telerik => framework => services section.

    I hope you find this information helpful, if you have any other questions, feel free to ask again.

    Sincerely yours,
    Yasen
    the Telerik team

  3. Gabe Sumner
    440 posts
    Registered:
    09 Sep 2007
    26 Nov 2007
    Thanks for the reply Yasen.  I'm just now finding time to revisit this issue.

    I had another thought as I was working through this.  Because I'm creating an intranet and because only authorized users should be able to view anything, I just tried plunking the following line into the web.config file:

    <authorization> 
        <deny users="?"/>  
    </authorization> 

    This resulted in the following error message:

    Server Error in '/' Application.
    Invalid Page request! The CMS entry point should never be called directly.
    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Web.HttpException: Invalid Page request! The CMS entry point should never be called directly.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [HttpException (0x80004005): Invalid Page request! The CMS entry point should never be called directly.]
       Telerik.Cms.Web.InternalPage.OnPreInit(EventArgs e) +708
       System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +521

     I like the simplicity of this approach.  Anything I could do to make this work?

    Thanks,

    Gabe
    =================

  4. Gabe Sumner
    440 posts
    Registered:
    09 Sep 2007
    26 Nov 2007
    I got Yasen's suggestion of a custom HTTP module working.  Here is the code:

    using System;  
    using System.Collections.Generic;  
    using System.Text;  
    using System.Text.RegularExpressions;  
    using System.Web;  
     
    namespace Intranet.Web  
    {  
        public class HttpIntranetModule : IHttpModule  
        {  
            public void Init(HttpApplication app)  
            {  
                app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);  
            }  
     
            public void Dispose()   
            {  
            }  
     
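            public void OnAuthorizeRequest(Object s, EventArgs e)
            {
                HttpApplication app = s as HttpApplication;

                // Let requests for the login page through; everything else requires authentication.
                if (Regex.IsMatch(app.Request.RawUrl, @"^/Sitefinity/login\.aspx", RegexOptions.IgnoreCase) == false)
                {
                    if (app.Request.IsAuthenticated == false)
                    {
                        // URL-encode the original URL so its own query string survives as a single ReturnUrl value.
                        app.Response.Redirect("~/Sitefinity/login.aspx?ReturnUrl=" + HttpUtility.UrlEncode(app.Request.RawUrl));
                    }
                }
            }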
        }  
    }  
     

    In addition to that, the following needs added to the web.config file:

    <httpModules> 
      <add name="Cms" type="Telerik.Cms.Web.CmsHttpModule, Telerik.Cms"/>  
      <add name="HttpIntranetModule" type="Intranet.Web.HttpIntranetModule, Intranet" /> 
    </httpModules> 
     

    I haven't yet done any extensive testing with this code, but it seems to work.  This basically locks down the entire web site and forces a person to be logged in before they can view any pages.

    I'm personally content with this solution.  If anyone has anything to add or better suggestions, please speak up!

    Gabe
    ================
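
An added example, not part of the original posts: how the login-page exemption check in an intranet module like the one above behaves on edge-case URLs, comparing a loose prefix regex with an exact path comparison, and how the `ReturnUrl` value can be encoded. `LoginExemption`, `IsLoginRequest` and `LoginRedirect` are hypothetical names, and the sample URLs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration; LoginExemption and its members are hypothetical names.
static class LoginExemption
{
    const string LoginPath = "/Sitefinity/login.aspx";

    // Loose pattern: "." matches any character, the match is case-sensitive,
    // and anything may follow the prefix.
    static readonly Regex Loose = new Regex(@"^/Sitefinity/login.aspx");

    // Exact, case-insensitive comparison of the path only (query string removed).
    public static bool IsLoginRequest(string rawUrl)
    {
        int q = rawUrl.IndexOf('?');
        string path = q >= 0 ? rawUrl.Substring(0, q) : rawUrl;
        return string.Equals(path, LoginPath, StringComparison.OrdinalIgnoreCase);
    }

    // Percent-encode the original URL so its own query string survives as one value.
    public static string LoginRedirect(string rawUrl)
    {
        return LoginPath + "?ReturnUrl=" + Uri.EscapeDataString(rawUrl);
    }

    static void Main()
    {
        // Constructed sample URLs.
        string[] samples = {
            "/Sitefinity/login.aspx",
            "/Sitefinity/login.aspx?ReturnUrl=%2fdefault.aspx",
            "/sitefinity/LOGIN.ASPX",
            "/Sitefinity/loginXaspx",
            "/Sitefinity/login.aspx.bak",
            "/reports/list.aspx?year=2007&dept=hr"
        };
        foreach (string url in samples)
            Console.WriteLine("{0,-52} loose={1,-5} strict={2}",
                url, Loose.IsMatch(url), IsLoginRequest(url));

        Console.WriteLine(LoginRedirect("/reports/list.aspx?year=2007&dept=hr"));
    }
}
```

The loose pattern exempts `loginXaspx` and `login.aspx.bak` from the authentication check and does not recognise the lower-case spelling of the login page, while the exact comparison exempts only the login page itself.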
  5. Yasen
    121 posts
    Registered:
    18 May 2013
    04 Dec 2007
    Hi Gabe,

    I'm glad to hear that you have a working solution.

    About the deny users="?", this is a good, simple approach to achieve almost the same. The reason we didn't provide it in the beginning as a solution is that we concentrated on the "allow anonymous access" property, which gives you flexibility to allow some pages for unauthenticated users.

    Thanks to your note about the ASP.NET authorization we were able to locate the bug you mentioned (you get redirected to the cmsentrypoint.aspx, which should not be accessed directly). It will be fixed in the next Sitefinity version in January.

    Your Telerik points have been updated.

    Sincerely yours,
    Yasen
    the Telerik team

  6. JNC
    4 posts
    Registered:
    31 Jan 2008
    12 Feb 2008
    Implementing the IService interface looks like a powerful way to extend Sitefinity.  Is this documented anywhere? 

    Also, can you provide some more information about this comment:  "you have to add this class as a service in the web.config => telerik => framework => services section."  How would I do this?
  7. Sonya
    231 posts
    Registered:
    24 Sep 2012
    15 Feb 2008
    Hello JNC,

    Thank you for the feedback. We will include information in the documentation about using services. In the meantime, what you need to do is write a class that implements the IService interface and add information about it to the web.config file the way that is explained in the post you have read (about services). If you would also like to view the service in the Admin part of Sitefinity, Administration -> Services tab, the class should also implement WebModule.

    Here is a sample implementation:

    Service1.cs
    using System; 
    using System.Data; 
    using System.Configuration; 
    using System.Linq; 
    using System.Web; 
    using System.Web.Security; 
    using System.Web.UI; 
    using System.Web.UI.HtmlControls; 
    using System.Web.UI.WebControls; 
    using System.Web.UI.WebControls.WebParts; 
    using System.Xml.Linq; 
    using Telerik.Framework; 
    using Telerik; 
     
    /// <summary> 
    /// Summary description for Service1 
    /// </summary> 
    public class Service1 : WebModule, IService
    {
        public Service1()
        {

        }

        // WebModule members: these make the service visible under Administration -> Services.
        public override System.Collections.Generic.IList<Telerik.Web.IToolboxItem> Controls
        {
            get { return null; }
        }

        public override string Description
        {
            get { return "Test"; }
        }

        public override string Name
        {
            get { return "Service1 and 1"; }
        }

        public override string Title
        {
            get { return "Service 1"; }
        }

        #region IService Members

        // Called by the framework for each class registered in the services section of web.config.
        public void Initialize()
        {
        }
        #endregion
    }


    Also, add the following highlighted code to the web.config file:
    <framework> 
      ... 
      <services> 
        <add type="Service1, app_code"/> 
        ... 
      </services> 


    I have attached a screenshot to show you where you could find the service.

    Hope this helps. Please let us know if we could further assist you.


    Regards,
    Sonya
    the Telerik team
