
Sitefinity/admin to admin

6 posts, 0 answered
  1. Tim
    156 posts
    Registered:
    23 Sep 2007
    12 Nov 2007

    Sitefinity Team,

    We would like to create a virtual directory called admin that points to sitefinity/admin instead of using sitefinity/admin as the file structure. That way we can apply Windows authentication to the admin virtual directory for extra security. Right now the sitefinity/admin directory is exposed to the public. That’s definitely a security problem.

    Please let me know if there is any configuration I can do to make it happen. It’s very very important for us.


    Thanks in advance
    Tim

  2. Yasen
    121 posts
    Registered:
    18 May 2013
    13 Nov 2007
    Hi Tim,

    Unfortunately, it would be a complicated task to separate the Sitefinity administration into another virtual directory, so using a different authentication mode for the administration has to be achieved manually. Here is a possible way to use Windows authentication only for the admin part:

    You should add this at the beginning of the Global.asax file:
    <%@ Import Namespace="System.Security.Principal" %> 
    <%@ Import Namespace="System.Web" %> 
    <%@ Import Namespace="System.Web.Security" %> 


    Also, add these methods in the <script> tag of the same file to take care of the authentication process:
    public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        if (null == e) throw new ArgumentNullException("e");

        // Check if a Windows user is present
        WindowsIdentity winID = e.Context.Request.LogonUserIdentity;
        if (winID == null)
            return;

        string path = e.Context.Request.Path;
        if (!IsWindowsAuthenticated(path, e.Context))
            return;

        // Check for guest accounts
        if (winID.IsGuest || winID.IsAnonymous || winID.IsSystem)
            return;

        WindowsPrincipal principal = new WindowsPrincipal(winID);
        if (principal.IsInRole("Guests"))
            return;

        e.User = principal;
    }

    private static bool IsWindowsAuthenticated(string path, HttpContext context)
    {
        if (string.IsNullOrEmpty(path))
            throw new ArgumentNullException("path");
        if (null == context)
            throw new ArgumentNullException("context");

        // Check if the request is for Sitefinity administration
        if (path.StartsWith(Telerik.Cms.Web.UrlHelper.LowerAdminPath, StringComparison.OrdinalIgnoreCase))
            return true;

        return false;
    }

    Doing this should be enough to enable Windows authentication for the CMS part, while Forms authentication is set for the application. Thank you, your request has been considered and we will definitely include this option in a future Sitefinity release.

    Your Telerik points have been updated.

    Greetings,
    Yasen
    the Telerik team

  3. Tim
    156 posts
    Registered:
    23 Sep 2007
    13 Nov 2007

    Sitefinity Team,

    Thank you very much for your consideration.

    By the way, I tried your code and it doesn't work. It still goes to sitefinity/admin without prompting for Windows authentication.

    Please let me know if I missed anything.
    Thanks
    Tim

  4. Tim
    156 posts
    Registered:
    23 Sep 2007
    13 Nov 2007
    By the way, the following is my Global.asax file code:

    <%@ Application Language="C#" %>
    <%@ Import Namespace="System.Security.Principal" %>
    <%@ Import Namespace="System.Web" %>
    <%@ Import Namespace="System.Web.Security" %>

    <script runat="server">

        public override string GetVaryByCustomString(HttpContext context, string custom)
        {
            if (custom.Equals("cms", StringComparison.CurrentCultureIgnoreCase))
            {
                Telerik.Cms.Web.ICmsUrlContext urlContext = Telerik.Cms.Web.CmsUrlContext.Current;
                if (urlContext != null)
                {
                    return urlContext.Path;
                }
            }
            return base.GetVaryByCustomString(context, custom);
        }

        public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
        {
            if (null == e) throw new ArgumentNullException("e");

            // Check if a Windows user is present
            WindowsIdentity winID = e.Context.Request.LogonUserIdentity;
            if (winID == null)
                return;

            string path = e.Context.Request.Path;
            if (!IsWindowsAuthenticated(path, e.Context))
                return;

            // Check for guest accounts
            if (winID.IsGuest || winID.IsAnonymous || winID.IsSystem)
                return;

            WindowsPrincipal principal = new WindowsPrincipal(winID);
            if (principal.IsInRole("Guests"))
                return;

            e.User = principal;
        }

        private static bool IsWindowsAuthenticated(string path, HttpContext context)
        {
            if (string.IsNullOrEmpty(path))
                throw new ArgumentNullException("path");
            if (null == context)
                throw new ArgumentNullException("context");

            // Check if the request is for Sitefinity administration
            if (path.StartsWith(Telerik.Cms.Web.UrlHelper.LowerAdminPath, StringComparison.OrdinalIgnoreCase))
                return true;

            return false;
        }

        void Application_Start(object sender, EventArgs e)
        {
            // Code that runs on application startup
        }

        void Application_End(object sender, EventArgs e)
        {
            // Code that runs on application shutdown
        }

        void Application_Error(object sender, EventArgs e)
        {
            // Code that runs when an unhandled error occurs
        }

        void Session_Start(object sender, EventArgs e)
        {
            // Code that runs when a new session is started
        }

        void Session_End(object sender, EventArgs e)
        {
            // Code that runs when a session ends.
            // Note: The Session_End event is raised only when the sessionstate mode
            // is set to InProc in the Web.config file. If session mode is set to StateServer
            // or SQLServer, the event is not raised.
        }

    </script>
     

  5. Yasen
    121 posts
    Registered:
    18 May 2013
    14 Nov 2007
    Hello Tim,

    This code is working properly for me. The Windows login form you are talking about should not show up in IE, as IE authenticates automatically; you should see this form in Mozilla and other browsers, but only if you deny anonymous access to the sitefinity/admin folder in your IIS settings. Sorry, I forgot to mention this in my first post.

    However, considering the "Windows authentication for extra security" part of your request, I think that the code will not be appropriate. It only adds a Windows user to the context, so a malicious user could use the same techniques to attack your application, as Forms authentication is still active.

    Here is another version of this code that only checks whether the user has the right Windows credentials and, if not, throws an exception. This way a request from a remote user won't be granted access even if he provides a correct Sitefinity username/password:

    public void FormsAuthentication_OnAuthenticate(object sender, FormsAuthenticationEventArgs e)
    {
        if (e == null) throw new ArgumentNullException("e");

        string path = e.Context.Request.Path;
        if (path.StartsWith(Telerik.Cms.Web.UrlHelper.LowerAdminPath, StringComparison.OrdinalIgnoreCase))
        {
            WindowsIdentity winID = e.Context.Request.LogonUserIdentity;
            if (winID == null || winID.IsGuest || winID.IsAnonymous || winID.IsSystem)
                throw new HttpException(403, "error");
        }
    }

    Sorry for the frustration caused by my first post, I hope everything is clear now. If you still have problems, it would be helpful for us if you are more specific about the expected login behavior and the actual one.

    Regards,
    Yasen
    the Telerik team

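The difference between the two handlers in this thread is the important part: the first version returns (and so falls through to Forms authentication) whenever no usable Windows identity is present, while the second denies the admin path by default and only lets a real, non-guest Windows logon continue. The following is an added example, not Telerik or Sitefinity code, that isolates that deny-by-default decision as a pure function and exercises it against constructed requests, so it runs as a plain console program without IIS or an HttpContext. `WindowsLogon`, `AdminGate` and the `AdminPath` constant are stand-ins introduced here for `Request.LogonUserIdentity` and `Telerik.Cms.Web.UrlHelper.LowerAdminPath`; in the real Global.asax handler a `false` result corresponds to throwing `HttpException(403, ...)`.

```csharp
// Added example (not Telerik/Sitefinity code): the admin-gate decision from the
// hardened handler above, isolated so it can be tested with constructed input.
using System;
using System.Collections.Generic;

// Stand-in for the members of Request.LogonUserIdentity that the handler reads.
sealed class WindowsLogon
{
    public bool IsGuest;
    public bool IsAnonymous;
    public bool IsSystem;
    public string Name = "";
}

static class AdminGate
{
    // Assumption: the admin area is served under this app-relative path. It plays
    // the role of Telerik.Cms.Web.UrlHelper.LowerAdminPath in the original code.
    public const string AdminPath = "/sitefinity/admin";

    // Returns true when the request may continue to Forms authentication and
    // false when it must be rejected (the 403 HttpException in the original).
    public static bool Allow(string requestPath, WindowsLogon logon)
    {
        if (string.IsNullOrEmpty(requestPath))
            throw new ArgumentNullException(nameof(requestPath));

        // Requests outside the admin area are left to Forms authentication.
        if (!requestPath.StartsWith(AdminPath, StringComparison.OrdinalIgnoreCase))
            return true;

        // Admin area: deny by default. Only a present, non-guest, non-anonymous,
        // non-system Windows logon is allowed to proceed.
        if (logon == null || logon.IsGuest || logon.IsAnonymous || logon.IsSystem)
            return false;

        return true;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample requests (path, Windows logon, expected decision);
        // these are not captured traffic.
        var cases = new List<(string path, WindowsLogon logon, bool expect)>
        {
            ("/default.aspx",                 null,                                    true),
            ("/Sitefinity/Admin/Pages.aspx",  null,                                    false),
            ("/sitefinity/admin/",            new WindowsLogon { IsAnonymous = true }, false),
            ("/sitefinity/admin/",            new WindowsLogon { IsGuest = true },     false),
            ("/sitefinity/admin/",            new WindowsLogon { IsSystem = true },    false),
            ("/sitefinity/admin/",            new WindowsLogon { Name = "CORP\\tim" }, true),
        };

        foreach (var c in cases)
        {
            bool got = AdminGate.Allow(c.path, c.logon);
            string verdict = got ? "allow" : "403";
            string check = got == c.expect ? "ok" : "MISMATCH";
            Console.WriteLine($"{c.path,-32} {verdict,-6} {check}");
        }
    }
}
```

The path comparison is case-insensitive on purpose, mirroring the `OrdinalIgnoreCase` in the thread: an admin URL must not slip past the gate because a client changed the letter case. Everything that is not an explicitly recognised Windows logon is refused, which is what makes this version stronger than the first one, where a missing identity simply meant "use Forms authentication instead".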
  6. Tim
    156 posts
    Registered:
    23 Sep 2007
    14 Nov 2007
    Sitefinity Team,

    It works this time.

    Thanks
    Tim