
Allowing access to specific pages with ASP-MVC and Forms Authentication

Here is a simple overview of my directory layout for my views:

Project

  • Page 1
  • Page 2
  • RSS

Issues

  • Page 1
  • Page 2
  • RSS

I am using forms authentication to deny access to all unauthenticated users; that works fine. However, I want to be able to grant access to the RSS views to everyone (so they can subscribe via Google Reader and stuff).

I understand that you can grant access to pages by adding the following page to your web.config:

<location path="TOURPAGE.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
      <allow users="?" />
    </authorization>
  </system.web>
</location>

However, how would I do this with my dynamically made URLs, such as:

Issues/RSS/chrisj
  • That path maps to a controller in issues called RSS, which takes a username and spits out an RSS of their issues...

EDIT

Some answers I thought had fixed it, but:

It seems that, in my case at least, you still need the authentication cookie in order to see the page. You can be logged out and view it, so long as you have the cookie.

That is no good to me, I need the page to be completely public, as it is an RSS feed.

Chris James asked Dec 04 '08 15:12


3 Answers

Forget about the <location><allow /><deny /> stuff... sounds like you need to use the [Authorize] attribute on your actions.

Check out these pages for more info: http://www.asp.net/learn/mvc/tutorial-17-cs.aspx http://www.pnpguidance.net/post/ASPNETMVCFrameworkPreview4HandleErrorAuthorizeOutputCacheActionFilterAttributes.aspx

Also, the attribute can be applied at the controller level as well, so you don't have to put it on each individual action.

Charlino answered Sep 27 '22 17:09
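
The attribute-based approach suggested in the answer above, as an added example that is not part of the original thread: `[Authorize]` on the controller protects every action and `[AllowAnonymous]` opens only the RSS action. It assumes ASP.NET MVC 4 or later (where `[AllowAnonymous]` exists), that the site-wide `<deny users="?" />` rule has been removed from web.config so anonymous requests reach the action, and constructed sample data in place of a real issue store.

```csharp
// Added example, not code from the thread. Assumes ASP.NET MVC 4+.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using System.Xml.Linq;

[Authorize] // every action on this controller needs a signed-in user...
public class IssuesController : Controller
{
    // Constructed sample data standing in for a real issue store.
    private static readonly Dictionary<string, string[]> SampleIssues =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "chrisj", new[] { "Login page times out", "Feed icon missing" } }
        };

    public ActionResult Page1() { return View(); }
    public ActionResult Page2() { return View(); }

    // ...except this one, which is served with no authentication cookie.
    // With the default {controller}/{action}/{id} route this is
    // Issues/RSS/chrisj.
    [AllowAnonymous]
    public ActionResult RSS(string id)
    {
        // The feed is public, so treat the username as untrusted input.
        if (string.IsNullOrEmpty(id) || id.Length > 32 ||
            !id.All(char.IsLetterOrDigit))
            return new HttpStatusCodeResult(400);

        string[] titles;
        if (!SampleIssues.TryGetValue(id, out titles))
            return HttpNotFound();

        // XElement escapes text content, so issue titles cannot break the XML.
        var channel = new XElement("channel",
            new XElement("title", "Issues for " + id),
            new XElement("link", Request.Url.GetLeftPart(UriPartial.Path)),
            new XElement("description", "Open issues"),
            titles.Select(t => new XElement("item", new XElement("title", t))));
        var rss = new XElement("rss", new XAttribute("version", "2.0"), channel);

        return Content(rss.ToString(), "application/rss+xml");
    }
}
```

Because the rule is attached to the action and not to a URL path, any new action added to the controller is protected by default, and the feed stays public under every route that maps to `RSS`.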


This was actually much simpler than I thought. Seems .net is quite clever, I tried the following:

<location path="Issues/RSS">
  <system.web>
    <authorization>
      <allow users="*" />
      <allow users="?" />
    </authorization>
  </system.web>
</location>

And it worked :)

Chris James answered Sep 27 '22 16:09


<location path="/Issues/RSS/">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

EDIT: The reason this works, by the way, is because .NET is assuming that URL goes to a directory, and this location tag above says "anything in the 'Issues/RSS' directory is safe" :)

Timothy Khouri answered Sep 27 '22 16:09