I created a new ASP.NET WebForms application with Visual Studio 2013, Update 2. Then I updated all of the NuGet packages and removed all of the OAuth stuff since I just want "forms" authentication, which is what I'm familiar with.
What I want is to configure the OWIN/ASP.NET Identity framework so that all pages require authorization, including default pages - so the first page a user should see is the Login page. What is the correct way to do this? I cannot find any resources on the Internet that show how to secure a WebForms page with OWIN/ASP.NET Identity.
I added the following XML to the bottom of my main web.config file, I get an error:
<authorization>
<deny users="?"/>
</authorization>
The error is: The requested page cannot be accessed because the related configuration data for the page is invalid.
You can configure the <authorization> element at the server level in the ApplicationHost. config file, or at the site or application level in the appropriate Web. config file. You can set default authorization rules for the entire server by configuring authorization rules at the server level.
You are right that there are no resources about using the classic ASP.Net authorization with the OWIN security middleware.
I'm using ASP.Net Web Pages, so my experiment is similar to yours (we both try to protect static files being aspx or cshtml).
My experiment was so horrific. I was about to bang my head at a wall.
At last I discovered how to make it run. And here is what I did:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="shell.cshtml">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="notFound.cshtml">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="security/login.cshtml">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
public static class Startup
{
public static void Configuration(IAppBuilder app)
{
var cookieExpiration = TimeSpan.FromMinutes(20);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
CookieName = "efa",
ExpireTimeSpan = cookieExpiration,
SlidingExpiration = true,
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
Provider = new CookieAuthenticationProvider
{
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<UserManager, User, long>(
validateInterval: cookieExpiration,
regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
getUserIdCallback: identity => Identity.Identity.ExtractIdFromClaims(identity))
}
});
app.UseWebApi(new HttpConfig());
}
}
It was crucial to set AuthenticationMode = AuthenticationMode.Active
. I spent a whole work day to discover this. If you set it to Passive
, the authentication middleware won't populate the Identity and Principal objects of the HTTP context and the authorization module will forbid all requests.
This will make the classic UrlAuthorization
module work for you based on the identity populated by the OWIN middleware. It must be noted that the Nuget package Microsoft.Owin.Host.SystemWeb
must be installed, otherwise OWIN won't be integrated with the ASP.Net pipeline.
You may also use these modern OWIN authorization modules http://leastprivilege.com/2014/06/24/resourceaction-based-authorization-for-owin-and-mvc-and-web-api/ They're highly customizable and can protect MVC controller, Web API controllers, and static files.
Adding the following filter to the default App_Start/FilterConfig.cs file (in the RegisterGlobalFilters method) did the trick:
filters.Add(new AuthorizeAttribute());
The old .NET forms authentication HTTP module is gone and has been replaced by OWIN Forms middleware.
Here are a few articles to get you started.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With