Re: Forms Authentication - Confused!
From: Simon Harris (too-much-spam_at_makes-you-fat.com)
Date: 01/26/05
- In reply to: William F. Robertson, Jr.: "Re: Forms Authentication - Confused!"
Date: Wed, 26 Jan 2005 16:41:22 -0000
Hi William,

My /web.config file now contains:

<authentication mode="Forms">
  <forms name="Ado" path="/" loginUrl="/adocommon/authenticate.aspx"
         protection="All" timeout="30">
    <credentials passwordFormat="Clear">
      <user name="admin" password="password" />
    </credentials>
  </forms>
</authentication>
...and more snipped stuff here...
</system.web>
<location path="contenteditor">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

I've deleted the /contenteditor/web.config file (No specific settings in
there) and tried again - The IIS log reads:

16:34:19 127.0.0.1 - GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon POST /adocommon/authenticate.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /adocommon/authenticate.aspx 200

The result of FormsAuthentication.Authenticate(txtUser.Text,
txtPassword.Text) is now true, but /contenteditor/index.aspx still redirects
me back to the login page...

I feel like I'm going round in circles! :-(

"William F. Robertson, Jr." <theman@nameht.org> wrote in message
news:ukedT06AFHA.3700@tk2msftngp13.phx.gbl...
> I will try to be more clear this time around.
>
> You will define the forms authentication inside the /web.config.
>
> If you place the forms authentication inside /contenteditor/web.config, when
> the server is processing a request from /adocommon, it will use the
> /adocommon/web.config. When you are calling the
> FormsAuthentication.Authenticate(), it will check the credentials defined in
> /adocommon/web.config. If there are none there, it will check /web.config.
> Because you have the user/pass defined in /contenteditor/web.config, it can
> never (and never will) validate the way you want.
>
> You need to define your forms authentication stuff "globally" to your site.
> You should by default allow all users regardless of authentication status.
> You should use the location tag to secure the contenteditor directory. I
> believe you can also add the <authorization> tag inside the
> /contenteditor/web.config, but try this one out first to remove any extra
> errors you might experience.
>
> You should place the following snippet inside your root /web.config file.
>
> (snippet)
>
> <configuration>
>   <system.web>
>     <!-- place all your forms authentication stuff in here -->
>   </system.web>
>
>   <!-- The next section will set the permissions for the directory you wish to protect -->
>   <location path="contenteditor">
>     <system.web>
>       <authorization>
>         <deny users="?" />
>         <allow users="*" />
>       </authorization>
>     </system.web>
>   </location>
> </configuration>
>
> (/snippet)
>
> HTH,
>
> bill
>
> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
> news:%23Llwfu4AFHA.608@TK2MSFTNGP15.phx.gbl...
>> Just updating my own thread...in the hope that it might be useful to someone
>> in the future...
>>
>> It seems the path attribute only sets the path of the cookie - It is not
>> relevant to the directory you are trying to secure.
>>
>> I'm even more lost now though, because after proving the above, I amended
>> the web.config file in the folder to be secured again, which now does not
>> return true for a valid username and password.
>>
>> Currently I have:
>>
>> /contenteditor
>> This is the folder to be secured, which contains the following web.config
>> info:
>>
>> <authentication mode="Forms">
>>   <forms name="AdoContentEditor" path="/"
>>          loginUrl="/adocommon/authenticate.aspx" protection="All" timeout="30">
>>     <credentials passwordFormat="Clear">
>>       <user name="admin" password="password" />
>>     </credentials>
>>   </forms>
>> </authentication>
>> <authorization>
>>   <deny users="?" />
>> </authorization>
>>
>> When I access an ASPX page in the root of the site, as expected it serves it
>> up correctly.
>>
>> When I access an ASPX page in /contenteditor, as expected I am redirected to
>> my login page. I then enter admin and password - The result of
>> FormsAuthentication.RedirectFromLoginPage(txtUser.Text,
>> chkPersistLogin.Checked) is always false....
>>
>> Grrrrrr!!!! :-(
>>
>>
>> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> news:OQAJhpyAFHA.1188@tk2msftngp13.phx.gbl...
>> > The cookie is:
>> > simon@localhost/contenteditor/
>> >
>> > My IIS logs say:
>> > 21:41:13 127.0.0.1 - GET /contenteditor/index.aspx 302
>> > 21:41:13 127.0.0.1 - GET /adocommon/authenticate.aspx 401
>> > 21:41:13 127.0.0.1 MACHINENAME\Simon GET /adocommon/authenticate.aspx 200
>> > 21:41:13 127.0.0.1 MACHINENAME\Simon GET /adocommon/assets/main.css 200
>> > 21:41:24 127.0.0.1 MACHINENAME\Simon POST /adocommon/authenticate.aspx 302
>> > 21:41:24 127.0.0.1 - GET /contenteditor/index.aspx 302
>> > 21:41:24 127.0.0.1 MACHINENAME\Simon GET /adocommon/authenticate.aspx 200
>> >
>> > So, it looks like it's reaching the page that requires authentication,
>> > bouncing the user to authenticate.aspx, which later bounces the user back
>> > to the page requiring authentication...which AGAIN sends us off to
>> > authenticate...
>> >
>> > Just a thought...My IIS is not configured for anonymous access, but from
>> > what I read this shouldn't make a difference - The IIS level of
>> > authentication is handled, then a token passed to the ASP.Net engine (Which
>> > should accept any token from IIS)
>> >
>> > I don't geddit....yet.
>> >
>> >
>> > "William F. Robertson, Jr." <theman@nameht.org> wrote in message
>> > news:uH8o68xAFHA.3504@TK2MSFTNGP12.phx.gbl...
>> >> I am purely speculating here, but perhaps the redirect is working, but the
>> >> path/cookie name isn't working properly. So when it tries to open the page
>> >> again, it doesn't see the correct authentication cookie. Try going directly
>> >> to your login page and login. It should redirect you to default.aspx since
>> >> there is no ReturnUrl defined in the querystring.
>> >>
>> >> Are the text boxes clearing out after the RedirectFromReturnUrl? I mean is
>> >> the page just sitting there, or does it re-request the page.
>> >>
>> >> bill
>> >>
>> >>
>> >> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >> news:O6F4IewAFHA.4028@TK2MSFTNGP15.phx.gbl...
>> >>> Hi William,
>> >>>
>> >>> Thanks for your reply - I am getting:
>> >>> "Unrecognized configuration section 'location'"
>> >>>
>> >>> When I add this to my root web.config:
>> >>>
>> >>> <location path="/contenteditor">
>> >>>   <authentication mode="Forms">
>> >>>     <forms name="AdoContentEditor" path="/contenteditor"
>> >>>            loginUrl="/adocommon/authenticate.aspx" protection="All"
>> >>>            timeout="30">
>> >>>       <credentials passwordFormat="Clear">
>> >>>         <user name="admin" password="password" />
>> >>>       </credentials>
>> >>>     </forms>
>> >>>   </authentication>
>> >>>   <authorization>
>> >>>     <deny users="?" />
>> >>>   </authorization>
>> >>> </location>
>> >>>
>> >>> I have also tried putting the above into /web.config without the location
>> >>> tag, and had a little more success...
>> >>> FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) now returns
>> >>> true when expected (e.g. correct user/pass) however, the following line does
>> >>> not seem to do anything:
>> >>>
>> >>> FormsAuthentication.RedirectFromLoginPage(txtUser.Text,
>> >>> chkPersistLogin.Checked)
>> >>>
>> >>> Not that I know I am reaching this part of the code, as I set a label's value
>> >>> within the same if statement - The redirect simply doesn't occur for some
>> >>> reason!
>> >>>
>> >>> Cheers again,
>> >>>
>> >>> Simon.
>> >>>
>> >>>
>> >>> "William F. Robertson, Jr." <theman@nameht.org> wrote in message
>> >>> news:OuSdxRvAFHA.2156@TK2MSFTNGP10.phx.gbl...
>> >>> > I will try to help you with this one.
>> >>> >
>> >>> > \ (root directory)
>> >>> > \Admin
>> >>> > \Common
>> >>> >
>> >>> > You try to access \admin which has forms authentication defined in there.
>> >>> > You are redirected to \Common\Login. When you call the Authenticate method,
>> >>> > it is looking in the \Common\web.config for the user/pass. It can't find
>> >>> > it, so it goes to the \(root) to look for user/pass. And can't find
>> >>> > anything there so it returns false.
>> >>> >
>> >>> > You should place the forms authentication stuff in the root directory. Then
>> >>> > use the location web.config attribute to control access to certain folders
>> >>> > and such.
>> >>> >
>> >>> > This is the \(root)web.config
>> >>> > <system.web>
>> >>> >   <!-- all your authentication/credentials are in here. -->
>> >>> >   <authorization>
>> >>> >     <allow users="*" /> <!-- Allows all unauthenticated users -->
>> >>> >   </authorization>
>> >>> > </system.web>
>> >>> >
>> >>> > <location path="Admin/">
>> >>> >   <system.web>
>> >>> >     <authorization>
>> >>> >       <deny users="?" /> <!-- Denies unauthenticated users -->
>> >>> >       <allow users="*" /> <!-- Allows all users -->
>> >>> >     </authorization>
>> >>> >   </system.web>
>> >>> > </location>
>> >>> >
>> >>> > You probably will have to tweak my syntax (went by memory), but I believe
>> >>> > this should work, or at least this is the directory I believe you should
>> >>> > head in.
>> >>> >
>> >>> > HTH,
>> >>> >
>> >>> > bill
>> >>> >
>> >>> >
>> >>> > "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >>> > news:egvXa4sAFHA.1396@tk2msftngp13.phx.gbl...
>> >>> >> Sorry - Slight mistake, my web.config file with the auth
>> >>> >> mode/authorization sections actually resides in /admin
>> >>> >>
>> >>> >> With it in here, I am correctly redirected to my login page, but as
>> >>> >> mentioned, the user is not authenticated.
>> >>> >>
>> >>> >> Cheers,
>> >>> >> Simon.
>> >>> >>
>> >>> >> "Simon Harris" <too-much-spam@makes-you-fat.com> wrote in message
>> >>> >> news:...
>> >>> >> > Hi All,
>> >>> >> >
>> >>> >> > I'm trying to setup forms based authentication, so that the user gets
>> >>> >> > prompted for a password when they try to access /admin (I won't actually
>> >>> >> > call it that in production of course!)
>> >>> >> >
>> >>> >> > I want the user/pass to be stored in web.config.
>> >>> >> >
>> >>> >> > This will be for a website that is otherwise open to anonymous access.
>> >>> >> >
>> >>> >> > At the moment, I have:
>> >>> >> >
>> >>> >> > /common/authenticate.aspx - My login page, with the following code,
>> >>> >> > onclick of the login button:
>> >>> >> > If FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) Then
>> >>> >> >     FormsAuthentication.RedirectFromLoginPage(txtUser.Text, chkPersistLogin.Checked)
>> >>> >> > Else
>> >>> >> >     Me.lblErrorMsg.Text = "Result of authentication attempt: " & FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text)
>> >>> >> > End If
>> >>> >> >
>> >>> >> > /admin/web.config, which contains:
>> >>> >> > <authentication mode="Forms">
>> >>> >> >   <forms name="AdoContentEditor" path="/contenteditor"
>> >>> >> >          loginUrl="/common/authenticate.aspx" protection="All" timeout="30">
>> >>> >> >     <credentials passwordFormat="Clear">
>> >>> >> >       <user name="admin" password="password" />
>> >>> >> >     </credentials>
>> >>> >> >   </forms>
>> >>> >> > </authentication>
>> >>> >> > <authorization>
>> >>> >> >   <deny users="?" />
>> >>> >> > </authorization>
>> >>> >> >
>> >>> >> > When I try to access an aspx page in /admin, as expected I am redirected
>> >>> >> > to /common/authenticate.aspx, however,
>> >>> >> > FormsAuthentication.Authenticate(txtUser.Text, txtPassword.Text) always
>> >>> >> > returns 'false'.
>> >>> >> >
>> >>> >> > I suspect I have got my web.config locations wrong, but have tried a few
>> >>> >> > combinations...any help/advice will be much appreciated!
>> >>> >> >
>> >>> >> > Thanks,
>> >>> >> > Simon.
>
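
The redirect loop visible in the IIS log excerpts in this thread can be picked out mechanically. The following is an added example, not part of the original messages: it parses lines in the six-field layout quoted above and flags a login POST answered with 302 that is immediately followed by another 302 on the page the user asked for and a return to the login page. The function names are hypothetical and the embedded sample reuses the four log lines from the top message.

```python
import re
from typing import NamedTuple

# Sample input: the four IIS log lines quoted in the top message
# (fields: time, client IP, user name, method, URI stem, status).
SAMPLE_LOG = r"""
16:34:19 127.0.0.1 - GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon POST /adocommon/authenticate.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /contenteditor/index.aspx 302
16:34:25 127.0.0.1 MachineName\Simon GET /adocommon/authenticate.aspx 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

class Hit(NamedTuple):
    time: str
    user: str
    method: str
    uri: str
    status: int

def parse(log):
    """Parse log text into Hit records, skipping lines that do not match."""
    hits = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            t, _ip, user, method, uri, status = m.groups()
            hits.append(Hit(t, user, method, uri.lower(), int(status)))
    return hits

def find_login_loops(hits, login_url):
    """Return (post, bounced_get) pairs: a login POST answered with 302,
    directly followed by a GET of another page that is itself answered 302,
    and then by a GET of the login page again."""
    login_url = login_url.lower()
    loops = []
    for a, b, c in zip(hits, hits[1:], hits[2:]):
        posted = a.method == "POST" and a.uri == login_url and a.status == 302
        bounced = b.method == "GET" and b.uri != login_url and b.status == 302
        back_at_login = c.method == "GET" and c.uri == login_url
        if posted and bounced and back_at_login:
            loops.append((a, b))
    return loops
```

Each returned pair names the request that was bounced, which is the one whose cookies and matching authorization rule are worth inspecting first.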