<authentication mode="Windows" /> missing from my Web API - asp.net-web-api

If I create a Web API in Visual Studio 2013 and I select that I want "Individual User Accounts" type of authentication (which is the equivalent of the ASP.NET Identity), the web.config file will include the following line in its section:
<authentication mode="None" />
However, if I select Windows Authentication as my choice for authentication, I would expect to see
<authentication mode="Windows" />
in the web.config file, but I don't. Why is that? Is Windows Authentication the default setting so that when missing is implied by the server?
Thanks,
Ed

None = no or custom.
Default = Windows.
http://msdn.microsoft.com/en-us/library/aa291347%28v=vs.71%29.aspx

Related

being redirected to wrong loginUrl -> account/login instead of account/LOGON

I have a strange error I have never run into before.
I secured a controller with:
[Authorize(Roles = "admin")]
public class LoggingController : Controller
When a non-admin user tries to access any protected content, they are redirected to:
http://localhost:50501/Account/Login?ReturnUrl=%2flogging
note: account/login and NOT account/logon
The AccountController.Login action does not exist.
web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
I can of course implement the Login action and redirect to Logon.
I am just puzzled and would like to know why this happens.
Search your project for login - it has to be specified somewhere. Is there any other web.config value overriding this (maybe looking at a child root and the parent value is being used)
Also is there any redirect that is happening? Are there any defaults set in your machine's web.config?
Is your default url on the project set to be a /login?
Install glimpse route debugger to see which route is being used for this page as well.
EDIT:
A little more research yields a known issue.
Check out this link:
ASP.NET MVC issue with configuration of forms authentication section
Theres a bug in mvc 3 beta - are you running the beta bits?
Also notice the mentioned item in the above url for RTM bits:
<add key="loginUrl" value="~/LogOn" />
Also check out
http://forums.asp.net/p/1616153/4138366.aspx
EDIT 2
Below is a solid comment about a potential source of this from #santiagoIT (upvote his comment please if the specifics help you)
Today I discovered the root of this problem: I had added 'deployable dependency' on 'ASP.NET Web Pages with Razor Syntax'. This adds a reference to: WebMatrix.Data.dll This assembly has a class with a static constructor that does the following: static FormsAuthenticationSettings(){ FormsAuthenticationSettings.LoginUrlKey = "loginUrl"; FormsAuthenticationSettings.DefaultLoginUrl = "~/Account/Login";} That explains!
This worked for me and I'm using MVC 3
<appSettings>
<add key="loginUrl" value="~/Account/LogOn" />
</appSettings>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" name=".ASPXFORMSAUTH" />
</authentication>
</system.web>
Also I found that adding the followinf part to the web config (only during debugging the config) helped speed up my debugging as had to authenticate for ANY page.
<authorization>
<deny users="?" /> <!-- remove after debugging -->
</authorization>
Just simply remove the WebMatrix dll if they are present in your deployed bin folder.
I fixed it this way
1) Go ot IIS
2) Select your Project
3) Click on "Authentication"
4) Click on "Anonymous Authentication" > Edit > select "Application pool identity" instead of "Specific User".
5) Done.

Routing requests that end in ".cshtml" to a controller

(This is cross-posted to the ASP.NET forms)
I'm working on the WebGit .NET project, and we are close to a "1.0" release. However, I'm having trouble getting my "Browse" controller (which pulls files out of the repository) to serve-up ".cshtml" files.
I originally had trouble with ".config" and ".cs" files as well, but I fixed that with this in the web.config:
<location path="browse">
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<clear />
</fileExtensions>
<hiddenSegments>
<clear />
</hiddenSegments>
</requestFiltering>
</security>
</system.webServer>
</location>
The routing that should be handling this request (that is successfully routing everything else) is:
routes.MapRoute(
"View Blob",
"browse/{repo}/blob/{object}/{*path}",
new { controller = "Browse", action = "ViewBlob", path = UrlParameter.Optional });
Now, whenever I try to access a URL that ends in ".cshtml", it gives a 404, even though my request should have been handled by the "Browse" controller. The files I'm serving-up do not exist on disk, but are instead pulled from a git repository as blobs. Every other file extension that I have tried works just fine.
How can I fix this behavior?
EDIT: I have tried disabling WebPages like so:
<appSettings>
<add key="webpages:Enabled" value="false" />
</appSettings>
But that appears to have no effect.
As a quick workaround, you can put a temporary browse.cshtml file at your application root and put this inside your web.config,
add key="webpages:Enabled" value="false"
This is a known bug in ASP.NET WebPages, which gets implicitly loaded when you are using MVC 3. I don't think there is a straightforward way of disabling this behavior. The only workaround is to use a different extension (specifically, one that is not listed via WebPageHttpHandler.GetRegisteredExtensions())
This will be fixed in MVC 4, however. Sorry for the inconvenience.

login redirect changed after using microsoft.web.helpers

In an asp.net mvc3 website, I imported the microsoft.web.helpers, webmatrix.data, and webmatrix.webdata. After that, I have found that when I use the [Authorize] attribute on some ActionResults in Controllers, my redirect points to account\login and not account\logon which is what it had done before and is the default.
I'm not using WebMatrix but would like to use the microsoft.web.helpers functionality. I've searched in code for any reference to account\login but there isn't any I could find. My web config for authentication is shown below:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
To override use:
<configuration>
<appSettings>
<add key="loginUrl" value="~/Account/Logon" />
</appSettings>
</configuration>
From http://www.redmountainsw.com/wordpress/archives/webmatrix-redirects-unauthorized-pages-to-accountlogin
I ran into that same issue some time ago.
I had added a 'deployable dependency' on 'ASP.NET Web Pages with Razor Syntax'. This adds a reference to: WebMatrix.Data.dll This assembly has a class with a static constructor that does the following:
static FormsAuthenticationSettings()
{
FormsAuthenticationSettings.LoginUrlKey = "loginUrl";
FormsAuthenticationSettings.DefaultLoginUrl = "~/Account/Login";
}
That explains! It will override whatever you had in your web.config.
you can just delete WebMatrix.WebData.dll from you bin file

Html.Telerik().StyleSheetRegistrar() output file generating 404 message on asset.axd

I'm using the Telerik controls form MVC and they work great in my work/home dev environments, and in the work prod environment, but when I tried to deploy to my home prod environment (IIS7) I get a problem.
I've added the axd mime type, but wan't sure what else to do.
I read a post suggesting adding a handler, but wasn't sure if I'm setting that wrong or I'm just looking in the wrong direciton.
if you're on IIS7 make sure you add the handler to the <system.webServer><handlers> section:
<add name="MyName" path="MyName.axd" verb="*" type="NameSpace.Class, Assembly" />
I added: <add name="ScriptRegistrar" path="Access.axd" verb="*" type="Telerik.Web.Mvc.UI.ScriptRegistrar, Version=v2.0.50727" />
http://localhost:1000/asset.axd?id=sQAAAB-LCAAAAAAABADsvQdgHEmWJSYvbcp7f0r1StfgdKEIgGATJNiQQBDswYjN5pLsHWlHIymrKoHKZVZlXWYWQMztnbz33nvvvffee--997o7nU4n99__P1xmZAFs9s5K2smeIYCqyB8_fnwfPyJ-8UfT9qNHH7X5u_butGk-Gn10SX_u7ezujHfH93Ye0gfTjx619TqnX2YfPbr36f3RR_Tze7_4oxU1PKmWbb5s775ur8scb5_zV9VHj3ZGHy2pwbRaLKrlGKB_yYi_2JUv2rzM6-LtuN9gL2xwWTRtJt9__5d8_5f8PwEAAP__qtxwmrEAAAA%3d
To enable web resource combining with the Telerik Extensions you need to register the WebAssetHttpHandler in your webconfig:
IIS 7
<add name="AssetHandler" preCondition="integratedMode" verb="GET,HEAD" path="asset.axd" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc"/>
IIS 6
<add verb="GET,HEAD" path="asset.axd" validate="false" type="Telerik.Web.Mvc.WebAssetHttpHandler, Telerik.Web.Mvc"/>
This handler enables you to use the Combine, Compress, and Cache features of the Script and StyleSheet Registrars. You can learn more and see additional config details in the Telerik online docs:
http://www.telerik.com/help/aspnet-mvc/web-assets-working-with-javascript-web-assets.html

Enabling FormsAuthentication for multiple subfolders in a site

We're trying to implement formsAuthentication on our site, but in a scenario that we haven't been able to find a solution for yet - other than creating our own HttpModule and doing the custom logic ourselves - so I thought I'd toss the question out there to see if this was indeed the only solution.
We'd like to use formsAuthentication on top of custom Membership providers, but would like to use a different provider for different folders. Our site partitions these sections with subfolders (eg: ~/Admin, ~/GoldCustomer, ~/SilverCustomer, ~/BronzeCustomer), so we'd like to use different Membership providers for each section/subfolder. Using the framework to support this, we'd implement our web.config like:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms name="AdminAuth" loginUrl="~/AdminLogin.aspx" />
</authentication>
<membership defaultProvider="AdminProvider" >
<providers >
<add connectionStringName="ConnString" name="AdminProvider" type="Assembly.AdminMembershipProvider" ... />
</providers>
</membership>
</system.web>
</location>
<location path="GoldCustomer">
<system.web>
<authentication mode="Forms">
<forms name="GoldCustomerAuth" loginUrl="~/GoldCustomerLogin.aspx" />
</authentication>
<membership defaultProvider="GoldCustomerProvider" >
<providers >
<add connectionStringName="ConnString" name="GoldCustomerProvider" type="Assembly.GoldCustomerMembershipProvider" ...="" />
</providers>
</membership>
</system.web>
</location>
<system.web>
<compilation debug="true" />
<authentication mode="Forms" />
</system.web>
</configuration>
Doing this though results in the runtime error:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Line 11: <location path="Admin">
Line 12: <system.web>
Line 13: <authentication mode="Forms">
Line 14: <forms name="FormsAdmin" loginUrl="~/login.aspx" />
Line 15: </authentication>
It seems that the only way to accomplish what we're trying is with a custom HttpModule - or change our approach (like breaking the folders up into different web apps in IIS). Is this correct, or am I missing something? Or are there other alternatives I'm not aware of?
Thanks for your help!
First of all, I think role-based security makes perfect sense for your application if you have control over the databases. But if you can't change it, it's a no-go.
The alternative solution can be a gateway login forms that redirects user to folder specific login form based on ReturnUrl querystring variable and that form will use the provider it wants to validate the user. Then it uses the FormsAuthentication.RedirectFromLoginPage to set an authentication cookie and redirect to the previous page. You can set the roles and use role based security to control access to each folder with <authorization> tag in web.config.
I'm not sure what you're trying to do but how about Roles for each of these customer types? Limit access by a role for each sub folder but you'd still have 1 membership provider and 1 role provider.

Resources