I have a question regarding authorization in MVC3.
I'm currently looking at dening certain user access to the application.
I can du this in 2 ways. in the web.config (for global settings) or on the individual controllers (or actions).
But I see a different behaivour in these 2 approches.
when a user is denied access using web.config settings, they get a 401.2 error page stating "Access is denied.".
If they are denied access using a controller setting they still get a 401 response, but a blank page.
Related
Permission page
I'm trying to allow my app to work be able to allow users to login via LinkedIn, however i keep getting the 403 Forbidden Error as shown in the screenshot.
Hopefully someone can advise.
The error message clearly says that you do not have enough permission to use LinkedIn API. You need to request permissions from linkedin.
I'm getting this error when I try and access my website:-
HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers.
Most likely causes:
• No authentication protocol (including anonymous) is selected in IIS.
• Only integrated authentication is enabled, and a client browser was used that does not support integrated authentication.
• Integrated authentication is enabled and the request was sent through a proxy that changed the authentication headers before they reach the Web server.
• The Web server is not configured for anonymous access and a required authorization header was not received.
• The "configuration/system.webServer/authorization" configuration section may be explicitly denying the user access.
Things you can try:
• Verify the authentication setting for the resource and then try requesting the resource using that authentication method.
• Verify that the client browser supports Integrated authentication.
• Verify that the request is not going through a proxy when Integrated authentication is used.
• Verify that the user is not explicitly denied access in the "configuration/system.webServer/authorization" configuration section.
• Create a tracing rule to track failed requests for this HTTP status code. For more information about creating a tracing rule for failed requests, click here.
Detailed Error Information:
Module UrlAuthorizationModule
Notification AuthorizeRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x80070005
Physical Path D:\Logs
Logon Method Anonymous
Logon User Anonymous
More Information:
This error occurs when the WWW-Authenticate header sent to the Web server is not supported by the server configuration. Check the authentication method for the resource, and verify which authentication method the client used. The error occurs when the authentication methods are different. To determine which type of authentication the client is using, check the authentication settings for the client.
View more information »
Microsoft Knowledge Base Articles:
• 907273
• 253667
I have to use Anonymous authentication only, can anyone help please?
This unbelievably vague question and answer actually led me to the proper solution for the specific problem of HTTP 401.2 Unauthorized against an Anonymous Authentication resource in IIS. The "Authorization Rules" element within IIS allows a explicit Allow/Deny entries, with an explicit option for "All Anonymous Users." Specifying this solved an access problem I spent the better part of a day trying to resolve, and I thought I'd add the additional detail here.
For me, the solution was to go into IIS Manager, select the website, right-click on Authentication, select Open Feature, and then enable Anonymous Authentication.
This SO question has more possible solutions since it seems that there's a myriad of different reasons:- HTTP Error 401.2 - Unauthorized You are not authorized to view this page due to invalid authentication headers
Ok, Finally i got solution to my problem.
'Authorization Rules' were not set up on system.
I setup required 'Authorization Rules' and able to browse site successfully.
I'm having an issue with how to handle Bad Request (Error 400) in my MVC 4 application. I followed this article: http://www.digitallycreated.net/Blog/57/getting-the-correct-http-status-codes-out-of-asp.net-custom-error-pages to get my error pages setup to send the proper response codes. It works for all the codes I've tested so far (403, 404, and 500). But I'm having troubles with the 400 error code because I lose access to Session and User objects when the error is thrown. I am using Session and User to generate the menus (different users can see different menus depending on their role). So when I call to the menu controller to generate the menu, it throws a null ref exception because there isn't a Session or User object. I read that I don't have access to Session until after AcquireRequestState event is raised. So I suspect I haven't gotten there yet (how can I check this in debugger?). What other options do I have? I was thinking I could store the information in a cookie instead of the session, but I'd rather not...
My application requires the user to grant permission for getting transaction details on their behalf.
I'm using 'PayPal::SDK::Core::Util::OauthSignature' to generate the X-PAYPAL-AUTHORIZATION header but I'm confused by the url parameter.
I thought to use the API endpoint for that specific operation, which is https://svcs.paypal.com/AdaptivePayments/PaymentDetails, but it doesn't seem to work since I'm getting the same You do not have permission to get these payment details error.
We have a SharePoint 2007 site which has FBA configured (extended the webapp to different zone). The problem is that a user has to authenticate twice when the URL changes from http://site to http://www.site i.e if the user enters http://site it asks for username and after authenticating if the user clicks on a url containg http://www.site it authenticates again.
Our host header has both enteries for http and http://www.
Can anyone help me fix this issue (why is SharePoint treating http:// and http://www differently).
I don't think this is a SharePoint problem. The reason this is occuring is the FBA auth cookie is being set for http://site as the domain, so when the user navigates to http://www.site, the cookie isn't getting passed back to the server, and the user is being seen as unauthenticated.
I don't think there is a way to set the cookie for both sites without writing some code (if its even possible).