Issue relating to Active Directory group - asp.net-mvc-3

We have an ASP.NET MVC application. A person can see a view if they are in one of the Active Directory groups. We have only one box for hosting our database and application (code).
Our problem:
A person does not exist in any one of the AD groups, but he is Administrator on the box.
For some reason, he is authenticated with the view. He is not supposed to be authenticated.
I do not know why it's happening.
I know this is a unique problem. Has anyone had a similar issue?
This is the code we are using for authenticating a user:
```csharp
if (LoginHelper.IsUserMemberOfRoles(LoginHelper.GetLoggedInUser(), new List<string> { GroupEnum.OurADGroupName.ToString() }))
{
    //authenticated
}
else
{
    //Redirect to not authorised View
}
```
My understanding:
As the person is Admin on the box, does this override all AD group permissions?
It sounds very silly but I think this is one possibility?

He surely must be an admin or in a group in Active Directory.
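As an added diagnostic, not the questioner's LoginHelper code: this helper lists every group the logged-in Windows identity actually carries (domain, nested and local groups such as BUILTIN\Administrators) and checks membership by SID rather than by display name, so you can see what is satisfying the check for a local Administrator. It assumes Windows authentication, so that HttpContext.User.Identity is a WindowsIdentity; CONTOSO in the usage comment is a placeholder domain.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example, not the questioner's LoginHelper. Shows which group
// memberships the current Windows identity carries, so you can see what is
// satisfying the AD group check for a user who is a local Administrator.
public static class GroupDiagnostics
{
    // Every group in the identity's token: domain groups, nested groups and
    // local groups such as BUILTIN\Administrators.
    public static IList<string> ListGroups(WindowsIdentity identity)
    {
        var names = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
        {
            try
            {
                names.Add(sid.Translate(typeof(NTAccount)).Value); // e.g. CONTOSO\OurADGroupName
            }
            catch (IdentityNotMappedException)
            {
                names.Add(sid.Value); // keep the raw S-1-5-... form if it cannot be resolved
            }
        }
        return names;
    }

    // Compare SIDs, not names: a name-based check would also accept a local
    // group that merely shares its name with the domain group.
    public static bool IsMemberBySid(WindowsIdentity identity, string domainGroup)
    {
        var wanted = (SecurityIdentifier)new NTAccount(domainGroup)
            .Translate(typeof(SecurityIdentifier));
        return identity.Groups.Contains(wanted);
    }

    // Usage from a controller (CONTOSO is a placeholder domain name):
    //   var id = (WindowsIdentity)HttpContext.User.Identity;
    //   foreach (var g in GroupDiagnostics.ListGroups(id)) Trace.WriteLine(g);
    //   bool ok = GroupDiagnostics.IsMemberBySid(id, @"CONTOSO\OurADGroupName");
}
```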

Related

Is there a way to extend BlogEngine in order to prevent unauthenticated users from accessing images?

Still using a very old (and slightly customized) version of BlogEngine.NET on a Windows XP (!) server, so I'm a bit afraid to upgrade.
In the past, I have written a couple of extensions in order to grant or prevent access to static pages and/or posts based upon the users/roles and/or the post categories. For instance, I can prevent access to the blog from unauthenticated users, I can grant access to a subset of the blog (post categories) to users having the 'Readers' role, etc.
I noticed that images are still accessible, either ones stored explicitly under the /App_Data/files/ folder and served by the image.axd handler, or ones associated with blog posts.
Is there an extension point available where I could add some logic to prevent access to images based on criteria such as authentication and/or users/roles? Perhaps based upon their file extensions, or whatnot?
I don't know about an official extension point but I think the edits you need to make are as follows.
According to this line in the web.config:
```xml
<add verb="*" path="image.axd" type="BlogEngine.Core.Web.HttpHandlers.ImageHandler, BlogEngine.Core" validate="false"/>
```
image.axd is handled by BlogEngine.Core.Web.HttpHandlers.ImageHandler.
If you look in the BlogEngine.Core project you will find ImageHandler.cs, which defines this class. Assuming you need access to the Session, you will need to add IReadOnlySessionState as an implemented interface to the class.
```csharp
using System.Web;
using System.Web.SessionState; // IReadOnlySessionState lives here

public class ImageHandler : IHttpHandler, IReadOnlySessionState {
    ...
}
```
Once this is in place you can access the Session in the ProcessRequest method to perform your custom checks.
```csharp
public void ProcessRequest(HttpContext context) {
    // Session values are typed object, so unbox before comparing:
    // "== true" would be a reference comparison that is never true.
    object flag = context.Session["SomeKey"];
    if (flag is bool && (bool)flag) {
        //serve image code goes here
    } else {
        context.Response.StatusCode = 403; // deny by default
    }
}
```
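As an added example that is not BlogEngine's own ImageHandler: a complete image.axd-style handler that gates files under /App_Data/files/ on the authenticated user's role (the same role data the Roles provider exposes) instead of a session flag, and refuses requests whose canonical path leaves that folder. The role name "Readers" and the "file" query parameter are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Added example, not BlogEngine's ImageHandler: an image.axd-style handler that
// serves files from ~/App_Data/files/ only to authenticated users in one role
// and only when the canonical path stays inside that folder. "Readers" and the
// "file" query parameter are assumed names.
public class GatedImageHandler : IHttpHandler, IReadOnlySessionState
{
    private const string AllowedRole = "Readers";
    private static readonly string[] AllowedExtensions = { ".png", ".jpg", ".jpeg", ".gif" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Deny unless the request carries an authenticated principal in the role.
        if (context.User == null || !context.User.Identity.IsAuthenticated
            || !context.User.IsInRole(AllowedRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // 2. Canonicalise the requested name and confirm it is still under the
        //    files folder; an absolute path or ".." component fails this test.
        string root = Path.GetFullPath(context.Server.MapPath("~/App_Data/files"))
                      .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string name = context.Request.QueryString["file"] ?? string.Empty;
        string full = Path.GetFullPath(Path.Combine(root, name));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase)
            || Array.IndexOf(AllowedExtensions, Path.GetExtension(full).ToLowerInvariant()) < 0
            || !File.Exists(full))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 3. Serve with a content type derived from the extension (.NET 4.5+ API).
        context.Response.ContentType = MimeMapping.GetMimeMapping(full);
        context.Response.TransmitFile(full);
    }
}
```

Register it in web.config in place of the ImageHandler line quoted above if you want it to answer image.axd requests.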

Wicket invalidate session & login on same event

When I try to log in while I'm already logged in, Wicket gives me a LoginException: "Additional logins are not allowed". This makes sense of course.
What I want to do is invalidate the session if there is already a user logged in, and log in in the same event.
```java
if (((AuthenticatedWebSession) getSession()).isUserAuthenticated()) {
    ((AuthenticatedWebSession) getSession()).invalidateNow();
}
((AuthenticatedWebSession) getSession()).login(secureLoginContext);
```
It seems invalidateNow is completed after the onSubmit event, because Wicket still gives me the same LoginException.
Any ideas how to make this work?
Why do you want to log in again? Are you trying to log in with different credentials?
I have once written a panel where a user (already logged in) could log in as another user if he had sufficient rights. I ran into a similar problem and fixed it by forcing Wicket to make a new session with ThreadContext.setSession(null).
So your code would become:
```java
import org.apache.wicket.ThreadContext;
import org.apache.wicket.authroles.authentication.AuthenticatedWebSession;

// inside the login form's onSubmit()
if (((AuthenticatedWebSession) getSession()).isUserAuthenticated()) {
    ((AuthenticatedWebSession) getSession()).invalidateNow();
    // drop the invalidated session from the thread so getSession() creates a fresh one
    ThreadContext.setSession(null);
}
((AuthenticatedWebSession) getSession()).login(secureLoginContext);
```

Reset Password Link Joomla - While in "maintenance mode" / offline mode

How do users reset passwords while in "off-line" mode?
We are running the site as an intranet.
Joomla 2.5.4
Hmm, this is quite long to do, but maybe you can work it out.
Grant your user level offline access (you can do that in Global Configuration -> Permissions).
Create a menu entry that points to the user profile and set it visible to your users.
Set every menu/module etc. invisible to "normal" users (except the previous one).
I've never tried it before, but it should work.
I just wanted to share my solution for Joomla 3.9:
In the file "offline.php" of your template (or in /templates/system if the template has no offline.php) you can place this code before where the login form is displayed:
```php
<?php
if (JRequest::getVar('option') == 'com_users') {
    // let com_users render its own dialogs (e.g. the reset-password form)
    ?><jdoc:include type="message"/><?php
    $registrationController = new UsersController();
    $registrationController->display();
} else {
    // Login Form
}
?>
```
so it displays the dialogs to reset the password if the page is loaded by using "index.php?option=com_users&task=request.reset" or similar, but shows the "offline" login form by default.

Setting roles by using GenericPrincipal instance

Recently I asked a question about how to use AJAX calls to authenticate a user in ASP.NET MVC, and I got my answer.
But then I decided to use the 'Roles' property of the 'GenericPrincipal' class, so I changed my code as follows to contain 'Roles':
```csharp
HttpContext.User = new System.Security.Principal.GenericPrincipal(
    new System.Security.Principal.GenericIdentity(login.LoginName),
    userRole);
```
In my site.master view, I check to see which kind of roles the user belongs to and I show the appropriate menu, but when I watch 'HttpContext.Current.User.Identity' values during debugging, I see m_roles=string[0] and 'IsInRole("Admin")' returns false.
How could it be fixed?
Try setting the current thread principal:
```csharp
System.Threading.Thread.CurrentPrincipal = principal;
```
as is shown here:
http://social.msdn.microsoft.com/forums/en-US/Vsexpressvcs/thread/5f9735a9-096b-47af-963d-e95130cad6b4
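A principal assigned in one request does not carry over to the next one, so besides setting Thread.CurrentPrincipal the roles have to be re-attached on every request. This added example (not the questioner's code) goes one step beyond the answer: it assumes forms authentication, stores the roles in the ticket's UserData at login and rebuilds the GenericPrincipal in Global.asax; IssueTicket is an assumed helper name.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

// Added example, not the questioner's code. A GenericPrincipal assigned to
// HttpContext.User lives only for that request; on the next request forms
// authentication builds a fresh identity with no roles. So the roles are kept
// in the ticket's UserData and the principal is rebuilt on every request.
public class Global : HttpApplication
{
    // Called by the login action after the credentials are verified
    // (assumed helper name); roles are stored comma-separated in UserData.
    public static void IssueTicket(HttpResponse response, string loginName, string[] roles)
    {
        var ticket = new FormsAuthenticationTicket(
            1, loginName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, string.Join(",", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket)) { HttpOnly = true };
        response.Cookies.Add(cookie);
    }

    // Runs on every request after the forms cookie has been decrypted.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;
        var formsIdentity = Context.User.Identity as FormsIdentity;
        if (formsIdentity == null) return;

        string userData = formsIdentity.Ticket.UserData;
        string[] roles = string.IsNullOrEmpty(userData) ? new string[0] : userData.Split(',');

        // Set both: HttpContext.User is what views and [Authorize] consult,
        // Thread.CurrentPrincipal is what thread-based role checks consult.
        var principal = new GenericPrincipal(new GenericIdentity(formsIdentity.Name), roles);
        Context.User = principal;
        Thread.CurrentPrincipal = principal;
    }
}
```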

Scoping sessions to a particular section of a Coldfusion application?

Is there a way to enable sessions for just a specific part of the ColdFusion application by just adding an Application.cfm with the session enablers into its directory?
For example, a website that has the following:
/extranet
/intranet
/store
/rentals
I want to use session variables in the rental section, independent of the ones in the intranet and store.
If you don't want to share session variables, and don't need to share application variables, then it's easy. Just put a different Application.cfc (or .cfm) in the root of the context for which you want access to the session variables.
So if you want sessions in /extranet, and sessions in /intranet, and don't want them to be the same application, then:
/extranet/Application.cfc:
```cfml
component {
    this.name = "extranet";
    this.sessionmanagement = true;
}
```
/intranet/Application.cfc:
```cfml
component {
    this.name = "intranet";
    this.sessionmanagement = true;
}
```
It sounds like you aren't really up to speed on all of the things that you can do with Application.cfc, so I'll also add that this is a really good reference. There is a lot to learn, but it is also pretty simple once you understand how it works.
Maybe a single sign-on (SSO) solution would work for you? Rather than monkey around with the values in the session struct, just pass a user id from one app to another. When the user passes from extranet to rentals, the app says "here comes user #45", the rentals app looks them up in the DB, does some validation to make sure that the user is who the extranet says they are, then starts a new session for them in rentals.
