Digbyswift

Reputation: 10400

How can I deny anonymous access to a path at runtime

I have a multi-language .NET 4 Web Forms site (www.example.com/en/, www.example.com/fr/ etc.) and each language has a member area, e.g. www.example.com/en/members/ and www.example.com/fr/members/

A CMS (Umbraco) has control over language branches and content, and therefore has control over adding or removing them. This means that I cannot use the <location> sections in the root web.config to deny anonymous access to each members branch as they may be published after the application has started.

Is there any way to add a ConfigurationLocation section to the Locations property of a System.Configuration.Configuration instance after an application has started, without restarting the application? Alternatively, is there a more flexible way to control path access at runtime?

Upvotes: 0

Views: 222

Answers (2)

Digbyswift

Reputation: 10400

The solution I used was to create an HttpModule. But with an HttpModule in Umbraco, you cannot easily retrieve the currentNodeId as this is added as part of a different process.

The module carried out the following checks on the PostAuthenticateRequest event:

  1. Is the requested path a reserved path in Umbraco?
  2. Is the user authenticated already?

If these two both returned false:

  1. Using the request domain, I retrieved the root node id by finding the node with the matching associated domain;
  2. I then created an XPath query using the parts of the requested path but that existed underneath the node with the id retrieved above. This query gave me the current node;
  3. I then checked whether the current node existed as a descendant of a node flagged as requiring authentication.

Upvotes: 0

Icarus

Reputation: 63956

> Alternatively, is there a more flexible way to control path access at runtime?

You can extend all secure pages from a BasePage that has something like this inside the Page_Load event

    // Send unauthenticated visitors to the login page
    if (!HttpContext.Current.User.Identity.IsAuthenticated)
        Response.Redirect("Login.aspx");

Update

If you don't know which pages are going to be secured, change my code above to read the pages that need to be secured from a database table and compare the current page name with the ones contained in the list from the table. You can cache the list and automatically expire the cache every 20 min, for example. At least you'd be able to flag a page as Secure w/o restarting the app while maintaining some flexibility as far as not needing to know in advance which ones should be secure.

Upvotes: 1
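The two answers above can be combined: an HttpModule that runs on PostAuthenticateRequest and checks the request path against a list of protected prefixes that is cached and reloaded every 20 minutes. This is an added example, not code from either answer; the class name, cache key, `LoadProtectedPrefixes` helper and sample prefixes are hypothetical, it assumes Forms authentication, and it uses a plain prefix list in place of the Umbraco node lookup.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public class MemberAreaGuardModule : IHttpModule
{
    private const string CacheKey = "ProtectedPathPrefixes"; // hypothetical key
    public void Init(HttpApplication app) { app.PostAuthenticateRequest += OnPostAuthenticate; }
    public void Dispose() { }

    // Hypothetical loader: replace with a CMS or database query.
    private static string[] LoadProtectedPrefixes()
    {
        return new[] { "/en/members", "/fr/members" }; // constructed sample data
    }

    private static string[] GetProtectedPrefixes()
    {
        var prefixes = HttpRuntime.Cache[CacheKey] as string[];
        if (prefixes == null)
        {
            prefixes = LoadProtectedPrefixes();
            // Expire after 20 minutes so newly published branches are picked up.
            HttpRuntime.Cache.Insert(CacheKey, prefixes, null,
                DateTime.UtcNow.AddMinutes(20), Cache.NoSlidingExpiration);
        }
        return prefixes;
    }

    // Match whole path segments and ignore case, so "/en/members-info" is not
    // protected by accident and "/EN/Members/x" is not missed.
    internal static bool IsProtected(string path, string[] prefixes)
    {
        var p = path.TrimEnd('/');
        return prefixes.Any(prefix =>
            p.Equals(prefix, StringComparison.OrdinalIgnoreCase) ||
            p.StartsWith(prefix + "/", StringComparison.OrdinalIgnoreCase));
    }

    private static void OnPostAuthenticate(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        if (app.Context.User != null && app.Context.User.Identity.IsAuthenticated) return;
        if (!IsProtected(app.Request.Path, GetProtectedPrefixes())) return;
        FormsAuthentication.RedirectToLoginPage(); // assumes Forms authentication
        app.CompleteRequest();                     // skip the page handler
    }
}
```

The module still has to be registered in web.config (`<httpModules>` for the classic pipeline, `<system.webServer><modules>` for the integrated pipeline). Until the cache entry expires, a newly published members branch is not yet protected, so remove the cache entry from the CMS publish event if that window matters.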
