Force user to log in to view protected pages
I have a number of protected pages I need to hide from the user unless they're logged in. I
tried breaking page permission inheritance and setting the "Advanced>Explicitly deny
this to selected roles and users:" option to "Anonymous".
I would have expected this to redirect to the login page but I'm getting the following instead:
Server Error in '/NLGSitefinityWebApp' Application.
This type of page is not served.
Description: The type of page you have requested is not served because it has been explicitly forbidden. Please review the URL below and make sure that it is spelled correctly.
Requested URL: /NLGSitefinityWebApp/user/digital-content
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.237
I'm running SF 4.4. What's the recommended practice for redirecting users to a login page?
Thanks -- Steve
Hello,
When you deny access to anonymous users, they get a 403 Forbidden HTTP error. So, what you can do here is add CustomErrors in your web.config and redirect to login page when a user gets a 403 error:
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm" />
</customErrors>
Hi Svetoslav,
Will this work if the login page is dynamically generated by SF? On my development box, my login page is located at:
http://localhost/NLGSitefinityWebApp/user/login
I have edited my web.config file like so:
<customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <!--<error statusCode="403" redirect="NoAccess.htm" />-->
    <error statusCode="403" redirect="~/user/login" />
    <error statusCode="404" redirect="FileNotFound.htm" />
</customErrors>
I decided to take a different approach to quickly get around this issue. I created a simple Widget with the following code behind:
using System;
using System.Web.Security;

namespace SitefinityWebApp.CustomControls
{
    public partial class ForceLoginControl : System.Web.UI.UserControl
    {
        // Default login page; can be overridden through the RedirectURL property.
        private string _RedirectURL = "~/user/login";

        public string RedirectURL
        {
            get { return _RedirectURL; }
            set { _RedirectURL = value; }
        }

        protected void Page_Load(object sender, EventArgs e)
        {
        }

        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);

            // Membership.GetUser(false) returns null when nobody is logged in.
            MembershipUser user = Membership.GetUser(false);
            if (user == null)
            {
                Response.Redirect(_RedirectURL);
            }
        }
    }
}
Hi,
The path to the page should be relative - if you are using the default login, it should be referenced like that:
"~/Sitefinity/Login" (so yours seems correct). Also, you can remove the default redirect link and the 404 redirect - they are just as an example there, not needed in your case.
Finally, don't forget to restart the server, so that the change can apply.
What you did can also be done, but you will have to repeat it for every page that you want to restrict. Handling the 403 error will redirect every time a user is denied.
Hi Svetoslav,
I did try manually restarting the server from IIS before posting but it had no effect on the error--not sure what the issue is. I'll dig into this further when I have some time. For now, I think I'll go with my custom control. I don't have a large number of pages to protect so this will get me up and running quickly.
Thanks -- Steve
Hi,
I'm glad that you found a way to get it working. Please let me know if you have any other difficulties or problems with this.
All the best,
I use the following in the Global.asax to redirect to a login page as it allows for the use of the login control's redirect after login functionality.
// Global.asax code-behind; needs "using System;" and "using System.Web;".
protected void Application_Error(object sender, EventArgs e)
{
    Exception ex = Server.GetLastError();
    if (ex is HttpException)
    {
        HttpException httpEx = ex as HttpException;
        string currentPage = HttpContext.Current.Request.Url.PathAndQuery;
        string loginPath = "~/login?ReturnUrl=";

        // check for access denied and prevent possible redirect loop
        if (httpEx.GetHttpCode() == 403
            && !currentPage.StartsWith(loginPath.TrimStart('~'), StringComparison.OrdinalIgnoreCase))
        {
            Response.Redirect(String.Concat(loginPath, currentPage));
            Server.ClearError();
        }
    }
}
Feature Request:
To have a predefined set of frontend error pages, separated in similar fashion to the current frontend and backend groups, that would be customizable (title, theme, layout and content) and support multi-lingual translation. The page for a given error would always exist (base error page can't be deleted but translations of it may be deleted) and always be accessible anonymously. The Sitefinity route handler would catch an HttpException, matching a predefined error page, and redirect to the error page. I see this being most beneficial for 403 and 404 errors, as they could easily be styled to look like the site and have access to the content of site.
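For the Global.asax redirect posted above, an added example (not code from any poster in this thread and not Sitefinity's own) of building the login URL so that the loop check still works when the site runs under an application path such as /NLGSitefinityWebApp, the original query string stays intact inside ReturnUrl, and only site-local return URLs are followed after login. The class and method names are hypothetical, and the string inputs stand in for Request.ApplicationPath and Request.Url.PathAndQuery.

```csharp
using System;

// Added illustration; LoginRedirect and its members are hypothetical names.
public static class LoginRedirect
{
    // Returns the login URL for a denied request, or null when the request is
    // already for the login page (so the caller must not redirect again).
    public static string BuildLoginUrl(string appPath, string pathAndQuery, string loginPage)
    {
        // "~/login" under "/NLGSitefinityWebApp" -> "/NLGSitefinityWebApp/login"
        string login = appPath.TrimEnd('/') + "/" + loginPage.TrimStart('~', '/');
        string pathOnly = pathAndQuery.Split('?')[0];
        if (pathOnly.Equals(login, StringComparison.OrdinalIgnoreCase))
            return null;
        // Encode so that '&' and '?' in the original query stay inside ReturnUrl.
        return login + "?ReturnUrl=" + Uri.EscapeDataString(pathAndQuery);
    }

    // Accepts only path-absolute URLs on the same site as a post-login target.
    public static bool IsLocalReturnUrl(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    public static void Main()
    {
        // Constructed sample requests, using the application path from this thread.
        string app = "/NLGSitefinityWebApp";
        string[] requests = {
            app + "/user/digital-content?tab=2&page=3",
            app + "/login",
            app + "/Login?ReturnUrl=%2Fx"
        };
        foreach (string r in requests)
            Console.WriteLine("{0} -> {1}", r, BuildLoginUrl(app, r, "~/login") ?? "(no redirect)");

        // Constructed ReturnUrl values as a login page might receive them (already decoded).
        string[] returns = { app + "/user/digital-content?tab=2", "//example.invalid/", "http://example.invalid/" };
        foreach (string u in returns)
            Console.WriteLine("{0} -> {1}", u, IsLocalReturnUrl(u) ? "follow" : "ignore, use default page");
    }
}
```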
Hello Luke,
Thanks for sharing your code with the community and for the feature request! I logged it in our system, here's the PITS issue, that you can follow:
http://www.telerik.com/support/pits.aspx#/public/sitefinity/9187
I updated your Telerik points.
Thanks Luke--very helpful.
--Steve