Admin Login Page with SSL
Hi,
How can I configure the admin login page so that it must use SSL?
Thanks,
Hello Chen Chuan,
That's a tough one, the default Login page is an embedded resource and is passed through a route handler before being rendered. The easiest approach would be to create a custom login page from Administration->BackendPages under the Sitefinity node, and mark its Require SSL property. You can then provide the certificate in IIS. There is a role for non-authenticated users - "Anonymous". Denying this role View permissions would raise error code "403 Forbidden", which you can handle in the customErrors element in your web.config to automatically redirect you to the login screen when a user who lacks the proper permissions is trying to access a certain page. Please refer to the sample below:
<customErrors mode="On">
    <error statusCode="403" redirect="~/Sitefinity/Login"/>
</customErrors>
Alternatively it's possible to configure this in an application-wide settings class, i.e. Global.asax, where you could say:
protected void Application_Error(object sender, EventArgs e)
{
    var currentPage = HttpContext.Current.Request.Url.ToString(); //.Split('/').Last();
    Exception ex = Server.GetLastError();
    if (ex is HttpException)
    {
        HttpException httpEx = ex as HttpException;
        if (httpEx.Message == "You are not authorized to access this page")
        {
            // Clear the error first: Response.Redirect ends the request, so code after it does not run.
            Server.ClearError();
            // URL-encode the return URL so its own query string survives as a single parameter.
            Response.Redirect("~/Test?returnurl=" + Server.UrlEncode(currentPage));
        }
    }
}
Hi Boyan,
First, I don't understand why all other admin pages are able to activate the "Required SSL" property while the most basic admin page (the Login Page) cannot be configured. Is the admin login page not important, or do the login and password not need to be protected?
Second, although I created a custom Login Page, the page is still protected by Sitefinity Admin. If I enter the URL /Sitefinity/customlogin, the page is redirected to "Sitefinity/Login?ReturnUrl=/Sitefinity/customlogin".
Last, if this custom page really works, how can I override the default login page?
Thanks,
Hello Chen Chuan,
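In that case, why don't you try implementing an HttpModule and inside execute the following logic:
// httpContext is the current HttpContext inside the module's BeginRequest handler
if (!httpContext.Request.IsSecureConnection && httpContext.Request.Url.AbsolutePath.EndsWith("Login", StringComparison.OrdinalIgnoreCase))
{
    // endResponse: true already ends the response, so no separate Response.End() call is needed
    httpContext.Response.RedirectPermanent(httpContext.Request.Url.AbsoluteUri.Remove(0, 7).Insert(0, "https://"), true);
}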
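The HttpModule approach suggested above, written out as a complete module. This is an added example, not part of the original post and not Telerik's code; the namespace MySite, the class name LoginHttpsRedirectModule and the helper GetHttpsRedirect are hypothetical, and the login path is the /Sitefinity/Login route mentioned in this thread.

```csharp
using System;
using System.Web;

// Hypothetical names. Register the module in web.config, for example:
// <system.webServer><modules>
//   <add name="LoginHttpsRedirect" type="MySite.LoginHttpsRedirectModule, MySite" />
// </modules></system.webServer>
namespace MySite
{
    public class LoginHttpsRedirectModule : IHttpModule
    {
        // Assumption: the backend login route discussed in this thread.
        private const string LoginPath = "/Sitefinity/Login";

        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            Uri target = GetHttpsRedirect(ctx.Request.Url, ctx.Request.IsSecureConnection);
            if (target != null)
            {
                // endResponse: true stops further processing of the plain-HTTP request.
                ctx.Response.RedirectPermanent(target.AbsoluteUri, true);
            }
        }

        // Returns the HTTPS URL to redirect to, or null when no redirect is needed.
        public static Uri GetHttpsRedirect(Uri url, bool isSecure)
        {
            // Already on HTTPS: returning null here is what prevents a redirect loop.
            if (isSecure) return null;
            // EndsWith also matches when the site runs in a virtual directory.
            if (!url.AbsolutePath.EndsWith(LoginPath, StringComparison.OrdinalIgnoreCase)) return null;

            // Port = -1 selects the default HTTPS port; path and ReturnUrl query are preserved.
            var builder = new UriBuilder(url) { Scheme = Uri.UriSchemeHttps, Port = -1 };
            return builder.Uri;
        }

        public void Dispose() { }
    }
}
```

Behind a TLS-terminating load balancer IsSecureConnection is always false, so the check would need the proxy's forwarded-protocol header instead to avoid a redirect loop. Redirecting only the login page also leaves the authentication cookie travelling over plain HTTP on later backend requests unless the rest of the backend requires SSL as well.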
Hi Boyan,
Thanks for your reply, how can I implement it? Change it in Global.asax, or create a new class and change the web.config? Please let me know if there is any sample.
Thanks,
Hello Chen Chuan,
Actually both implementations are possible, you can find a sample on this forum thread. What you can do, as a quicker workaround would be to set SSL in IIS for all pages under the /Sitefinity node, please let me know if this solution will be more suitable for your use case scenario.
Greetings,
Boyan Barnev
the Telerik team
Hi Boyan,
Thanks for your quick reply. Actually I have tried setting SSL in IIS for all pages under /Sitefinity before. But the problem is that all my theme images and CSS will also be SSL protected for all public pages. As we need to take care of performance, we are trying not to use this workaround.
The thread you provided may be useful (I haven't tried it), but to me it is a bit complicated, as all I want is to automatically redirect the Login page to https. I am trying to find a way to replace the login URL in the route table. Isn't it possible?
Thanks,
Hello Chen Chuan,
I understand your concern, unfortunately overriding the default handler that constructs the login page would not be possible for now, as it's being registered in second place in the list of handlers, so adding it later would not suit the necessary functionality. You'll basically need to create your custom route handler, by inheriting from LoginRouteHandler.cs and then in Global.asax subscribe to Bootstrapper.Initialized and in there unload all default handlers ( routes.Clear(); ), and then load them again, with your custom login handler being loaded instead of the default login handler.
Thank you very much for the constructive feedback and pointing out the need for easier overriding of the default handlers, I've logged your suggestion as a feature request, and we'll see if we can include it in the implementation plans for the upcoming releases.
All the best,
Boyan Barnev
the Telerik team
Hi Boyan,
I'm looking to set HTTPS on the login page too. I already made my own route handler and registered it in "Global.asax".
I successfully redirect to a custom aspx in my solution, but I want something else. I want to redirect to a page inside Sitefinity. I tried replacing the virtual path of my aspx with the SFPageService virtual path, without success. It seems that inheriting from LoginRouteHandler doesn't permit using SFPageService.
Regards,
Nicolas
Hello Nicolas,
Actually, why not use the approach described in this KB article which we've released recently on the topic - once you've set your pages to require SSL under IIS and provided the appropriate certificate, you'll need to just loop through your Sitefinity pages, using our Pages API, and set their RequireSSL property to true. Since the Login page is constructed under the /Sitefinity node it will automatically require SSL as well. Please find below a code sample I've prepared for you which should accomplish this task:
App.WorkWith().Pages()
    .Where(p => p.Page != null)
    // Set RequireSsl to true, as described above, so that each page requires SSL
    .ForEach(p => { p.Page.RequireSsl = true; })
    .SaveChanges();
Hi Boyan,
The KB article is interesting. But it forgot a little thing: with a configuration like this you have to go to Administration > Settings > Advanced > System > ServicesPaths and set your "http://mysite", otherwise you break the publishing workflow.
Another thing, it's more like a bug. When you make your backend RequireSSL, editing pages that are not in SSL doesn't work on my site, because when you try to edit a page the URL is not under ~/Sitefinity.
Regards,
Nicolas
Any update on this thread? Does 5.0x have built in SSL security for administrative pages?
Does anyone know if this KB article for Sitefinity 4.2 still applies to 5.x to require SSL for Sitefinity back end pages?
http://www.sitefinity.com/devnet/kb/sitefinity-4-x/securing-a-sitefinity-backend-with-ssl.aspx
Hello,
I'd like to echo Dan's question from April-- does that KB article still apply for version 5.x? Are there any drawbacks to requiring SSL for all backend pages?
Thanks,
Kevin
Hello everyone,
We've updated the KB information with the latest set of instructions for enabling SSL for your Sitefinity site's backend, or globally. You can find the updated information at the same location: Securing a Sitefinity Backend with SSL.
Please do not hesitate to let us know if you spot anything you think should be added or corrected in the guide, we'll be glad to review your suggestions.
All the best,
Boyan Barnev
the Telerik team