I want to reference a javascript file at the bottom of a page template.
I added the .js file under cmssitemanager / development / javascript files and then added the following to the master template (portal engine):
<script src="/CMSScripts/Custom/FOO/BAR.js"></script>
When I open the page in any browser, the javascript in the file isn't executing.
When try to access the file directly in the browser at domain.com/CMSScripts/Custom/FOO/BAR.js I get redirected to the Kentico logon page.
I don't see how/where I can specify security for the CMSScripts directory, but the user should not have to be logged in to access this file.
Any suggestions?
Update with info from first answer:
We are not currently using Windows Authentication, and I verified that the application pool user account has file-system permissions. I also verified that the application can add/delete/modify files using the cmssitemanager > administration > system > files > "test files" utility which resulted in OK status for creating/deleting/modifying folders and files.
I do have Check files permission checked in cmssitemanager > settings > system > files > security. Unchecking this option does not change the behavior, including after restarting both the application and the windows services.
The site is valid and has the correct license however there was NOT a domain alias defined. I added one however this did not change the behavior.
We have not made any changes to the web.config save for connection string information. If you are referring to this documentation on CMSUseTrailingSlashOnlyForExtensionLess in the web.config, this was not previously in there however adding it did not change anything. To that end, I wasn't seeing the site trying to redirect to domain.com/CMSScripts/Custom/FOO/BAR.js/ so I truly think it's tied to some kind of security ACL that is out of order.
Here is the solution provided by user FroggEye on the Kentico DevNet forum thread on this same issue:
You're best bet is to use the syntax below. Kentico does URL processing on all directories unless excluded and you'd have to exclude the CMSScripts directory from processing which isn't hard but the code below is a better solution.
<script src="/CMSPages/GetResource.ashx?scriptfile=/CMSScripts/Custom/FOO/BAR.js" type="text/javascript"></script>
This will do 2 things:
give you a standard place to call resources from (you can get stylesheets here as well)
allow you to use the build-in minimization functions.
Charles,
This is a strange behavior, it does not normally do that.
Do you have any windows auth going on ? where you possibly removed anonymous access (in IIS) to directories in the website folder ?
Do you have Check Files permissions turned on as a Kentico Site setting? (even though I'm fairly sure that won't affect requests to the JavaScript files in JS module)
Is it a valid site (enabled and running in CMSSiteManager) and domain name with a correct license and alias ?
Any custom modifications to web.config file that possibly changed httpHandlers or modules ? And are you running the correct extensionless URL settings in web.config ?
Related
I have a simple azure web app and have set the default document in the portal to home.aspx. There is a home.aspx file published, it is browsable via http://my-domain.azurewebsites.net/home.aspx (not real domain) however the default document won't work when browsing to http://my-domain.azurewebsites.net it returns a 404. There is nothing special here. I even added it to the web.confg and it still returns a 404. It is a web forms project, set to integrated security with the correct default document added. Any ideas?
I setup the following web app (West): supportforlucuma There is only one other app in that plan which is the one that isn't working.
I can see the home.html page by visit “http://supportforlucuma.azurewebsites.net/”, Is your issue solved? If no, I will provide more information of how to debug this issue.
Except to set default document on portal and web.config, the default document also could be set in RouteConfig.cs file. For example, following code will set the index.aspx as the default page of current web application and it has the highest priority. If index.aspx file is not exist, a 404 error will response to client. Please check whether the similar code is exist in RouteConfig.cs file.
routes.MapPageRoute("default", "{page}", "~/{page}.aspx",false,new RouteValueDictionary( new { page = "index" }));
For further troubleshooting this issue, we can to get the detail information of 404 response. For example, which modules are executed on server side during the default page is accessed. To do it, we need to enable Failed request tracing. Then we could see the detail information by download the tracing log from LogFiles folder. For example, "ftp://xx.ftp.azurewebsites.windows.net/LogFiles/W3SVC355162095/".
I have recently launched a website on GoDaddy hosting. I have keept some images and JavaScript files used in website, in separate folders. I want to prevent the users from browsing those images and files by simply appending the folder and file name in the website URL. For example
www.example.com/images/logo.png
If I understand correctly, you want to have html file with images, that shouldn't be accessible alone? If yes, then it cannot be done. You can watch for correct HTTP Referrer header, but it can be simply faked and it also makes it inaccessible for browsers that don't send referrer or having sending it forbidden for "privacy" reasons.
If you want hide files to be accessible only by server side scripts, ftp/scp, then you can try to use .htaccess (if GoDaddy runs on Apache) and correct configuration: https://httpd.apache.org/docs/2.2/howto/access.html
Another way could be hiding that files and creating one-shot token like this:
<img src=<?pseudocode GEN_TOKEN("file.jpg") ?> /> with another file serving these hidden files just for generated token, then deleting it from DB. Nevertheless, this will not protect anybody from downloading or accessing these files, if they want...
But, anyway, try to clarify your question better...
If you are keeping images/files in folder which is open to public, I guess you kept in that folder for purpose, you want public to access those images and files.
How public know images file name? Stop file content listing for your web site.
I am not aware which language you are using on web server, but in ASP.NET you may write module/ middle ware which can intercept in coming request and based on your logic (e.g. authentication and authorization) you can restrict access. All modern languages support this kind of functionality.
I am getting this following issue. What can be possible reason.
The requested page cannot be accessed because the related configuration data for the page is invalid.
For me all I did was delete the file web.config . However, my serverside was ColdFusion which has in-built functionality to do a deepsearch of web.config starting from the parent directory to the internal ones. so I had a web.config file in one of the inner directories.
Let's say there's a website www.example.com/user/john. Accessing that link takes you to www.example.com/user/john/index.html.
There are files like www.example.com/user/john/picture.png and www.example.com/user/john/document.html. These are also accessible to the public, but there's no link to these from index.html.
Is there a systematic way to find out these files? I'm asking because I'm going to set up my website, and I also want to put up a few files that I don't necessarily want every one to see, only people who I give the link to. So I'm wondering how easy/hard it is to find out that those files exist in my directory.
Most importantly you have to switch off the possibility to just browse the directory with the browser. Every server has its own way to switch this off. Then you can use the proposed way of "security through obscurity".
Another way can be, to have a specific folder whos access is restricted by a http basic authentication. This can be configured in the .htaccess file which you put in the root folder of your directory you want to share only with specific people.
Just google ".htacces" and "basic authentication".
HTTP does not provide a directory listing method as such. Most web servers can be set up to provide a HTML-formatted directory listing if an index file such as index.html does not exist. If you provide an index file so that autoindexing does not happen (or if you disable autoindex by web server configuration), and if your "hidden" file names are hard to guess, they should be pretty hard to find. I sometimes publish such files in a directory with a random gibberish name.
"Share links" used by Dropbox, Picasa and other services do the same, they just use longer random file/directory names or random parameters in the URL.
To provide real security you'll want to set up https (SSL/TLS) so that any eavesdroppers on the network cannot easily look at the requested URLs, and authentication such as HTTP Basic Authentication with username/password. For less sensitive stuff, http to a random hidden directory will often do fine.
How to enable the error information in the Sharepoint site by modifying the web.config file.?. I have done the following changes in web.config file
Callstack = true
CustomErrors mode = Off
Compilation debug = true
But still i am not able to get the call stack details(error details) in the sharepoint site for a error, instead of that i am getting this following error
"To enable the details of this specific error message to be viewable on the local server machine, please create a tag within a "web.config" file located in the root directory of the current web application". Please correct me on this?.
custom errors mode off, (or on, I can never remember). Then set debug=true. The catch is that there are many different web.configs used by sharepoint. There's one on the web application level (in inetpub, virtual directories), then there's one for layouts pages, control templates, etc in /web server extensions/14/. You have to make these changes in all of the relevant web configs associated with your code.
And obviously, make sure this is always turned off in production for security reasons.
You do not need to do an iisreset, changing a web.config file will cause one automatically.
Did you run iisreset?
Make sure you're changes in the web.config look like these:
<customErrors mode=”Off” />
<SafeMode … CallStack=”true” … >
<trace enabled=”true” pageOutput=”true”/>
PS: Showing stack traces in a production environment is not recomenned, instead use a tool like ULSViewer for diving through the log files.