Access denied logging in as different user - sharepoint

Our ASP.NET application pages are deployed as a feature into a MOSS 2007 farm.
When a user logs on to the site the user is directed to a default page.
In the top right corner there is an option "Log on as a different user".
If the user selects this option and enters the credentials of another user, an "Access Denied" message is displayed.
This message does not make sense since all the users have access to this default page. Furthermore, if the user now goes to the address bar and manually changes the URL to the default page, the page loads. I can see in the source part of the "Access Denied" URL that the encoded URL of the target page is the expected default page URL.
Previously, I made a change to the INIT.JS file to redirect the user in the case where the login change is done from a page that is not the default page.
function LoginAsAnother(url, bUseSource)
{
document.cookie="loginAsDifferentAttemptCount=0";
if (bUseSource=="1")
{
GoToPage(url);
}
else
{
var ch=url.indexOf("?") >=0 ? "&" : "?";
//url+=ch+"Source="+escapeProperly(window.location.href);
url+=ch+"Source="+escapeProperly(getSspLocation(window.location.href));
STSNavigate(url);
}
}
The original line is commented out.
The function getSspLocation is just a function I wrote to get the default page URL from any other URL.
function getSspLocation(url) {
var parts = url.split('/');
var result = "";
for (var i = 0; i < parts.length; ++i) {
result += parts[i] + "/";
if (parts[i].toLowerCase() == "ssp")
return result + "default.aspx";
}
return url;
}
Any ideas?

This will not answer your question, but I would advice you against modifying the init.js file. It is both against good practice and against Microsoft's recommendation, you will lose support from them. Furthermore, it will most certainly be overwritten when applying service packs and/or hot fixes.
If you have the need to customize the functionality of OOB script files, do so by deploying a custom master page that incorporates your custom scripts instead.

Related

Logged in user can only access 1 page?

Using Orchard 1.6 Iv created a new role 'FactoryWorker'. When this user logs in from the front end I want them to be navigated to one page only.
OrchardLocal/System/ManufacturedProducts
I have set this page to be a print screen of the order details so the factory worker will know what products to get ready for ship out & they wont be able to navigate as no menu appears, but also need the other pages blocked incase the user decides to enter the URL of a page they arnt allowed access to.
This is the only page I want this particular user to be able to access(after they login), and I have added a logout button, which logs out the user and returns them to the home page.
So iv been looking through editing a role, with permissions and content etc...but this all seems to be applying to forms and content in general. where the user can access any content type etc...
So can someone advise me on how to do this?
thanks for any replies
UPDATE
I forgot to mention that this is not a content type, item or part I am talking about.
I have created my own controller & View & VM which is accessible from the dash board (using the AdminMenu, which brings the admin user to OrchardLocal/System/ManufacturedProducts)
I have looked at Orchard.ContentPermissions Feature but it only seems to allow me to 1)Grant permissions for others or 2)Grant permission for own content
any ideas?
You can use a Request Filter, (I do not know if it is the best way) :
FilterProvider – defines the filter applied to each request. Resembles the way default ASP.NET MVC action filters work with the difference that it’s not an attribute. All FilterProvider objects are injected into the request pipeline and are applied to all requests (so you need to check if the current request is suitable for your filter at the beginning of an appropriate method).
From : http://www.szmyd.com.pl/blog/most-useful-orchard-extension-points
So you could implement something like this
public class Filter : FilterProvider, IAuthorizationFilter {
private readonly IAuthenticationService _authenticationService;
public Filter(IAuthenticationService authenticationService) {
_authenticationService = authenticationService;
}
public void OnAuthorization(AuthorizationContext filterContext) {
//If route is the restricted one
if (filterContext.HttpContext.Request.Url.AbsoluteUri.Contains("OrchardLocal/System/ManufacturedProducts")) {
//Get the logged user
IUser loggedUser = _authenticationService.GetAuthenticatedUser();
if (loggedUser == null)
return filterContext.Result = new HttpUnauthorizedResult();
//Get the Roles
var roles = loggedUser.As<IUserRoles>().Roles;
if (!roles.Contains("FactoryUser")) {
//User is not authorized
return filterContext.Result = new HttpUnauthorizedResult();
}
}
}
}
Note: Untested code!
EDIT: Also you could invert the logic and check if the logged user has the role 'FactoryUser' and restrict its access to every page except the one they should see.
Your module can create a new permission (look at one of the permissions.cs files for examples), then create a role that has only that permission. Have your controller action check that permission (again, many examples found by finding usage of the permissions defined in one of the permissions.cs).
You can use the Content Permissions module. Using this module you can attach a content item permission part to a content type. This part allows you to choose which roles can see the content when you create it.

Check user logged in to SharePoint Online from ASP.NET

How to check if user has logged in to SharePoint Online or not from a web application?
An approach is search for cookies of SharePoint in local machine, but it throw a security problem.
Any solution?
I have found the solution, exactly a trick that come from jQuery.getScript()
Using a function that return a string, and place one in web page, one in a .js file and upload to SPO doccument library. For example:
This function put in local web page:
function whereAmI(){
return "local";
}
This function save in a xxx.js file and upload to SPO:
function whereAmI(){
return "remote";
Notice those two function have same name.
Then in local web page, insert the following code:
jQuery.getScript("https://xxx.sharepoint.com/sites/xxx/DocLib/xxx.js", function () {
if (whereAmI() == "local") // if not logged in, getScript failed to get xxx.js, so the page call local whereAmI
// do something;
});
That's it.

WebClient with credentials still not downloading file

I am trying to download files from a website with username/password. You need to pay for a registered account in order to download files - which we have done. I am attempting to pass in the username/password and download a file as follows:
if (docUrl != null)
{
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password))
this.WebClientInstance.Credentials = new NetworkCredential(username, password);
fileData = this.WebClientInstance.DownloadData(docUrl);
this.WebClientInstance.Dispose();
isDataDownloaded = true;
}
WebClientInstance is a System.Net.WebClient. I debugged and verified that it is hitting the line to set credentials. Instead of downloading the PDF, I end up with an HTML page that prompts me to log in to get access to the file. I have verified that the username/password is correct. I use the same credentials to scrape the website with WatiN.
Is there something else that I'm supposed to be doing here?
UPDATE
Okay, I've done some sniffing around and found some useful info on this issue. I still haven't gotten it to work, but I think I'm closer. First, you need to create a cookie aware WebClient that extends the WebClient class, as follows:
public class CookiesAwareWebClient : WebClient
{
public CookieContainer CookieContainer { get; private set; }
public CookiesAwareWebClient()
{
this.CookieContainer = new CookieContainer();
}
protected override WebRequest GetWebRequest(Uri address)
{
var webRequest = base.GetWebRequest(address);
if (webRequest is HttpWebRequest)
(webRequest as HttpWebRequest).CookieContainer = this.CookieContainer;
return webRequest;
}
}
Next is to use the WebClient.UploadValues() method to upload the login info to the target website. The full process of authenticating and downloading the target resource is as follows:
using (var webClient = new CookiesAwareWebClient())
{
var postData = new NameValueCollection()
{
{ "userId", username },
{ "password", password }
};
webClient.UploadValues(docUrl, postData);
fileData = webClient.DownloadData(docUrl);
}
I was wrong about the site using forms auth. It is a JSP website and uses a JSESSIONID. I have verified that I am getting a cookie back with what appears to be a valid 32-byte JSESSIONID value.
However, when I call WebClient.DownloadData() it is still only returning the redirected login page. I've tried to fix this by setting the AllowAutoRedirect property on the HttpWebRequest to false, but then it returns 0 bytes.
Is there something else that I need to do so it won't redirect and will take me to the resource once I have authenticated?
(Answered in a question edit. Converted to a community wiki answer. See Question with no answers, but issue solved in the comments (or extended in chat) )
The OP wrote:
Solved. So the problem was between my ears. I was passing in the URL for the secure resource to the .UploadValues() method, knowing that it would redirect to the login page. However, I really needed to pass in the URL from the login form (where it goes upon submitting) - not the login page itself. Once I did that, it worked correctly. I think I'm going to go find a career in food service now.
LINKS
There were already a few questions posted on SO that addressed this issue. I just didn't know what I was looking for at first so I didn't see those... Anywhere here are a couple good resources that I came across when working on this issue:
how to maintaine cookies in between two Url's in asp.net
Trying to get authentication cookie(s) using HttpWebRequest

SharePoint -custom sign-in page

I am running a CMS web site on WSS 3.0.
I would like to have a custom sign-in page for the publishers. Do I have any other alternative other than the Welcome control? (For example, could I use ASP.NET Login control?
Thank you for your help.
That would depend on the authentication mechanism that you use. If you're using Active Directory, you're pretty much tied to the Welcome control.
If however you're using Forms Based Authentication, you can control to login page more completely.
FBA can be tricky to configure and I'd recommend staying with AD if you can, but if you have to go FBA, here's a good guide:
http://technet.microsoft.com/en-us/library/cc262201(office.12).aspx
This is really not much difficult.
It can only be happen if you have Forms based authenticated site not windows based, then you must have to modify login.aspx page.
this relies in _layouts folder of 12 hive. so you have to modify it.
Best way to do is, fo to _layouts folder, make a copy of it and paste it in somewhere in the disk and then change the location in IIS properties for the site of the _layouts folder to your copied one. and make the changes of that login page.
Points to remember.: It uses a master page and there are 5 or 6 customplaceholders requires. so do have them in your new masterpage.
Next is about the code behing for login control to work.
If you are customizing your login code. then you have to modify
this is an example :
using System;
using System.Web.Security;
using System.Web.UI.WebControls;
namespace CustomLoginPage
{
public class Login :
Microsoft.SharePoint.WebControls.UnsecuredLayoutsPageBase
{
protected System.Web.UI.WebControls.Login loginBox;
protected override bool AllowAnonymousAccess { get { return true; }
}
protected override bool AllowNullWeb { get { return true; } }
protected void Login_Click(object sender, EventArgs e)
{
if (AuthenticateUser(loginBox.UserName, loginBox.Password))
return;
}
protected bool AuthenticateUser(string emailAddr,
string password)
{
string userName = emailAddr;
MembershipUserCollection coll =
Membership.FindUsersByEmail(emailAddr);
if (coll != null && coll.Count == 1)
{
// We're doing this to force the enumerator to give us the
// one and only item because there is no by int indexer
foreach (MembershipUser user in coll)
{
userName = user.UserName;
}
}
if (Membership.ValidateUser(userName, password))
{
FormsAuthentication.RedirectFromLoginPage(userName, true);
return true;
}
return false;
}
}
}
so please do modify it.
The one Url which i follow to perform this is :
http://www.devx.com/enterprise/Article/35068/1954
Go ahead and if you face any issues. feel free to contact me : ankurmadaan2787#live.in
The answers below are really helpful -but I'm afraid my environment is limited (WSS 3.0, shared hosting).
So I simply added this link which opens up the authentication dialog:
Sign in
(Where the Source parameter indicates the URL to redirect to upon authentication.)
Thank you.

Reset page library permission for anonymouse user in SharePoint

In the Site Collection level there is a Page library, which has been created along with the whole site. I didn't touch it for long time until recently I added new content types, modified some page layouts and master pages using a solution file. When accessing the home page using the site configured for anonymouse user it failed with "401 UNAUTHORIZED" error on the web page. I noticed the URL was /_layouts/AccessDenied.aspx?Source=...&Type=list&name={...} Then I copy this string to the site for authenticated user, it appears as "Error: Access Denied". I also checked the guid of name={...}. It's the page library list ID.
It seemed the page library permission is not correctly set. However the other page libraries of sub sites are all working well under anonymous user, using the same new content type, master page and page layouts. Their permission are identical on the settings page (all inherit from parent) and all have "allow anonymous" enabled.
I also tried create pages with other page layouts in that page library, clean up content types, all didn't help.
It's not the permission issue of the page library, rather it is related to the code I modified. SPContext.Current.Site.RootWeb is the the refernce by anonymous user. That user do not have privilege to access root folder. I assumed that SPContext.Current.Site.RootWeb.RootFolder.WelcomePage would work with elevated privilege, but after some reading I realized it's not elevate the privilege as I thought. Here's an explanation.
bool rtn = false;
SPWeb rootWeb = SPContext.Current.Site.RootWeb;
SPSecurity.RunWithElevatedPrivileges(delegate()
{
using (SPSite site = new SPSite(rootWeb.Site.Url))
{
using (SPWeb web = site.OpenWeb())
{
rtn = web.Url + "/" + web.RootFolder.WelcomePage
== this.Page.Request.Url.AbsoluteUri;
}
}
});
return rtn;

Resources