ASP.NET OWIN WebForms require authorization all pages

asp.net web-config authorization identity owin

10,732

Solution 1

You are right that there are no resources about using the classic ASP.Net authorization with the OWIN security middleware.

I'm using ASP.Net Web Pages, so my experiment is similar to yours (we both try to protect static files being aspx or cshtml).

My experiment was so horrific. I was about to bang my head at a wall.

At last I discovered how to make it run. And here is what I did:

Web.config: Protect everything except the special pages which must be available to anonymous users.

<configuration>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>

    <location path="shell.cshtml">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

    <location path="notFound.cshtml">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>

    <location path="security/login.cshtml">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

OWIN startup class:

    public static class Startup
    {
        public static void Configuration(IAppBuilder app)
        {
            var cookieExpiration = TimeSpan.FromMinutes(20);

            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active,
                CookieName = "efa",
                ExpireTimeSpan = cookieExpiration,
                SlidingExpiration = true,
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                Provider = new CookieAuthenticationProvider
                {
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<UserManager, User, long>(
                        validateInterval: cookieExpiration,
                        regenerateIdentityCallback: (manager, user) => user.GenerateUserIdentityAsync(manager),
                        getUserIdCallback: identity => Identity.Identity.ExtractIdFromClaims(identity))
                }
            });

            app.UseWebApi(new HttpConfig());
        }
    }

It was crucial to set AuthenticationMode = AuthenticationMode.Active. I spent a whole work day to discover this. If you set it to Passive, the authentication middleware won't populate the Identity and Principal objects of the HTTP context and the authorization module will forbid all requests.

This will make the classic UrlAuthorization module work for you based on the identity populated by the OWIN middleware. It must be noted that the Nuget package Microsoft.Owin.Host.SystemWeb must be installed, otherwise OWIN won't be integrated with the ASP.Net pipeline.

You may also use these modern OWIN authorization modules http://leastprivilege.com/2014/06/24/resourceaction-based-authorization-for-owin-and-mvc-and-web-api/ They're highly customizable and can protect MVC controller, Web API controllers, and static files.

Solution 2

Adding the following filter to the default App_Start/FilterConfig.cs file (in the RegisterGlobalFilters method) did the trick:

filters.Add(new AuthorizeAttribute());

Solution 3

The old .NET forms authentication HTTP module is gone and has been replaced by OWIN Forms middleware.

Here are a few articles to get you started.

10,732

Author by

Wayne Bloss

Updated on June 14, 2022

Comments

Wayne Bloss almost 2 years
I created a new ASP.NET WebForms application with Visual Studio 2013, Update 2. Then I updated all of the NuGet packages and removed all of the OAuth stuff since I just want "forms" authentication, which is what I'm familiar with.

What I want is to configure the OWIN/ASP.NET Identity framework so that all pages require authorization, including default pages - so the first page a user should see is the Login page. What is the correct way to do this? I cannot find any resources on the Internet that show how to secure a WebForms page with OWIN/ASP.NET Identity.

I added the following XML to the bottom of my main web.config file, I get an error:
```
<authorization>
  <deny users="?"/>
</authorization>
```
The error is: The requested page cannot be accessed because the related configuration data for the page is invalid.
Skuli over 9 years

Can you use filters in a WebForm? Sounds strange. I've never seen that but have looked around quite a bit. Am I missing something obvious?
Wayne Bloss over 9 years

This filter applies only to WebApi, which you can add to a WebForms app. The rest of the app (aspx pages) are secured by entries in various Web.config files: <location><system.web><authorization><allow roles="super"/><deny users="*" /></authorization></system.web></location>
Wayne Bloss over 9 years

Just one more note: In the above comment I'm talking about my current project. Back in July when I answered this, I may have been talking about a different project but I can't remember! In any case, good luck.
Skuli over 9 years

Thank you. Makes sense now.