
AllowAnonymousLogIn

gregweb
DevForce MVP


Joined: 10-Sep-2009
Location: Dallas Texas
Posts: 223
Posted: 31-Mar-2011 at 4:48pm
I am trying to get Registration to work in the Templates.
 
In order to allow a user to register, allowAnonymousLogin must be set to true.
 
But does this not defeat the purpose of having a person register?
 
I know that currently it's an all or nothing choice on allowAnonymousLogin.  But I don't want to have to resort to verifying security on every call on the server just so I can allow people to register.  It would be great if there were a better way of resolving this. 
 
Greg
robertg
IdeaBlade

Joined: 15-Mar-2011
Location: California
Posts: 87
Posted: 05-Apr-2011 at 4:27pm
Greg,

You need to have anonymous access enabled in IIS because otherwise, the user won't even be able to access public resources such as the login and registration pages. The trick is that you specify another directive in your config which requires a (forms) authentication cookie for all pages (or all pages except for login, registration, etc), and redirects the user to a specified location if they don't have it.

This article on MSDN, although old, should have the information you want: http://msdn.microsoft.com/en-us/library/ff647070.aspx. What you're looking for is entirely within the area of IIS administration, so you may be able to save yourself some time by asking a web admin or IT guy to do it.

-- Robert
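
The arrangement described in the reply above, as an added configuration example that is not part of the original post: ASP.NET forms authentication with anonymous users denied site-wide and a location exception for the registration page. The page names Login.aspx and Register.aspx are assumptions, and these rules govern ASP.NET URL access only.

```xml
<configuration>
  <system.web>
    <!-- Forms authentication: a request without a valid auth cookie is
         redirected to loginUrl. The login page itself is always reachable. -->
    <authentication mode="Forms">
      <!-- Login.aspx is an assumed page name.
           requireSSL="true" keeps the cookie off plain HTTP, so the site
           must be served over HTTPS for logins to work. -->
      <forms loginUrl="~/Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true" />
    </authentication>

    <!-- Default rule for every URL in the application:
         "?" means anonymous (unauthenticated) users. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Exception: the registration page (assumed name) stays public so a
       visitor with no account and no cookie can still reach it. -->
  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```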
gregweb
DevForce MVP


Joined: 10-Sep-2009
Location: Dallas Texas
Posts: 223
Posted: 06-Apr-2011 at 12:57pm
I am not sure we are on the same page here.
 
Starting with the SL Business Template, I add an ASPNETDB connection string which is the database for the users. 
 
Then the user goes to the Registration Page and registers.  This works until I want to disallow anonymous access to the business entities.  So I go into the web.config to the object server settings like this:
 
<objectServer>
<serverSettings useAspNetSecurityServices="true" loginManagerRequired="true" allowAnonymousLogin="false" />
</objectServer>
 
In other words, I need to verify that anyone connecting to the DevForce WCF service is authenticated so I don't get a hacker somehow making calls on the database.  To do that I change allowAnonymousLogin to false in the object server settings.  At that point, however, a person can no longer register, because he is an anonymous user when he is registering, which is disallowed.  Thus if I want to allow registering, I have to allow anonymous logon.
 
So of course I would like to allow people to register, as well as not allow anonymous calls to the data.  The only suggestion on this in the past has been to allow anonymous login, and then check every request on the server to see if it should be allowed or not.  This seems like an unworkable solution.  Surely there must be a better way.
 
Greg
robertg
IdeaBlade

Joined: 15-Mar-2011
Location: California
Posts: 87
Posted: 07-Apr-2011 at 11:31am
Greg,

Oh, sorry about that! Too many concepts using the same keywords...

If you look at the section on Security in the DRC, at http://drc.ideablade.com/xwiki/bin/view/Documentation/authorize, you'll see a section on RequiresAuthorization. If you don't want your authorization logic to be in the query interceptor itself, you can instead add this attribute to your partial class, or inject a base class into that partial class which has it. (Similarly, you could use RequiresRoles, supplying one role to your authenticated users, and a different role to the guest user.) Otherwise, I believe you'll have to continue validating access with each query, as described on this DRC page.

We do have an example of a robust security model for Silverlight applications in the DRC, at http://drc.ideablade.com/xwiki/bin/view/Documentation/code-sample-secure-infrastructure.

Let me know if I'm still missing something here... thorough, explicit examination of data access is part of a robust security model in public applications of any sort. It is good of you to be concerned about maintaining that security, even while trying to simplify the development structure of your app.

-- Robert
gregweb
DevForce MVP


Joined: 10-Sep-2009
Location: Dallas Texas
Posts: 223
Posted: 07-Apr-2011 at 1:42pm
Hi Robert,
 
The [RequiresAuthorization] attribute was just what I was looking for. Somehow I had gotten the impression that there wasn't such a property in DevForce, but thankfully there is!
 
I do appreciate the support.
 
Greg