I used a rather simple approach and placed it as a partial view in my main layout template. I check for the UserHostAddress and if it is not in my "case list", I throw a 404 exception.

    @{
        // Address of the client making the request
        var clientIp = Request.UserHostAddress;
        switch (clientIp)
        {
            case "::1":        // IPv6 loopback (localhost)
            case "127.0.0.1":  // IPv4 loopback (localhost)
                break;         // allowed: render the page as usual
            default:
                // Any other address: respond as if the page does not exist
                throw new HttpException(404, "not found");
        }
    }

Password protect test site
Hi,
I'm working on a site on my localhost (IIS Express) and the site has a few Public Access protected subfolders for selected Member Groups. I use the standard asp:LoginView, LoginStatus controls and all this works great on my dev machine.
Moving this to a stage server I need to password protect the entire website. So I created a Windows account on the server, set permissions on the website folder and files and enabled Basic Auth in IIS. Now when I access it, it prompts me for my Windows account credentials and when user/pass is entered it lets me in.
However the Public Access protection in Umbraco seems to get sidestepped. When I try to access a "protected" subfolder I immediately get the content served and the asp:LoginName control displays my COMPUTER\USERNAME account name. (It is also impossible to log out via the asp:LoginStatus logout link.)
Is it not possible to have IIS Basic Auth on top of the Umbraco Public Access feature? If not, how should I set this up?
Thanks in advance
Magnus
Hi Magnus
I'm wondering why you need to password protect the stage server? Is it to avoid that the site is being indexed or accessed by people whom it does not concern etc.?
/Jan
Hi Jan,
It's to only let a select few access the site at this point in time.
/Magnus
Hi,
How did you get on with this? I am trying to achieve the same.
Hi Tom,
Could a possible solution for you be setting up IP address restrictions on the sites in the IIS manager? I must admit that I haven't tried it myself, but I've seen similar recommendations for restricting access to the Umbraco backoffice URL.
http://www.iis.net/configreference/system.webserver/security/ipsecurity
Here is another guide with some screenshots:
http://www.hrzdata.com/node/46
Hope this could be a solution for you, and can help you further.
/Dennis
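
As an added illustration of the IP address restrictions suggested in this reply (not part of the original post), the `ipSecurity` section from the linked IIS reference can be set in the site's web.config. The addresses are constructed examples taken from the documentation ranges and are assumptions, not values from this thread.

```xml
<!-- web.config at the site root (added example).
     Addresses are constructed placeholders; replace them with your own. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false": any client not matched by an <add> entry is denied.
           denyAction="NotFound" answers 404 instead of the default 403. -->
      <ipSecurity allowUnlisted="false" denyAction="NotFound">
        <!-- Requests made on the server itself -->
        <add ipAddress="127.0.0.1" allowed="true" />
        <!-- A single fixed address, e.g. an office egress IP -->
        <add ipAddress="203.0.113.10" allowed="true" />
        <!-- A whole subnet, e.g. a VPN address pool -->
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The `ipSecurity` section is locked at server level by default and needs the IP and Domain Restrictions role service installed, so it has to be unlocked before a site-level web.config may set it. The `denyAction` attribute requires IIS 8 or later.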
Unfortunately, I did not manage to solve this in a good way.
The solution of restricting access by IP was not a good option for us since the stage (demo) site was to be accessed by people on the road, accessing it from various addresses (mobile operators, hotel and conference facility Wi-Fi etc.).
//Magnus
I did it this way and it worked:
http://24days.in/umbraco/2012/creating-a-login-form-with-umbraco-mvc-surfacecontroller/
Hi Tom,
That would also not solve our problem. That would enable Members to log in. We kinda needed a sitewide block, so that in reality only people that actually also could log into backoffice as Users could reach the front page in the first place.
Our issue was that only some of our client's employees should be able to access the staging site from various locations while we were developing the site. When putting up content, not yet public information and/or products could appear there. And no outsider could be allowed to view this content.
And we were trying for a way to do this by config, not by code only to be run on a certain server.
//Magnus
Hi Magnus,
I just wonder if you have found a solution. I am looking for the same thing as you.
/ Martin
Martin,
Unfortunately I never managed to figure that one out. This was a few years ago so maybe there is some way, but since you are posting in this thread I assume that this is still a thing.
Regards,
Magnus
Hi Magnus,
I used a rather simple approach and placed it as a partial view in my main layout template. I check for the UserHostAddress and if it is not in my "case list", I throw a 404 exception.