Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Mike Linkovich 10 posts 41 karma points
    Jul 31, 2015 @ 17:07
    Mike Linkovich
    0

    Password protect site while in development?

    Hi, we'd like to password protect our site while in development so only we can see it. Then we'd like to remove that restriction.

    I've found this thread from several years ago. It says to paste that form code into the "standard Umbraco template" (is this the master template?)

    I tried doing that but it just prints the following on the page in plain text, no form or anything:

    LOGIN
    PASSWORD
    HUSK login & password
    
    Du er logget ind som: (Logged in as:)
    

    Is there an up-to-date way to do this? That form code doesn't look like MVC style code, I don't know what that asp / runat stuff is.

  • Casper Andersen 126 posts 508 karma points
    Aug 03, 2015 @ 09:19
    Casper Andersen
    0

    Absolutely. What you linked, was back when Umbraco was used with Webforms, but since then it has switched to MVC, you can still use Webforms but would not recommend it.

    I could type in all the code you need. BUT for your sake i think it's better if you go to the Umbraco backend, go to the settings section and then go to Partial View and create a new partial view, it will prompt you to enter a name and and if you want a to choose template, here you can choose the Login template, which will supply you with all the code you need. then you can call your partial view on whatever page you want like this.

    @Html.Partial("PartialViewNameHere")

    Hope this gives you an idea and that it helps

  • Steve Morgan 1349 posts 4459 karma points c-trib
    Aug 03, 2015 @ 12:25
    Steve Morgan
    1

    I think you'd be best doing this at the IIS level - either with an IP restriction or basic auth.

  • Alex Skrypnyk 6175 posts 24186 karma points MVP 8x admin c-trib
    Aug 03, 2015 @ 12:34
    Alex Skrypnyk
    0

    Yes, Steve, it would be better at IIS level !

  • Mike Linkovich 10 posts 41 karma points
    Aug 04, 2015 @ 14:33
    Mike Linkovich
    0

    Thanks for the help everyone. I would do it on IIS, but current IIS doesn't support basic password protection anymore, and we can't do it by IP address.

    I'll take a look at implementing the form, but I really want an easy on/off switch for the entire site and hope it doesn't involve changing every page.

  • Steve Morgan 1349 posts 4459 karma points c-trib
    Aug 04, 2015 @ 15:00
    Steve Morgan
    0

    Hi,

    You're right - it doesn't by default but is very easy to install.

    http://www.iis.net/configreference/system.webserver/security/authentication/basicauthentication

  • Mike Linkovich 10 posts 41 karma points
    Aug 04, 2015 @ 15:57
    Mike Linkovich
    1

    Thank you Steve! That works, I thought the feature had been removed from IIS. Additional notes for anyone else searching this thread:

    After installing the Basic Authentication feature for IIS, in IIS Manager you need to 1) disable Anonymous Authentication then 2) enable Basic Authentication for your Umbraco site.

    Then to view the site need to enter the credentials for an existing Windows user account that exists on that box. (Eg. create a "tester" user & password for this purpose.)

  • Barry Fogarty 493 posts 1129 karma points
    May 10, 2016 @ 11:18
    Barry Fogarty
    2

    Sorry to resurrect an old thread, but there is a problem with this approach in that you cannot log in to Umbraco once you enable Basic Auth in IIS, as it means (I believe) the Forms Auth required by the Umbraco backoffice no longer works.

    If you have found a way in config to accomplish this, it would be great if you could share the info. The simplest alternative is to use Umbraco's in-built Public Access feature (Forms Auth) to password protect the site's front end. I am looking for a more generic solution though.

    I did find a interesting article on combining Forms and Windows auth which I am going to try, unless there is an easier way!

  • Simon Dingley 1474 posts 3431 karma points c-trib
    May 10, 2016 @ 11:59
    Simon Dingley
    0

    Hey Barry,

    I just found that out the other week, it used to work but then when I tried to do it to a new site the back office login does break for the reason you highlighted. There is a warning in IIS as well to say that you can't combine them as they don't work together when you try and enable both.

    Thanks for the link looks like that's worth a try!

  • Martin 114 posts 313 karma points
    May 10, 2016 @ 12:30
    Martin
    0

    I use a simple approach using a partial view which checks if your ip-address is allowed. Otherwise I throw a 404 exception.

    If you are on a web hotel, changing ip-security may often be not allowed.

    @{
    
    var clientIp = Request.UserHostAddress;
    
    
    //  Use:  "throw new HttpException(404,"not found");" to deny access
    
    // "::1" is same as localhost
    
    
    switch(clientIp)
    {
        case "::1":
            @*<p>Localhost</p> *@
            break;
        case "127.0.0.1":
            @*<p>Localhost</p> *@
            break;
        case "xx.xxx.xx.xx":
            break;
        case "xx.x.xxx.xxx":
            break;
        default:
             throw new HttpException(404,"not found");      
    }
    }
    
  • Barry Fogarty 493 posts 1129 karma points
    May 10, 2016 @ 14:07
    Barry Fogarty
    0

    Thanks Martin, I considered IP whitelist (in fact it is possible to do it via the IIS rewrite module in web.config) but for my application it is not practical as the clients are not all on fixed IPs. Also I am looking for a portable solution that can be applied to all sites currently in dev / UAT phase.

    I'm currently looking into an interesting approach by Tim Payne that he blogged about here

  • Barry Fogarty 493 posts 1129 karma points
    May 10, 2016 @ 16:10
    Barry Fogarty
    2

    FYI For others interested in this topic, I implemented an IIS rewrite rule inspired by Tim Payne's blog post above. My use case is slightly different - the rule simply redirects all requests to the standard Umbraco backoffice login page if the Umbraco login cookie is not present. Neat! Obviously not super secure but enough to satisfy clients that their dev sites are not on public display. #H5YR to Tim Payne!

    <rule name="AdminLockout" stopProcessing="true">
              <match url="(.*)" />
              <conditions>
                <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
                <add input="{URL}" pattern="(favicon\.ico|umbraco|webresource|scriptresource)" negate="true" />
                <add input="{HTTP_COOKIE}" pattern="UMB_UCONTEXT=[^;]*" negate="true" />
              </conditions>
              <action type="Redirect" url="/umbraco#/login/false?returnPath=/{R:0}" />
            </rule>
    
  • Simon Dingley 1474 posts 3431 karma points c-trib
    Jul 27, 2016 @ 14:24
    Simon Dingley
    2

    Great stuff Barry but I had to make one small tweak or I couldn't see the login page. I needed to add DependencyHandler.axd to the list of urls to exclude from the rule as follows:

    <add input="{URL}" pattern="(DependencyHandler\.axd|favicon\.ico|umbraco|webresource|scriptresource)" negate="true" />
    

    For most people this probably wouldn't be an issue on a dev site because you will likely be in debug mode but I was testing with debug disabled and therefore all of the back office resources were being compiled with ClientDependencyFramework.

    Cheers, Si

  • Barry Fogarty 493 posts 1129 karma points
    Jul 27, 2016 @ 14:50
    Barry Fogarty
    1

    Good catch @Simon. I also had reason to do this on a 7.4 site, and found this Http Auth Module Nuget package really handy. It enables a range of simple authentication methods and IP-based restriction. Its all config-based so you can easily set up different authentications per environment.

    One for the tool belt :-)

  • Ian 23 posts 113 karma points
    Sep 09, 2016 @ 13:29
    Ian
    2

    Hi Barry

    great soln but we couldnt get it to work well because we ended up with 301 Permanent redirects, meaning that for some pages you always seemed to end up on the backoffice login screen, even after logging in (the cookie also showed the user was still auth'd).

    Changing the rule action to include redirectType="Temporary" and clearing our browser caches seemed to do the trick, ie:

    <action type="Redirect" url="/umbraco#/login/false?returnPath=/{R:0}" redirectType="Temporary" />
    

    Hope that helps anyone else with the same problem.

  • Zac 223 posts 575 karma points
    Sep 09, 2016 @ 13:59
    Zac
    0

    I've also used Barry's solution, and noticed it was defaulting to Permanent. You certainly need to change it to "Temporary"!

    I did later notice some issues, whereby the returnPath didn't work and after logging into Umbraco we would stay there. I never bothered to find a solution.

    I do like Barry's solution for it's simplicity but it would be nice to find an equally simple but actually secure option.

  • Ian 23 posts 113 karma points
    Dec 04, 2016 @ 13:48
    Ian
    1

    the returnPath didn't work and after logging into Umbraco we would stay there

    Yep we have that too. The (relatively) quick but dirty way around it that I came up with is to create a simple plugin with a single html that does a javascript redirect to the front web site.

    You can then use the dashboard.config to enable that plugin html just for the user types that you want to immediately redirect. Obviously this will stop them having backoffice access because as soon as the backoffice is displayed for them it redirects away.

    Hope it helps

  • Anders Brohäll 295 posts 561 karma points c-trib
    Aug 28, 2018 @ 14:28
Please Sign in or register to post replies

Write your reply to:

Draft