Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at

  • Eric Schrepel 153 posts 206 karma points
    Sep 09, 2019 @ 23:17
    Eric Schrepel

    How can I add [Authorize] to all front-end pages [via controller maybe]

    Odd question, but I'm trying to secure an Umbraco 8.1.4 intranet by using Okta to auto-login staff with their Windows credentials (using essentially these steps).

    I've modified a MyOwinStartup.cs to include the Okta code, plus added the line "GlobalFilters.Filters.Add(new AuthorizeAttribute())", which forces all controllers to require authorization. This approach works fine for the front end, but BackOffice users find that after login they can't do anything else (404 errors etc).

    Short of implementing the full UmbracoIdentity approach (trying to avoid the whole Members approach, don't really need that level of login control), is there a way to maybe include a surface controller on every page to which we could prepend the [Authorize] keyword? I'd then remove the GlobalFilters code from MyOwinStartup.

    Or if there's a better (but still sorta easy) approach, would love to hear what others recommend.

  • Marc Goodson 1179 posts 7894 karma points MVP 5x c-trib
    Sep 10, 2019 @ 08:56
    Marc Goodson

    Hi Eric

    I'm not sure if this is what you need for what you are trying to achieve but you can replace the default RenderMvcController that Umbraco uses with your own implementation... Eg create a new controller; inherit RenderMvcController and set it as the default during composing...

    See here for how:

  • Eric Schrepel 153 posts 206 karma points
    Sep 12, 2019 @ 21:28
    Eric Schrepel

    Still feel like I'm so close yet so far. Okta works for auto-logging in people to front-end pages (not as Members, strictly as Windows-authenticated users), but the BackOffice throws a bunch of errors after login: enter image description here

    Per Marc's suggestion, I replaced the default RenderMvcController to include the [Authorize] parameter, see code below from my App_Start/SetDefaultMvcControllerComposer.cs. This does seem to correctly trigger Okta to log users in when they first hit any front-end page. enter image description here

    Web.config has these lines which pertain to Okta login:

    <add key="owin:appStartup" value="MyOwinStartup" />
    <add key="ActiveDirectoryDomain" value="{ourdomain}.org" />
    <add key="okta:OktaDomain" value="https://{ouroktadomain}.com" />
    <add key="okta:ClientId" value="__" />
    <add key="okta:ClientSecret" value="__" />
    <add key="okta:RedirectUri" value="https://{ourdomain}/authorization-code/callback" />
    <!-- <membership><providers> section:  -->
    <add name="UmbracoMembershipProvider" type="Umbraco.Web.Security.Providers.MembersMembershipProvider, Umbraco.Web" minRequiredNonalphanumericCharacters="0" minRequiredPasswordLength="10" useLegacyEncoding="false" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" defaultMemberTypeAlias="Member" passwordFormat="Hashed" allowManuallyChangingPassword="false" />
    <!-- <system.web> section: -->
    <authentication mode="None" />
    <!-- <modules> section: -->
    <remove name="FormsAuthentication" />

    And lastly, App_Start/MyOwinStartup.cs which has both recently-added Okta code, and some earlier code for logging in Backoffice users: enter image description here

    If it's actually better/easier to incorporate Okta login into the UmbracoIdentity code example, we're happy to go that route also, it just seemed like more than we needed since we're not really using the Members section of Umbraco in this intranet, and only are needing Windows Authentication (and can't just set the overall app in IIS to use Windows Authentication because of some mobile and other out-of-office users).

Please Sign in or register to post replies

Write your reply to: