I've tried implementing your ADRoleProvider and I seem to be stuck at the very last part. What I've done up till now: added login page with the autologin usercontrol, set integrated security on IIS, added ADRoleProvider.
So to test, I created a new page and tried setting the Public Access restricted by role. The allowed role shows up fine and I'm able to set up the Public Access. When I now try browsing to the secured page, umbraco sends me to the login page. The AutoLogin usercontrol does its work, a new member is created when needed, forms authentication is set and redirect is called.
This is where it gets funky, the page keeps redirecting to itself and umbraco keeps forwarding the request to the login-page. So I get caught up in an endless loop...
I've tried debugging the ADRoleProvider and from what I'm seeing only the Initialize method is getting hit, the methods used for checking Role membership are not.
Anyone have any idea what I'm missing/doing wrong?
Hey MrBAMF, I solved my problem and I'm guessing it will solve yours too:
When a page gets loaded by umbraco, it checks the user's access to the page and logged-in status. To verify that status and redirect if the user is not logged in: there is this if-statement in the umbraco.requestHandler code:
    if (System.Web.Security.Membership.GetUser() == null || !library.IsLoggedOn()) {
        HttpContext.Current.Trace.Write("umbracoRequestHandler", "Not logged in - redirecting to login page...");
        currentPage = umbracoContent.GetElementById(Access.GetLoginPage(currentPage.Attributes.GetNamedItem("path").Value).ToString());
    }
library.IsLoggedOn() returns true, no problem there. Membership.GetUser() however keeps returning null and so each time we get redirected to the login-page.
The reason for this is the fact that the GetUser() method tries to look up a user from your membership datastore using the current HttpContext Identity username. Now if you are using windows authentication and are using a domain, this username will look like this: domain\\username
The problem is, in the autologon usercontrol, we are stripping the domain and slashes from the username and using that to create our new membership user. That's why Membership will not find a user and hence return null.
In order to fix this, I commented out the following piece of code inside the autologon usercontrol:
    // strip the \ from the username if present
    if (username.IndexOf('\\') > 0)
    {
        username = username.Substring(username.IndexOf('\\') + 1);
    }
From then on, the member gets created using the full windows username (domain\\username) and the Membership.GetUser() method will return the correct user.
Hope this was clear enough for you, let me know if you have any other questions!
Bob, if you can run this locally, within the domain you're using, try attaching the VS debugger...
I'd first breakpoint in the WindowsLogin control; if you're being thrown back to the login/error page, that control is failing to create the Umbraco member. It sounds like that's happening OK if you're getting members being created.
So, the request is getting authenticated OK, then it's back to ADRoleProvider.GetRolesForUser(username) to get the groups from AD and return them to Umbraco to check with the allowed groups. I'd suspect an LDAP permissions failure in UserPrincipal.FindByIdentity() - it's in a try/catch block that ignores any error, so you'll never see it...
Phil, I have it all working... well, sort of... The only thing that is not working is that if I protect a node and grant access for a group other than the main group that is working, it fails, even though I know I am a member of that group. Does that make sense?
Hmm, weird... I'd still be tempted to try debugging GetRolesForUser, and check the actual groupnames that you're getting back from LDAP. Umbraco will show the configured group names (as roles) regardless of whether those groups actually exist, so it's possible there's a mismatch between the group names you're expecting and the ones you're actually getting.
    if (System.Web.Security.Membership.GetUser() == null || !library.IsLoggedOn()) {
        HttpContext.Current.Trace.Write("umbracoRequestHandler", "Not logged in - redirecting to login page...");
        currentPage = umbracoContent.GetElementById(Access.GetLoginPage(currentPage.Attributes.GetNamedItem("path").Value).ToString());
    }
I am using 7.2.6
How can I override this check because Membership.GetUser() I do not want to get the value from the current username stored in cookie since I will have the ID number of the user.
I would suggest you start a new thread regarding this, the reason being the age of this one. There have been quite big version jumps in Umbraco, with masses of the code base changing with each release.
This might be the reason you cannot find that code in your source, because it is no longer there.
Problem setting Public Access / Checking roles
Hi Kevin,
I've tried implementing your ADRoleProvider and I seem to be stuck at the very last part.
What I've done up till now: added login page with the autologin usercontrol, set integrated security on IIS, added ADRoleProvider.
So to test, I created a new page and tried setting the Public Access restricted by role.
The allowed role shows up fine and I'm able to set up the Public Access.
When I now try browsing to the secured page, umbraco sends me to the login page.
The AutoLogin usercontrol does its work, a new member is created when needed, forms authentication is set and redirect is called.
This is where it gets funky, the page keeps redirecting to itself and umbraco keeps forwarding the request to the login-page. So I get caught up in an endless loop...
I've tried debugging the ADRoleProvider and from what I'm seeing only the Initialize method is getting hit, the methods used for checking Role membership are not.
Anyone have any idea what I'm missing/doing wrong?
I have the same issue as you.
FF reports "The page isn't redirecting properly"
Hey MrBAMF, I solved my problem and I'm guessing it will solve yours too:
When a page gets loaded by umbraco, it checks the user's access to the page and logged-in status.
To verify that status and redirect if the user is not logged in: there is this if-statement in the umbraco.requestHandler code:
library.IsLoggedOn() returns true, no problem there. Membership.GetUser() however keeps returning null and so each time we get redirected to the login-page.
The reason for this is the fact that the GetUser() method tries to look up a user from your membership datastore using the current HttpContext Identity username.
Now if you are using windows authentication and are using a domain, this username will look like this: domain\\username
The problem is, in the autologon usercontrol, we are stripping the domain and slashes from the username and using that to create our new membership user.
That's why Membership will not find a user and hence return null.
In order to fix this, I commented out the following piece of code inside the autologon usercontrol:
From then on, the member gets created using the full windows username (domain\\username) and the Membership.GetUser() method will return the correct user.
Hope this was clear enough for you, let me know if you have any other questions!
WHEN I TYPE MY URL IN BROWSER INSTEAD OF HOME PAGE A WINDOW SAYING AUTHENTICATION REQUIRED IS LOADING. ANYONE PLS HELP
Thanks Bart, just had the exact same problem
phil
I see what this fix is doing... but my autologin is still not working... What could I be missing?
My umbraco member gets created... but I cannot successfully view my protected page?
Plus it would be great not to have all my members in one folder, but I guess they will never really be viewed ;)
Bob, if you can run this locally, within the domain you're using, try attaching the VS debugger...
I'd first breakpoint in the WindowsLogin control; if you're being thrown back to the login/error page, that control is failing to create the Umbraco member. It sounds like that's happening OK if you're getting members being created.
So, the request is getting authenticated OK, then it's back to ADRoleProvider.GetRolesForUser(username) to get the groups from AD and return them to Umbraco to check with the allowed groups. I'd suspect an LDAP permissions failure in UserPrincipal.FindByIdentity() - it's in a try/catch block that ignores any error, so you'll never see it...
Phil
Phil, I have it all working... well, sort of... The only thing that is not working is that if I protect a node and grant access for a group other than the main group that is working, it fails, even though I know I am a member of that group. Does that make sense?
Hmm, weird... I'd still be tempted to try debugging GetRolesForUser, and check the actual groupnames that you're getting back from LDAP. Umbraco will show the configured group names (as roles) regardless of whether those groups actually exist, so it's possible there's a mismatch between the group names you're expecting and the ones you're actually getting.
Phil
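An added example (not part of the thread and not ADRoleProvider's own code) of the check suggested above: a role lookup that logs the failure instead of swallowing it, and writes out the exact group names AD returns so they can be compared with the roles configured under Public Access. The class name AdRoleDiagnostics is hypothetical; it assumes the application pool identity may query the machine's own domain.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.DirectoryServices.AccountManagement;

// Hypothetical diagnostic helper; call it from a role provider's GetRolesForUser.
public static class AdRoleDiagnostics
{
    public static string[] GetRolesForUser(string username)
    {
        var roles = new List<string>();
        try
        {
            // Binds to the current domain with the credentials of the app pool identity.
            using (var context = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(context, username))
            {
                if (user == null)
                {
                    // Typical cause: the name passed in (with or without the
                    // domain prefix) is not the form the directory expects.
                    Trace.TraceWarning("AD lookup: no user found for '{0}'", username);
                    return roles.ToArray();
                }

                // Security groups, including nested membership.
                foreach (Principal group in user.GetAuthorizationGroups())
                {
                    string name = group.SamAccountName ?? group.Name;
                    if (string.IsNullOrEmpty(name)) continue;
                    roles.Add(name);
                    Trace.TraceInformation("AD lookup: '{0}' is in group '{1}'", username, name);
                }
            }
        }
        catch (Exception ex)
        {
            // Fail closed: return what was collected so far (usually nothing),
            // so access is denied, but leave evidence in the trace log
            // instead of hiding an LDAP permission or connectivity error.
            Trace.TraceError("AD lookup failed for '{0}': {1}", username, ex);
        }
        return roles.ToArray();
    }
}
```

An empty result with a TraceError entry points to the LDAP permissions problem; a populated result whose names differ from the configured roles points to the group-name mismatch.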
Hi Guys,
I am using the FormsAuthentication in order to Login users and I am setting the member ID in the cookie, as follows:
The reason that I am not storing the email is that the user can change the email address.
Now when I tried the Umbraco Public Access Restriction, by roles, it always redirects me to the login page.
Does anyone have an idea how I can override this, since Umbraco is trying to get the User by Membership, I think, and it is returning null.
Thank you for your help.
Kind Regards.
I cannot find this code in umbraco source code:
I am using 7.2.6
How can I override this check because Membership.GetUser() I do not want to get the value from the current username stored in cookie since I will have the ID number of the user.
Thank you.
Hi Simon,
I would suggest you start a new thread regarding this, the reason being the age of this one. There have been quite big version jumps in Umbraco, with masses of the code base changing with each release.
This might be the reason you cannot find that code in your source, because it is no longer there.