0

I have a multi-language .Net 4 webforms site (www.example.com/en/, www.example.com/fr/ etc.) and each language has a member area, e.g. www.example.com/en/members/ and www.example.com/fr/members/

A CMS (Umbraco) has control over language branches and content, and therefore has control over adding or removing them. This means that I cannot use the <location> sections in the root web.config to deny anonymous access to each members branch as they may be published after the application has started.

Is there any way to add a ConfigurationLocation section to the Locations property of a System.Configuration.Configuration instance after an application has started, without restarting the application? Alternatively, is there a more flexible way to control path access at runtime?

Digbyswift
  • 10,310
  • 4
  • 38
  • 66

2 Answers2

1

Alternatively, is there a more flexible way to control path access at runtime?

You can extend all secure pages from a BasePage that has something like this inside the Page_Load event

if(!HttpContext.Current.User.Identity.IsAuthenticated)
   Response.Redirect("Login.aspx");

Update

If you don't know which pages are going to be secured, change my code above to read the pages that need to be secured from a database table and compare the current page name with the ones contained in the list from the table. You can catch the list and automatically expire the cache every 20 min, for example. At least you'd be able to flag a page as Secure w/o restarting the app while maintaining some flexibility as far as not needing to know in advance which ones should be secure.

Icarus
  • 63,293
  • 14
  • 100
  • 115
  • Sure, but if you don't know in advance what are the secure pages, what then? – Digbyswift Jan 24 '12 at 17:16
  • @Digbyswift if you don't know in advance how were you planning to implement this programmatically in the first place? – Icarus Jan 24 '12 at 17:19
  • Please read the question. I wanted to be able to add location elements to the web.config after the application started but without restarting the app. But I'm sure this is not possible so I'd like an alternative. – Digbyswift Jan 24 '12 at 17:24
  • @Digbyswift when I read your question, I understood that you wanted to add the Location element to the `System.Configuration.Configuration instance`, not to the web.config. Now that it is clear that you are referring to the Web.config, the answer is that yes, you can, see here: http://stackoverflow.com/questions/613824/how-to-prevent-an-asp-net-application-restarting-when-the-web-config-is-modified/629876#629876) but it is not recommended. – Icarus Jan 24 '12 at 17:31
  • The Configuration instance is generated from the settings in the web.config. I need to be able to either modify this at runtime or find an alternative. Stopping file monitoring is not really a valid option, especially since there is no obvious means of turning it back on! – Digbyswift Jan 24 '12 at 17:43
  • 1
    @Digbyswift there is no other way AFAIK and I'm pretty sure it can't be done without another horrible hack like the one I linked. Sorry. – Icarus Jan 24 '12 at 17:46
  • Thanks for you time & help, it's appreciated. – Digbyswift Jan 24 '12 at 17:49
0

The solution I used was to create a HttpModule. But with a HttpModule in umbraco, you can not easily retrieve the currentNodeId as this is added as part of a different process.

The module carried out the following checks on the PostAuthenticateRequest event:

  1. Is the requested path a reserved path in umbraco?
  2. Is the user authenticated already?

If these two both returned false

  1. Using the request domain, I retrieved the root node id by finding the node with the matching asscociated domain;
  2. I then created a xpath query using the parts of the requested path but that existed underneath the node with the id retrieved above. This query gave me the current node;
  3. I then checked whether the current node existed as a descendant of a node flagged as requiring authentication.
Digbyswift
  • 10,310
  • 4
  • 38
  • 66