Require authentication regardless of permissions settings
What would you suggest being the best way to lock down an environment (e.g. preproduction in Content Cloud), regardless of permissions settings, through code?

The goal is to require authentication for all users, regardless of any permissions set for the Everyone role.

For IIS, we commonly did this through web.config

<system.web>
  <authorization>
    <!-- "?" is the ASP.NET wildcard for anonymous (unauthenticated) users -->
    <deny users="?"/>
  </authorization>
</system.web>

We'd like to do the equivalent through code in a server-agnostic way.

Logically I'd like to add an authentication requirement to all registered authorization policies.

I could obviously use some middleware and short-circuit with a 401 Unauthorized, but I want the authentication middleware to handle the request as if authentication is required and redirect the user to whatever authentication method is being used.

Simply changing the response status to 401 without short-circuiting does indeed affect the response header, but page content is still served - albeit with a 401 status code. 🙈

Mar 02, 2022 16:53

I think something like this should work.

Mar 03, 2022 3:22

That's one of the options I tried, but I was unable to get it to stick.

As he mentions in the post: "default to every single Controller and Razor Page ONLY WHEN no other attribute is specified"

I can get it to work for my own vanilla controllers for example, but it has no effect on CMS content.

Mar 03, 2022 7:10

What about something like this:

using Microsoft.AspNetCore.Authorization;

// Registered without a requirement type, so it runs on every policy evaluation
public class RequireAuthenticatedHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        if (!(context.User.Identity?.IsAuthenticated ?? false))
        {
            // An anonymous caller fails authorization, which the policy evaluator
            // turns into a Challenge (redirect to the configured login flow)
            context.Fail();
        }

        return Task.CompletedTask;
    }
}

And in startup:

// needs: using Microsoft.Extensions.DependencyInjection.Extensions;
services.TryAddEnumerable(ServiceDescriptor.Transient<IAuthorizationHandler, RequireAuthenticatedHandler>());

Mar 03, 2022 7:56
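The following is an added, self-contained ASP.NET Core example that is not code from this thread or from Optimizely; it shows the global IAuthorizationHandler approach from the reply above wired into a minimal app with cookie authentication, so an anonymous request to any page is redirected to the login flow rather than served with a bare 401. The handler name is taken from the reply; the cookie scheme, the "/login" path, the demo identity and the FallbackPolicy (the "only when no other attribute is specified" behaviour quoted earlier in the thread, kept here as a second layer) are assumptions for the example.

```csharp
// Added example: force authentication for every request via a global
// IAuthorizationHandler. Assumes cookie authentication and a "/login" endpoint.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection.Extensions;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Cookie scheme (assumed): unauthenticated challenges redirect to LoginPath.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options => options.LoginPath = "/login");

builder.Services.AddAuthorization(options =>
{
    // Second layer: endpoints with no [Authorize]/[AllowAnonymous] metadata
    // get this policy. On its own it does not cover checks that bypass
    // endpoint metadata, which is why the handler below is also registered.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

// A handler registered this way is invoked by DefaultAuthorizationService on
// every AuthorizeAsync call, whatever policy or requirements are in play.
builder.Services.TryAddEnumerable(
    ServiceDescriptor.Transient<IAuthorizationHandler, RequireAuthenticatedHandler>());

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// The login endpoint must stay anonymous or nobody can ever sign in.
// AllowAnonymous makes the authorization middleware skip policy evaluation here.
app.MapGet("/login", async (HttpContext ctx) =>
{
    // Constructed demo identity; a real application validates credentials first.
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "demo") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    return Results.Redirect("/");
}).AllowAnonymous();

// Anonymous GET / -> 302 to /login?ReturnUrl=%2F ; after sign-in -> "Hello, demo"
app.MapGet("/", (ClaimsPrincipal user) => $"Hello, {user.Identity?.Name}");

app.Run();

public class RequireAuthenticatedHandler : IAuthorizationHandler
{
    public Task HandleAsync(AuthorizationHandlerContext context)
    {
        if (!(context.User.Identity?.IsAuthenticated ?? false))
        {
            // Fail() on an unauthenticated principal makes the policy evaluator
            // issue a Challenge (redirect to LoginPath), not a Forbid, which is
            // the behaviour the question asks for instead of a bare 401.
            context.Fail();
        }

        return Task.CompletedTask;
    }
}
```

The difference from the middleware approach described in the question is that nothing here sets a status code by hand: the handler only records a failed authorization, and the existing authentication middleware decides how to challenge, so whatever scheme is configured (cookies, OpenID Connect, etc.) drives the redirect. Anything that must remain reachable anonymously, such as the login page or health endpoints, needs explicit [AllowAnonymous]; everything else is denied by default.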

Ah, good idea, Mattias! That did the trick! 👍 Thanks!

Mar 03, 2022 8:50