Admin Login Page with SSL - General Discussions - General Discussions - Progress Community

Admin Login Page with SSL

  • Hi,

        How can I configure the admin login page so that it must use SSL?

    Thanks,
  • Hello Chen Chuan,

    That's a tough one: the default Login page is an embedded resource and is passed through a route handler before being rendered. The easiest approach would be to create a custom login page from Administration->BackendPages under the Sitefinity node, and mark its Require SSL property. You can then provide the certificate in IIS. There is a role for non-authenticated users - "Anonymous". Denying this role View permissions would raise error code "403 Forbidden", which you can handle in the customErrors element in your web.config to automatically redirect you to the login screen when a user who lacks the proper permissions is trying to access a certain page. Please refer to the sample below:

    <customErrors mode="On">
      <error statusCode="403" redirect="~/Sitefinity/Login"/>
    </customErrors>

    Alternatively, it's possible to configure this in an application-wide settings class, i.e. Global.asax, where you could say:

    protected void Application_Error(object sender, EventArgs e)
    {
        var currentPage = HttpContext.Current.Request.Url.ToString(); //.Split('/').Last();
        Exception ex = Server.GetLastError();
        if (ex is HttpException)
        {
            HttpException httpEx = ex as HttpException;
            if (httpEx.Message == "You are not authorized to access this page")
            {
                // Clear the error first: Response.Redirect ends the response,
                // so a call placed after it would not run.
                Server.ClearError();
                // URL-encode the return URL so its own query string survives as one parameter.
                Response.Redirect("~/Test?returnurl=" + Server.UrlEncode(currentPage));
            }
        }
    }

    I hope this suits your needs for the functionality you want to implement.



    Regards,
    Boyan Barnev
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  • Hi Boyan,

        First, I don't understand why all other admin pages are able to activate the "Required SSL" property and the most basic page for admin (Login Page) is not able to be configured? Is the admin login page not important, or do the login and password not require protection?

        Second, although I created a custom Login Page, the page is still protected by Sitefinity Admin. If I input the URL /Sitefinity/customlogin, the page will be redirected to "Sitefinity/Login?ReturnUrl=/Sitefinity/customlogin".

        Last, if this custom page really works, how can I override the default login page?

    Thanks,
  • Hello Chen Chuan,

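    In that case, why don't you try implementing an HttpModule and inside execute the following logic:

    // Redirect only plain-HTTP requests; an HTTPS request would be mangled by Remove(0, 7) and redirected again.
    if (!httpContext.Request.IsSecureConnection && httpContext.Request.Url.AbsolutePath.EndsWith("Login"))
    {
        // Remove(0, 7) strips the leading "http://"; endResponse: true already ends the response.
        httpContext.Response.RedirectPermanent(httpContext.Request.Url.AbsoluteUri.Remove(0, 7).Insert(0, "https://"), true);
    }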



    Kind regards,
    Boyan Barnev
    the Telerik team
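
The HttpModule suggested in the reply above, written out in full as an added example (not code from this thread, Telerik or Sitefinity). The class name `LoginSslRedirectModule` is hypothetical; it assumes the login route is `~/Sitefinity/Login` as in the customErrors sample earlier in the thread, that HTTPS listens on the default port, and that TLS terminates at IIS.

```csharp
using System;
using System.Web;

// Added example; LoginSslRedirectModule is a hypothetical name, not a Sitefinity class.
// Register it in web.config (IIS integrated pipeline; use the assembly-qualified
// type name if the class is not in App_Code):
//   <system.webServer><modules>
//     <add name="LoginSslRedirectModule" type="LoginSslRedirectModule" />
//   </modules></system.webServer>
public class LoginSslRedirectModule : IHttpModule
{
    // Assumption: the backend login route, as used in this thread's customErrors sample.
    private const string LoginPath = "~/Sitefinity/Login";

    public void Init(HttpApplication application)
    {
        application.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpRequest request = context.Request;

        // Already on HTTPS: nothing to do. Without this check the module would redirect forever.
        // Assumption: TLS terminates at IIS. Behind an offloading proxy IsSecureConnection
        // stays false, and the proxy's forwarded-protocol header has to be checked instead.
        if (request.IsSecureConnection) return;

        // App-relative path ("~/...") so the match also works when the site runs in a virtual directory.
        string path = request.AppRelativeCurrentExecutionFilePath.TrimEnd('/');
        if (!string.Equals(path, LoginPath, StringComparison.OrdinalIgnoreCase)) return;

        // Rebuild the URL instead of slicing the string: keeps host, path and query (ReturnUrl),
        // switches the scheme, and resets the port to the HTTPS default (Port = -1).
        var target = new UriBuilder(request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };

        // endResponse: true stops processing, so the login page is never rendered over HTTP.
        context.Response.RedirectPermanent(target.Uri.AbsoluteUri, true);
    }

    public void Dispose() { }
}
```

The redirect only moves browsers that request the HTTP URL; credentials posted over HTTP before the redirect have already crossed the network in clear text, so login links and form actions should point at the https URL directly.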
  • Hi Boyan,

        Thanks for your reply. How can I implement it? Change it in Global.asax, or create a new class and change the web.config? Please let me know if there is any sample.

    Thanks,
  • Hello Chen Chuan,

    Actually both implementations are possible; you can find a sample on this forum thread. What you can do as a quicker workaround would be to set SSL in IIS for all pages under the /Sitefinity node. Please let me know if this solution will be more suitable for your use case scenario.

    Greetings,
    Boyan Barnev
    the Telerik team
  • Hi Boyan,

        Thanks for your quick reply. Actually I have tried to set the SSL in IIS for all pages under /Sitefinity before. But the problem is that all my theme images and CSS will also be SSL protected for all public pages. As we need to care about performance, we try not to use this workaround.

        The thread you provided may be useful (I haven't tried it), but to me it is a bit complicated, as what I want is just to auto-redirect the Login to https. I am trying to find a way to replace the login URL in the route table. Isn't it possible?

    Thanks,
  • Hello Chen Chuan,

    I understand your concern. Unfortunately, overriding the default handler that constructs the login page would not be possible for now, as it's being registered in second place in the list of handlers, so adding it later would not suit the necessary functionality. You'll basically need to create your custom route handler by inheriting from LoginRouteHandler.cs, then in Global.asax subscribe to Bootstrapper.Initialized and in there unload all default handlers (routes.Clear();), and then load them again, with your custom login handler being loaded instead of the default login handler.
    Thank you very much for the constructive feedback and pointing out the need for easier overriding of the default handlers, I've logged your suggestion as a feature request, and we'll see if we can include it in the implementation plans for the upcoming releases.

    All the best,
    Boyan Barnev
    the Telerik team
  • Hi Boyan,

    I am looking to set HTTPS on the login page too. I already made my own route handler and registered it in "Global.asax".
    I successfully redirected to a custom aspx in my solution, but I want another thing. I want to redirect it to a page in Sitefinity. I tried to replace the virtual path of my aspx with the SFPageService virtual path, without success. It seems inheriting from LoginRouteHandler doesn't permit using SFPageService.

    Regards,
    Nicolas
  • Hello Nicolas,

    Actually, why not use the approach described in this KB article which we've released recently on the topic - once you've set your pages to require SSL under IIS and provided the appropriate certificate, you'll need to just loop through your Sitefinity pages, using our Pages API, and set their RequireSSL property to true. Since the Login page is constructed under the /Sitefinity node it will automatically require SSL as well. Please find below a code sample I've prepared for you which should accomplish this task:

    App.WorkWith().Pages()
        .Where(p => p.Page != null)
        .ForEach(p =>
        {
            // Mark every page as requiring SSL, as described above.
            p.Page.RequireSsl = true;
        }).SaveChanges();


    Best wishes,
    Boyan Barnev
    the Telerik team
  • Hi Boyan,
    The KB article is interesting. But it forgot a little thing: with a configuration like this you have to go to Administration > Settings > Advanced > System > ServicesPaths
    and set your "http://mysite", otherwise you break the publishing workflow.

    Another thing, which is more like a bug: when you make your backend RequireSSL, editing pages that are not in SSL doesn't work on my site,
    because when you try to edit a page the URL is not under ~/Sitefinity.

    Regards,
    Nicolas
  • Any update on this thread? Does 5.0x have built-in SSL security for administrative pages?

    We would like to block access to the Sitefinity back end administrative from outside our network to protect our website (only allow local and VPN access). However, since the Administrative backend and many of the resources both use the /Sitefinity path, this may not be realistic or possible.

    So at a minimum, we would like to require SSL for access to edit our pages.
  • Does anyone know if this KB article for Sitefinity 4.2 still applies to 5.x to require SSL for Sitefinity back end pages?
    http://www.sitefinity.com/devnet/kb/sitefinity-4-x/securing-a-sitefinity-backend-with-ssl.aspx 

    It seems like requiring SSL for back end access would be a simple check box somewhere. Instead it is giving me grief. I'm not even certain if I can force SSL on the "Sitefinity" folder as it includes a lot of the web services used for the site.

    ...argh. Any advice? Is everyone just using it without SSL?
  • Hello,

    I'd like to echo Dan's question from April-- does that KB article still apply for version 5.x? Are there any drawbacks to requiring SSL for all backend pages?

    Thanks,
    Kevin