Server error when accessing proteced files

Johan Petersson

Member since: 2007

Hi,

When running a website in integrated mode (runAllManagedModulesForAllRequests set to true) protected (e.g. removed the everyone role from one folder in the global files vpp) vpp files throws a System.UnauthorizedAccessException and the users are not redirected to the login page. Is this by design?

This error is also present in the Alloy Tech templates and website http://demo.episerver.com/.

When running the website in IIS6 the users are redirected to the login page, as expected.

Is there a workaround? I tried to listen to server errors in a module and then redirect to the login page, but without any luck. I've also removed runAllManagedModulesForAllRequests and manually added the FormsAuthenticationModule, both with and without preCondition="managedHandler".

#65781 Feb 08, 2013 13:27

Paul West

Member since: 2008

This has worked for me, not sure why:
Try commenting out ScriptModule from the web config and instead adding it as described in the link below.
Though I have seen on another site another module prevented redirection to the login page - so try commenting out custom modules to see if you get the desired behaviour.

Config under module:
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" preCondition="managedHandler" />

Link:
http://epiwiki.se/developing/core-functionality/initialize-a-http-module-in-runtime

#65782 Feb 08, 2013 13:46

Johan Petersson

Member since: 2007

We don't have the ScriptModule registered in web.config. We have;

InitializationModule
ShellRoutingModule
FirstBeginRequestModule
Initializer
WorkflowRuntime
UrlRewriteModule

And three custom modules, which I have commented out for testing purpose.

We also have:

<add name="StaticFileHandler" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

And for each VPP:

<location path="files">
	<system.webServer>
		<handlers>
			<add name="webresources" path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" />
			<add name="wildcard" path="*" verb="*" type="EPiServer.Web.StaticFileHandler, EPiServer" />
		</handlers>
	</system.webServer>
	<staticFile expirationTime="-1.0:0:0"/>
</location>

#65783 Feb 08, 2013 13:55

Johan Petersson

Member since: 2007

This is what the error looks like http://demo.episerver.com/Global/StartPage/Alloy_launch_register_button.jpg. I've changed the access rights in the StartPage folder in the demo website.

#65784 Feb 08, 2013 14:00
Paul West

Member since: 2008

there are various modules installed on that demo site
one idea is that you use a default alloy site web config on your test/dev site
to see if it helps

#65785 Feb 08, 2013 14:09
Johan Petersson

Member since: 2007

As per my previous post, we don't have any custom modules or settings. We have used the config files from Deployment Center (not the example websites).

But I've also tested with the config files from Alloy Tech.

#65786 Feb 08, 2013 14:29
Paul West

Member since: 2008

Do you get the desired behaviour in your local Alloy demo?

- You are welcome to open a support ticket for this

#65791 Feb 08, 2013 17:05
Johan Petersson

Member since: 2007

Only when I run the website in Cassini. Not in integrated mode.

I will open a ticket. Thanks!

#65792 Feb 08, 2013 17:06
Johan Petersson

Member since: 2007

I found a module that caught all errors which stopped the error to bubble up to the FormsAuthenticationModule. I excluded the UnauthorizedAccessException from the module, and now it works!

The module was registered in code, that's why I didn't see it first.

#65824 Feb 11, 2013 15:58

Please login to post a reply