[Repost] Login over HTTPS from HTTP pages (logging in over HTTPS)
KXLF · 2011-12-12 · via 博客园 - KXLF

Specifically we’ll have a look at how we can replace the SharePoint Welcome control with a custom control that meets the following requirements:

  • Displays username and password fields in anonymous mode.
  • Allows us to log in securely (via HTTPS) from an unsecured page (e.g. the homepage).
  • Displays the logged-in username and ‘my account’ type navigation links in logged-in mode.

The screen shot below shows what this will look like to anonymous users (note login form top right):

[Screenshot: SharePoint site with login control on master page]

Step 1 – Create a custom login control

The first step to enable this scenario is to create a custom user control that shows a login form to anonymous users and a welcome message to authenticated users. We can do this really easily by adding ASP.NET login controls to our master page as shown below:

<asp:LoginView ID="LoginView1" runat="server">
    <AnonymousTemplate>
        <asp:Login ID="Login1" runat="server">
        </asp:Login>
    </AnonymousTemplate>
    <LoggedInTemplate>
        Welcome <asp:LoginName ID="LoginName1" runat="server" /> |
        <a href="/my-account/">My Account</a> |
        <asp:LoginStatus ID="LoginStatus1" runat="server" />
    </LoggedInTemplate>
</asp:LoginView>

The result for anonymous users using the default login template is shown below:

[Screenshot: SharePoint site with ASP.NET login control on master page]

Step 2 – Customise the login control layout

We can then customise the layout by creating our own LayoutTemplate for the login control. A simple example is shown below:

<asp:Login ID="Login1" runat="server">
    <LayoutTemplate>
        <asp:TextBox ID="UserName" Text="username"
        runat="server"></asp:TextBox>
        <asp:RequiredFieldValidator ID="UserNameRequired" runat="server"
            ControlToValidate="UserName" ErrorMessage="User Name is required."
            ToolTip="User Name is required."
            ValidationGroup="ctl00$ctl00$Login1">*</asp:RequiredFieldValidator>
        <asp:TextBox ID="Password" Text="password" TextMode="Password"
            runat="server"></asp:TextBox>
        <asp:RequiredFieldValidator ID="PasswordRequired" runat="server"
            ControlToValidate="Password" ErrorMessage="Password is required."
            ToolTip="Password is required."
            ValidationGroup="ctl00$ctl00$Login1">*</asp:RequiredFieldValidator>
        <asp:Literal ID="FailureText" runat="server"
            EnableViewState="False"></asp:Literal>
        <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log In"
            ValidationGroup="ctl00$ctl00$Login1" />
    </LayoutTemplate>
</asp:Login>

[Screenshot: SharePoint site with customised login control on master page]

At this point, if we try to log on, the browser is going to post the username and password back to the server over HTTP (i.e. back to the page we originally requested). We can verify this using an HTTP monitoring tool such as Fiddler, as shown below:

[Screenshot: Fiddler showing the HTTP POST]

This shows us that the request is over HTTP and is a POST request, so it is sending data. We can see the username and password and, since this is not over SSL, they are sent in clear text. We also see that the authentication cookie is sent back over HTTP as well (i.e. the Set-Cookie header).

Step 3 – Configure the login control to send data securely

If we don’t want to place the homepage under HTTPS we need to configure the sending (i.e. the HTTP POST) to use SSL. The easiest way to do this in ASP.NET is to set the PostBackUrl of the Login form to an absolute URL for the secure version of the current page.

To do this in the code behind file for our login control we can add the following:

using System;
using System.Web;
using System.Web.UI.WebControls;

protected void Page_Load(object sender, EventArgs e)
{
    // Already on HTTPS: the form posts back to the same secure page, nothing to do.
    if (HttpContext.Current.Request.IsSecureConnection)
        return;
    // Switch only the scheme. A string Replace("http", "https") on the whole URL would
    // also rewrite any "http" inside the path or query string. Port -1 selects the
    // default HTTPS port (443) instead of keeping the HTTP listener's port.
    var secureUrl = new UriBuilder(HttpContext.Current.Request.Url) { Scheme = Uri.UriSchemeHttps, Port = -1 };

    // Point the login button's cross-page postback at the HTTPS URL so the
    // credentials are posted over SSL even though this page was served over HTTP.
    Button loginBtn = (Button)Login1.FindControl("LoginButton");
    if (loginBtn != null)
        loginBtn.PostBackUrl = secureUrl.Uri.AbsoluteUri;
}

This code checks whether we are already on an HTTPS page and if so no action is required. If we are not on an SSL page the code finds the LoginButton and sets the PostBackUrl property to the HTTPS version of the current page.

Step 4 – Update redirect rules

Additionally, we need to configure our SSL redirection module to allow POST requests over HTTPS to all pages on the site. If you followed the example in the previous post to configure this using the IIS URL Rewrite module, you will need to edit the HTTPS to HTTP rule by adding the following condition:

  • Condition input: {REQUEST_METHOD}
  • Check if input string: Matches the pattern
  • Pattern: GET

[Screenshot: IIS URL Rewrite condition on REQUEST_METHOD]

This updates the rule that redirects HTTPS requests to HTTP so that it only applies to GET requests (i.e. POST requests will be allowed via HTTPS). Now when we click the ‘Log In’ button shown below from an HTTP page our details are sent via SSL.

[Screenshot: HTTPS login from an HTTP page in SharePoint]
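The same Step 4 rule written out as a web.config fragment. This is an added example, not the author's configuration from the previous post: the rule name, the {HTTPS} condition and the exclusion of the login page path (taken from the forms loginUrl later in this post) are assumptions; the {REQUEST_METHOD} condition is the one described above.

```xml
<!-- web.config at the site root, inside <configuration> -->
<system.webServer>
  <rewrite>
    <rules>
      <!-- Send HTTPS requests back to HTTP, but only GET requests. The login
           form's POST to the HTTPS URL set in Page_Load is left untouched
           and completes over SSL. -->
      <rule name="HTTPS to HTTP" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll">
          <!-- Only act on requests that arrived over SSL. -->
          <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          <!-- The condition added in Step 4: the method must be exactly GET. -->
          <add input="{REQUEST_METHOD}" pattern="^GET$" />
          <!-- Assumption: keep the dedicated login page on HTTPS, otherwise the
               forms loginUrl and this rule would redirect each other in a loop. -->
          <add input="{REQUEST_URI}" pattern="^/pages/login\.aspx" negate="true" ignoreCase="true" />
        </conditions>
        <!-- 302 (Found) rather than 301: browsers cache permanent redirects,
             which makes later changes to this rule hard to roll back. -->
        <action type="Redirect" url="http://{HTTP_HOST}/{R:1}" redirectType="Found" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
```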

Step 5 – Verify the login credentials are sent via HTTPS

We can verify this by using a tool such as Fiddler to inspect the individual requests.

[Screenshot: Fiddler showing the SharePoint login posted over HTTPS]

The screenshot above shows:

  • The HTTP GET request to the homepage (request number 1, top left)
  • The HTTPS POST request to the homepage (top left and right highlights)
    • Inside the HTTPS POST we can see our username and password. As this is part of an HTTPS request we know this information was encrypted in transit.
  • The HTTPS response from the server (bottom right)
    • Inside the HTTPS response we see the Set-Cookie header. Again, as this is an HTTPS response we know the cookie was delivered over an encrypted channel.

Another way to verify that the authentication was completed over a secure channel is to set the ‘requireSSL’ attribute of the ‘forms’ element in the web.config to true as shown below:

<authentication mode="Forms">
    <forms loginUrl="https://www.company.com/pages/login.aspx" requireSSL="true" />
</authentication>

This specifies that the authentication cookie should only be sent via SSL. If we had tried to log in from an unsecured (HTTP) page, this would have given us the following error, as ASP.NET would have been trying to issue the authentication cookie over an insecure channel:

“The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.”

Since we have configured the authentication request to be over SSL, however, this error will not occur and we can be sure our login credentials are protected. There are some other implications of requiring the authentication cookie to be transferred only via SSL, which we will cover in the following posts.

http://www.sharepointconfig.com/2010/04/partial-ssl-sharepoint-sites-login-over-http-from-http-pages/