惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
腾讯CDC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
L
LINUX DO - 热门话题
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Project Zero
Project Zero
V
Vulnerabilities – Threatpost
Cisco Talos Blog
Cisco Talos Blog
P
Palo Alto Networks Blog
C
Cisco Blogs
A
Arctic Wolf
月光博客
月光博客
The GitHub Blog
The GitHub Blog
T
The Blog of Author Tim Ferriss
量子位
小众软件
小众软件
Latest news
Latest news
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Microsoft Security Blog
Microsoft Security Blog
T
The Exploit Database - CXSecurity.com
Security Latest
Security Latest
N
Netflix TechBlog - Medium
K
Kaspersky official blog
人人都是产品经理
人人都是产品经理
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
博客园_首页
Y
Y Combinator Blog
P
Proofpoint News Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More
M
MIT News - Artificial intelligence
T
Threat Research - Cisco Blogs
S
Schneier on Security
D
Docker
Scott Helme
Scott Helme
MyScale Blog
MyScale Blog
Spread Privacy
Spread Privacy
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
GbyAI
GbyAI
有赞技术团队
有赞技术团队
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
H
Help Net Security
Simon Willison's Weblog
Simon Willison's Weblog
J
Java Code Geeks
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tenable Blog
B
Blog
Know Your Adversary
Know Your Adversary
IT之家
IT之家

博客园 - KXLF

SharePoint 事件 2137 / 2138 :SharePoint 运行状况分析器检测到错误。驱动器的可用空间不足。 SharePoint 事件 7363:对象缓存:缓存使用的超级读者帐户没有足够的权限访问SharePoint数据库。 [转] geochart 地图控件官方示例 Outlook 2007 同步到本地的SharePoint文档库,点击不同文件夹时,总是弹出登陆框 [转]Publishing files stored in the file system through external list(使用bcs映射文件系统) SPContext.Current.Web.CurrentUser 为 null [转]Use PowerShell to Manage Lists, Views, and Items in SharePoint(使用PowerShell管理列表、视图、列表项) 连接TFS服务器记住密码。 [转]How to Handle Long PowerShell Statements(在PowerShell中使用多行模式) [转]How to use String.Format in PowerShell?(如何在PowerShell中使用string.format?) 推荐一个电子书网站,里面关于SharePoint的英文书籍有很多。 SharePoint 2010 术语表 [转]SharePoint 2010: Client Object Model for JavaScript (ECMAScript)(使用客户端对象模型) [转]Importing documents to Document Libraries with Mavention Import Document Library Contents(使用VS插件导出文档库内容定义) [转]Import List Instances and their data with Mavention Import List Instance(使用VS插件导出列表数据定义) [转]how to programatically access built-in properties of open xml word doc(如何读取open xml格式文档属性) [转]Content targeting for anonymous users with SharePoint Server 2010(给匿名用户配置外部配置文件) [转]Allowing anonymous users access to SharePoint user's profile pictures(允许匿名用户访问用户配置文件中的头像图片) [转][MS-MAVA]: Microsoft Office SharePoint Server (MOSS) Analytics View Access Protocol Specification
[转]Login over HTTPS from HTTP pages(使用https登陆)
KXLF · 2011-12-12 · via 博客园 - KXLF

Specifically we’ll have a look at how we can replace the SharePoint Welcome control with a custom control that meets the following requirements:

  • Displays username and password fields in anonymous mode.
  • Allow us to login securely (via HTTPS) from a unsecured page (e.g. the homepage).
  • Display logged in username and ‘my account’ type navigation links in logged in mode.

The screen shot below shows what this will look like to anonymous users (note login form top right):

sharepoint site with login control on masterpage

Step 1 – Create a custom login control

The first step to enable this scenario is to create a custom user control that shows us a login form to anonymous users, and a welcome message to authenticated users. We can do this really easily adding ASP.NET login controls to our master page as shown below:

<asp:LoginView ID="LoginView1" runat="server">
    <AnonymousTemplate>
        <asp:Login ID="Login1" runat="server">
        </asp:Login>
    </AnonymousTemplate>
    <LoggedInTemplate>
        Welcome <asp:LoginName ID="LoginName1" runat="server" /> |
        <a href="/my-account/">My Account</a> |
        <asp:LoginStatus ID="LoginStatus1" runat="server" />
    </LoggedInTemplate>
</asp:LoginView>

The result for anonymous users using the default login template is shown below:

sharepoint site with asp.net login control on masterpage

Step 2 – Customise the login control layout

We can then customise the layout by creating our own LayoutTemplate for the login control. A simple example is shown below:

<asp:Login ID="Login1" runat="server">
    <LayoutTemplate>
        <asp:TextBox ID="UserName" Text="username"
        runat="server"></asp:TextBox>
        <asp:RequiredFieldValidator ID="UserNameRequired" runat="server"
            ControlToValidate="UserName" ErrorMessage="User Name is required."
            ToolTip="User Name is required."
            ValidationGroup="ctl00$ctl00$Login1">*</asp:RequiredFieldValidator>
        <asp:TextBox ID="Password" Text="password" TextMode="Password"
            runat="server"></asp:TextBox>
        <asp:RequiredFieldValidator ID="PasswordRequired" runat="server"
            ControlToValidate="Password" ErrorMessage="Password is required."
            ToolTip="Password is required."
            ValidationGroup="ctl00$ctl00$Login1">*</asp:RequiredFieldValidator>
        <asp:Literal ID="FailureText" runat="server"
            EnableViewState="False"></asp:Literal>
        <asp:Button ID="LoginButton" runat="server" CommandName="Login" Text="Log 
            In" ValidationGroup="ctl00$ctl00$Login1" />
    </LayoutTemplate>
</asp:Login>

sharepoint site with login control on masterpage

At this point if we try and log on the browser is going to post the username and password back to the server using HTTP (i.e. back to the page we originally requested). We can verify this using a HTTP monitoring tool such as Fiddler as shown below:

fiddler-http-post

This shows us that the request is over HTTP and is a POST request so is sending data. We can see theusername and password and since this is not over SSL it is sent in clear text. We also see that theauthentication cookie is sent back also over HTTP (i.e. the Set-Cookie statement).

Step 3 – Configure the login control to send data securely

If we don’t want to place the homepage under HTTPS we need to configure the sending (i.e. the HTTP POST) to use SSL. The easiest way to do this is in ASP.NET is to set the PostBackUrl of the Login form to be an absolute URL to the secure version of the current page.

To do this in the code behind file for our login control we can add the following:

protected void Page_Load(object sender, EventArgs e)
{
    // ensure we send credentials over a secure connection
    if(!HttpContext.Current.Request.IsSecureConnection)
    {
        string postbackUrl = HttpContext.Current.Request.Url.AbsoluteUri.Replace("http", "https");
        Button loginBtn = (Button)Login1.FindControl("LoginButton");
        loginBtn.PostBackUrl = postbackUrl;
    }
}

This code checks whether we are already on an HTTPS page and if so no action is required. If we are not on an SSL page the code finds the LoginButton and sets the PostBackUrl property to the HTTPS version of the current page.

Step 4 – Update redirect rules

Additionally we need to allow our SSL redirection module to allow POST requests over HTTPS to all pages on the site. If  you followed the example in the previous post to configure this using the IIS Url Rewrite module you will need to edit the HTTPS to HTTP rule by adding the following condition:

  • Condition input: {REQUEST_METHOD}
  • Check if input string: Matches the pattern
  • Pattern: GET

iis-url-rewrite-condition-request-method

This updates the rule that redirects HTTPS requests to HTTP so that it only applies to GET requests (i.e. POST requests will be allowed via HTTPS). Now when we click the ‘Log In’ button shown below from an HTTP page our details are sent via SSL.

https login from http page in sharepoint

Step 5 – Verify the login credentials are sent via HTTPS

We can verify this by using a tool such as Fiddler to inspect the individual requests.

fiddler-sharepoint-http-login-https

The above diagram shows:

  • The HTTP GET request to the homepage (request number 1 top left)
  • The HTTPS POST request to the homepage (top left and right highlights)
    • Inside the HTTPS POST we can see our username and password. As this is part of an HTTPS request we know this information is encrypted.
  • The HTTPS response from the server (bottom right)
    • Inside the HTTPS response we see the Set-Cookie statement. Again as this is an HTTPS request we know this cookie is secure.

Another way to verify that the authentication was completed over a secure channel is to set the ‘requireSSL’ attribute of the ‘forms’ element in the web.config to true as shown below:

<authentication mode="Forms">
    <forms loginUrl="https://www.company.com/pages/login.aspx" requireSSL="true" />
</authentication>

This specifies that the authentication cookie should only be sent via SSL. If we had tried to login from an unsecured (HTTP) page, this would have given us the following error as it would have been trying to create the authentication cookie over an unsecure channel:

“The application is configured to issue secure cookies. These cookies require the browser to issue the request over SSL (https protocol). However, the current request is not over SSL.”

Since we have configured the authentication request to be over SSL, however, this will not occur and we can be sure our login credentials are secured. There are some other implications of requiring the authentication cookie to only be transferred via SSL we will cover in the following posts.

http://www.sharepointconfig.com/2010/04/partial-ssl-sharepoint-sites-login-over-http-from-http-pages/