yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
15,699 Commits 4 Branches 7 Tags
22385d40dbbc9ee92dee3fa44203497ecad37130
Commit Graph

31 Commits

Author SHA1 Message Date
Shannon
22385d40db U4-4219 Can't Preview protected pages 2016-03-09 17:35:50 +01:00
Shannon
08e9579481 U4-7863 Remove Nuget requirement: Microsoft.Net.Http - this is not used, nor is it required (it also installs a bunch of other packages we don't need) 2016-02-03 10:14:53 +01:00
Shannon
8598ab565c Fixes: U4-7536 Sign-out in back office will call all ASP.Net identity middleware sign out methods 
publicises a few things too.
 2015-12-15 10:34:11 +01:00
Shannon
555b520a0c Cleans up the usages of auth cookies. OWIN is in charge of auth cookies but because we have Webforms, WebApi, MVC and OWIN, they all like to deal with cookies differently. OWIN should still be solely in charge of the auth cookies, so the auth extensions are cleaned up, the renewal now works by queuing the renewal and we have custom middleware detect if a force renewal has been queued and we renew the auth cookie there. Have obsoleted a few methods that should not be used that write auth tickets directly (this is purely for backwards compat with webforms). All of these changes now ensure that the auth cookie is renewed consistently between Webforms, WebApi, MVC and OWIN. Some changes also include ensuring that OWIN is used to sign out. 2015-11-19 18:12:21 +01:00
Shannon
442160bb7a fixes identity conversion when it's just a generic identity and not auth'd, we can never convert to back office identity if it's not auth'd 2015-04-15 17:03:12 +10:00
Shannon
f2e319a01f Updates the UmbracoBackOfficeIdentity to have better support for claims and adds unit tests for it. Creates OwinLogger's and methods to apply them. Updates security methods to ensure that a UmbracoBackOfficeIdentity is returned even from a normal ClaimsIdentity which will be the case with bearer tokens. Updates the angular anti-forgery checker to be ignore if the auth type is not cookie based. Adds a simple token server provider that people can use if they want. Now token authentication is working. 2015-04-10 14:22:09 +10:00
Shannon
86833aa8bf Updates the back office external cookie name to be consistently cased with the other back office cookie names 2015-04-01 13:42:11 +11:00
Shannon
90b562a0a1 Update the PostLogin method to write the auth ticket the way that webapi is supposed to, not sure how this was actually working before because writing cookies directly with HttpContext and then also using WebApi normally doesn't work (maybe in very specific circumstances), so now the cookie writing is done consistently and it is working, prior to this i was getting lots of issues with the xsrf tokens. Updated some user model mappings for convenience and update naming conventions for some properties of the BackOfficeIdentityUser for consistency. 2015-04-01 13:42:07 +11:00
Shannon
8c51e8bad8 Implements IExternalLoginService and the db table, implements more logic to start enabling this to work in the back office, need to implement the rest of the userstore and then implement a way once logged in to the back office to allow users to link their accounts with external logins. Currently if an external login is detected during startup and it has not been linked we'll throw an exception. Very very close to making this all work nicely. 2015-04-01 13:41:26 +11:00
Shannon
d4b21243ca Allows external logins to be listed on login page, updates BackOfficeController with actions for invoking them. 2015-04-01 13:41:24 +11:00
Shannon
48317d7e61 massively simplifies the cookie handling, we don't use our own and just use the defaults, the trick to not validating everything is to use the cookie path. This does mean that each clientside request will also be validated but there's no way to override this behavior in identity currently, the cookie handler is internal so unless we copy/paste all of it's code can't do much about that. 2015-04-01 13:41:18 +11:00
Shannon
93df2edec2 Initial install which now uses Identity middleware to perform the back office auth (no longer done in our module). Created custom data secure classes that use the legacy Forms auth logic for backwards compat. This means that the cookie can still be written the old way and still auth the new way if required. Now need to clean a lot of this up. 2015-04-01 13:41:16 +11:00
Shannon
da778e277f Fixes: U4-6093 ContentService.SaveAndPublishDo changes Culture 2015-01-12 21:45:52 +11:00
Shannon
ad66613011 Updates ValidateCurrentUser so that it doesn't re-decrypt the cookie since that is already done, it just needs to check if the current user is authenticated and if it is a back office identity. Added lots of notes for extension points when we start looking at extending how the back office auth works. 2014-12-05 10:29:18 +11:00
Shannon
ac88da4188 Fixes: U4-4856 ApplicationContext.Current.Services.ContentService.Save throw exception 2014-05-12 14:32:34 +10:00
Shannon
d264792e18 Fixes: U4-4819 Publicize AuthenticationExtensions 2014-05-06 18:15:38 +10:00
Shannon
8926e8c7d9 ensures preview cookie is gone on logout. 2014-01-16 20:56:34 +11:00
Shannon
f4b707e928 Merge remote-tracking branch 'origin/6.2.0' into 7.0.2 
Conflicts:
	src/Umbraco.Core/Configuration/UmbracoSettings.cs
	src/Umbraco.Core/Security/AuthenticationExtensions.cs
	src/umbraco.businesslogic/StateHelper.cs
 2014-01-16 20:49:19 +11:00
Shannon
c38030def2 Fixes: U4-3855 Preview cookie should be a session cookie not persisted 2014-01-16 20:47:13 +11:00
Shannon
9d90506265 Fixes issue with authcookie on renew - need to ensure its http only and persited for a day remains, ensures the csrf cookies are set when getting the user since that is called before logging in. 2013-12-03 11:57:41 +11:00
Shannon
ea35ea1af5 getting csrf stuff coded up, it's pretty much done just need to write a couple tests and add the filter to the necessary controller/actions 2013-12-02 17:20:50 +11:00
Shannon
b2c5d7270e Fixes: U4-3286 Using a custom aspx page that inherits from UmbracoEnsuredPage seems to log you out - moves the authentication/ticket logic to one central place, now for all base page validation requests if the ticket is not already there it will attempt to authentication the request. This only occurs when a page is being loaded that requires back office authentication but is not part of the umbraco back office route (so packages mainly) 2013-11-01 15:37:59 +11:00
Shannon
2267ac4534 More work on user timeouts, have the login dialog showing when it needs to and updating the user's ticket and correct new timeout seconds value - now to get it to not re-load routes when they log back in so their data is still editable. 2013-10-16 12:00:42 +11:00
Shannon
8d9f741a6a Working on user timeouts - now have the user timeout time being nicely tracked in the back office with a bit of injector magic both on the client side and the server side with filters. Now to wire up the call to get remaining seconds if a request hasn't been made for a specified amount of time, then we can add UI notification about timeout period. 2013-10-15 18:46:44 +11:00
Shannon
1e9a17babe Fixes merge issues, fixes up some unit tests, removes the For<T> config section stuff and simplifies the singleton, refactors it with methods as per discussion with stephen. 2013-09-25 19:23:41 +10:00
Shannon
f38a6e1561 Makes some massive headway with the real config section, have got all code re-delegated to using it and have migrated the baserest config to the core project, all configs will be shared out of the UmbracoConfiguration singleton, now to get the unit tests all wired up and using mocks for the most part. 2013-09-13 18:11:20 +10:00
Shannon
7806762b80 Implemented a real .Net configuration section for umbracoSettings.config + unit tests for every property. NOTE: This isn't referenced in the codebase yet, going to start setting default values for most of the properties so that we can remove them from the config file for shipping (ship minimal config) then reference these settings in the codebase. 2013-08-31 11:28:19 +10:00
perploug
e825c08901 Added events.Service and xmlhelper.service 2013-08-12 15:17:34 +02:00
Shannon
c40084c625 updates the forms auth stuff to be more inline with how v6 operates. Cookie is always stored for 1 day and we need to ensure that https and httponly is checked. 2013-08-05 15:39:18 +10:00
Shannon
c4b44ea0e3 Fixes: U4-2577 Can't save umbraco user - without re-filling in the password 
Fixes: U4-541 Wrong dictionary key when using in backend template names
This changes the way that the value that is stored in the auth cookie. Previously we just stored a GUID which was the user's contextid stored in the db, now we store encrypted values of a few necessary user objects. In 6.2 we'll actually set a real .Net user object on the HttpContext. For now, the http module will simply just ensure that the culture is set correctly for the currently logged in user.
 2013-08-02 15:16:04 +10:00
Shannon
6f464567bb Implements real FormsAuthentication for back office cookie authentication... finally :) 2013-07-31 17:08:56 +10:00