rehansaeed.github.io
rehansaeed.github.io copied to clipboard
RehanSaeed
[Comment] ASP.NET Core Boilerplate
Hi,
Could you please post a change log, when you update the template?
Tks!
Hi,
Could you please post a change log, when you update the template?
Tks!
Hi Bruno, I already do, you can find it here.
hi, thanks for your job. I used it and it was very nice and helped me. but I had some problems such as packages reinstall and configuring IIS. if you could add some other options like membership and account pages it will be much better.
hi, thanks for your job. I used it and it was very nice and helped me. but I had some problems such as packages reinstall and configuring IIS. if you could add some other options like membership and account pages it will be much better.
Hi, Its on the list. there are still several other improvements to do before I add Identity which is a feature not everyone wants. I have to add a way to select the type of identity provider like Visual Studio does by showing a special UI.
This rocks!
- Does the template auto configure Nwebsec, can you list what are the configurations on settings.
- Can you expand on how to IOC and Open Search please
- Also which membership provider do you recommend, do you plan to include one into this VSIX, with a web UI for admin management
This rocks!
- Does the template auto configure Nwebsec, can you list what are the configurations on settings.
- Can you expand on how to IOC and Open Search please
- Also which membership provider do you recommend, do you plan to include one into this VSIX, with a web UI for admin management
Thanks Vijay,
- It configures NWebSec as much as it can. Of course, you will need to customize it to your own requirements. You can see my post on Content Security Policy for more information.
- I am planning more blog posts. I will make sure to add IoC and Open Search to the list. You can check the ReadMe.html for a link to Scott Hanselman's blog covering open Search.
- You can add the ASP.NET Identity NuGet package yourself or use Windows Authentication depending on what you need. I have not included this but I do plan to look into its feasibility. I may be able to hook into Visual Studio's Authentication dialog which is displayed for normal web projects but I'm not sure how to do this yet.
Things you can look forward to this week, is added Atom/RSS feed support and a much improved ReadMe.html with tonnes of new information and you can check things you have completed off the list. I hope that helps.
Hi there!
Thanks for the great work! One question: When receiving updates how do I implement these changes to my project? Can it automatically make the changes from each update?
Hi there!
Thanks for the great work! One question: When receiving updates how do I implement these changes to my project? Can it automatically make the changes from each update?
Thanks, I really appreciate all feedback.
I'm afraid that would not be possible. If I create some kind of code updater application, it would be very difficult to deal with edits or deletions that developers have made.
Instead, I have added a note to ReadMe.html to point developers to the GitHub changes page where they can manually see what the changes are and make fixes themselves.
This project is still fairly new. Hopefully it will settle down soon with less changes. I'm certainly running low on ideas
You saved me lot of time ! Keep rocking !
One quick question:
I'm trying to configure windows authentication using this template. I did the following steps
- Included following section in
web.configundersystem.web
authentication mode="Windows"
authorization
deny users="?"
authorization
-
Changed the project properties - Anonymous Authentication -> Disabled and Windows Authentication -> Enabled
-
I use IIS Express and when I run - It gives a login prompt which doesn't happen on Microsoft's default template.
I tried tweaking couple of settings in web.config but in vain. Can you please help ?
Rehan, what are your thoughts on implementing user access control to the boilerplate? Would you make use of the identity framework?
Rehan, what are your thoughts on implementing user access control to the boilerplate? Would you make use of the identity framework?
I've been asked this several times. I really must add this information to the ReadMe file. I recommend using the ASP.NET Identity. Please don't roll your own unless you are a security expert, you will most likely get it wrong as it's a ridiculously complicated subject that even experts get wrong.
You saved me lot of time ! Keep rocking !
One quick question:
I'm trying to configure windows authentication using this template. I did the following steps
- Included following section in
web.configundersystem.webauthentication mode="Windows" authorization deny users="?" authorization
Changed the project properties - Anonymous Authentication -> Disabled and Windows Authentication -> Enabled
I use IIS Express and when I run - It gives a login prompt which doesn't happen on Microsoft's default template.
I tried tweaking couple of settings in
web.configbut in vain. Can you please help ?
I do intend to add a section on authentication in the ReadMe file, outlining how to do Windows or OAuth authentication. I may even create new project templates with these included out of the box but I want to finish up a few features first and MVC 6 is coming out too so there is a lot to do. It looks like you have done everything right. My advice would be to create a new Web Project with Windows authentication and see what is added to the project.
hi Rehan,
I really like this template and feature you have added. While i am changing the theme by replacing the respective bootstrap file it is not working as i expected.
Do we need to do anything different to change the theme of this project ?
Regards, Chandra
hi Rehan,
I really like this template and feature you have added. While i am changing the theme by replacing the respective bootstrap file it is not working as i expected.
Do we need to do anything different to change the theme of this project ?
Regards, Chandra
You can change the theme a few different ways. The first is to edit the bootstrap site.less file to override the bootstrap settings and customize it. Some themes come as bootstrap-theme's which can be placed after the bootstrap files but most themes totally replace the bootstrap less or css files. So it depends on what theme you are using.
Could you integrate ASP.NET identity out if the box?
Could you integrate ASP.NET identity out if the box?
Its coming after the MVC 6 template. I have talked to Microsoft devs about hooking into the VS authentication selection dialog. If they allow that, then I don't need to create a special project template including identity support.
how to add asp.net boilerplate template to visual studio
how to add asp.net boilerplate template to visual studio
There are three ways:
- Download and install it from the visual studio gallery.
- Go to File -> New Project in visual studio and search for it in the online section at the bottom left.
- Go to Options -> Tools and Extensions and search for it.
I think it's a great project, but lacks authentication
I think it's a great project, but lacks authentication
Thank you for your comment. I agree with you and will add it in future. Right now, I'm focusing on the MVC 6 Boilerplate project and some more improvements to MVC 5. For now, there is a section in the ReadMe.html file which covers authentication and how it can be handled.
The dynamicIpSecurity section in web.config causes IIS below 8.0 to return a HTTP Error 500.19 - Internal Server Error with the lovely details: Config Source -1: 0: Which must be one of the most meaningless error messages microsoft ever produced.
The dynamicIpSecurity section in web.config causes IIS below 8.0 to return a HTTP Error 500.19 - Internal Server Error with the lovely details: Config Source -1: 0: Which must be one of the most meaningless error messages microsoft ever produced.
Thanks for that. I'll see if I can put a note on the ReadMe file about it.
Small issue/edge case I had with the SEO option setting LowercaseUrls = true, this appears to break the Kendo grid clienttemplate as it lowercases the Id column.
So;
Html.Kendo().Grid(Model)
.Name("grid")
.Columns(columns =>
{
columns.Bound(c => c.Id).ClientTemplate(@Html.ActionLink(" ", "Details", "RolesAdmin", new { Id = "#=Id#" },
new { @class = "viewIcon", @title = "Details" }).ToHtmlString())
.Width(25).Title(" ").Filterable(false).Groupable(false);
for example no longer works. Error is thrown in page "id not defined..." Removing the optimization fixed my issue.
If you are going to roll in Identity membership, you might want to consider rolling in Brock Allen's IdentityServer and IdentityManager. Does all the things ASP.Net Identity does currently, does them better and with increased security, and more. It's pretty awesome.
Small issue/edge case I had with the SEO option setting
LowercaseUrls = true, this appears to break the Kendo grid clienttemplate as it lowercases the Id column.So;
Html.Kendo().Grid(Model) .Name("grid") .Columns(columns => { columns.Bound(c => c.Id).ClientTemplate(@Html.ActionLink(" ", "Details", "RolesAdmin", new { Id = "#=Id#" }, new { @class = "viewIcon", @title = "Details" }).ToHtmlString()) .Width(25).Title(" ").Filterable(false).Groupable(false);for example no longer works. Error is thrown in page "id not defined..." Removing the optimization fixed my issue.
I have some experience using Kendo. This is an interesting problem, Kendo is probably adding upper-case characters instead of lower-case in the URL and I don't remember seeing an option to be able to force lower-case. You should consider the canonical meta tag instead then in _Layout.cshtml.
<link rel="canonical" href="">
If you are going to roll in Identity membership, you might want to consider rolling in Brock Allen's IdentityServer and IdentityManager. Does all the things ASP.Net Identity does currently, does them better and with increased security, and more. It's pretty awesome.
Thanks for that Richard. I'd heard of that project but not used it. I'll certainly look into it when I get to that stage. Dominick Baier (Also from ThinkTecture) trained me in WCF and I know their stuff will be good :).
Right now I'm still working on the MVC 6 project which is 60% completed, the NuGet package v1 is out already. Now I just need to get the project template finished and pushed out. There are still lots missing in MVC 6 so it's not as whole as I'd want but it's the best I can do at the moment.
I'm in the middle of a few projects right now that are not MVC but want to ask before I forget. I'm a Unity IoC user, will it be easy to swap out IoC containers and can you foresee any issues using Unity instead of autofac?
I'm in the middle of a few projects right now that are not MVC but want to ask before I forget. I'm a Unity IoC user, will it be easy to swap out IoC containers and can you foresee any issues using Unity instead of autofac?
I used to use Unity too but switched after having to use Azure Mobile Services where Microsoft ships Autofac by default. I now prefer it to Unity but all IoC containers are good these days and I realize it's about personal preference.
The Autofac code below is magical, it registers several MVC types including UrlHelper, HttpContext etc. As long as you can find a replacement for this in Unity I see no problems and the only code you need to change is in Startup.Container.cs.
builder.RegisterModule<AutofacWebTypesModule>()
I've added a comment to Startup.Container.cs in the template explaining this.
hi Rehan,
thanks for great template. how can change direction template of ltr to rtl ?
Hello! I am doing research for my Capstone project, the last piece of the puzzle necessary to graduate from college with an AAS in Computer Science. My question is, should I use MVC Boilerplate to build my project website or should I stick with ASP.NET MVC? I ask because I still heavily utilize tutorials and documentation to complete projects. I want to use best practices and challenge myself, but also do not want to get in over my head. Thank you for the feedback!
hi Rehan,
thanks for great template. how can change direction template of ltr to rtl ?
I haven't researched internationalization too deeply yet but it's a subject I'll add to my TODO list. Using RTL specifically is something that HTML provides and nothing to do with ASP.NET MVC but there are other features like date formatting, number formatting and language support which MVC can help with.
Hello! I am doing research for my Capstone project, the last piece of the puzzle necessary to graduate from college with an AAS in Computer Science. My question is, should I use MVC Boilerplate to build my project website or should I stick with ASP.NET MVC? I ask because I still heavily utilize tutorials and documentation to complete projects. I want to use best practices and challenge myself, but also do not want to get in over my head. Thank you for the feedback!
Interesting question. ASP.NET Core Boilerplate certainly has you covered with best practices, security, performance etc.
However, I hesitate to recommend it because you say you are very new to MVC. Introducing too many new concepts may overwhelm you and there certainly is a lot to learn.
There are a few things that may trip you up if you don't have enough knowledge. I'll leave you to judge if you have learned MVC thoroughly enough.
I tried to download this through Visual Studio, but it seems to have disappeared from the online templates.
I tried to download this through Visual Studio, but it seems to have disappeared from the online templates.
It seems ok at the moment. If you still can't find it get it from the Visual Studio Gallery here.
Hi, I am trying to use your template with some MVC Grid library and hit some problems:
- First I tried Grid.Mvc, I can't get the paging, sorting & filtering to work, even after I enabled Cross-Origin Request.
- Then I tried NonFactors.Grid.Mvc5, same problem, paging, sorting & filtering don't work.
There is no error in web or back-end, the page just reloaded and same data was displayed again. I am using VS2003 & VS2005 RC (ASP.Net MVC5 project)
Have anyone been facing the same problem?
Hi, I am trying to use your template with some MVC Grid library and hit some problems:
- First I tried Grid.Mvc, I can't get the paging, sorting & filtering to work, even after I enabled Cross-Origin Request.
- Then I tried NonFactors.Grid.Mvc5, same problem, paging, sorting & filtering don't work.
There is no error in web or back-end, the page just reloaded and same data was displayed again. I am using VS2003 & VS2005 RC (ASP.Net MVC5 project)
Have anyone been facing the same problem?
NOTICE TO ALL: Please raise any issues on the GitHub issues page.
Do you get any errors in your browser console or Elmah? If so, adjust your Content Security Policy (CSP) policy. The grid may use inline scripts for example.
hello, when i make changes, to the website, the changes are only seen in internet explorer, how do i make the changes visible to other browsers?
hello, when i make changes, to the website, the changes are only seen in internet explorer, how do i make the changes visible to other browsers?
I'm probably missing something but can't you just refresh the page? Perhaps you are talking about Browser Link? In that case Browser Link does not work with Content Security Policy (CSP) (See FilterConfig.cs) so you can turn off Browser Link or CSP temporarily to get one of them working. I have suggested a fix for this in MVC 6.
I'm probably missing something but can't you just refresh the page? Perhaps you are talking about Browser Link? In that case Browser Link does not work with Content Security Policy (CSP) (See
FilterConfig.cs) so you can turn off Browser Link or CSP temporarily to get one of them working. I have suggested a fix for this in MVC 6.
yea, the project i have created using visual studio as you know, but when i run the project Internet Explorer being the default browser, the project runs as it should but when i run using other browsers say fire fox or chrome, the site does not run as i want, my site has a flash image, the image is visible on IE but not visible on chrome or firefox, the same thing happens even after i have published the site to the cloud
yea, the project i have created using visual studio as you know, but when i run the project Internet Explorer being the default browser, the project runs as it should but when i run using other browsers say fire fox or chrome, the site does not run as i want, my site has a flash image, the image is visible on IE but not visible on chrome or firefox, the same thing happens even after i have published the site to the cloud
Ah! Chrome and FireFox support CSP (See FilterConfig.cs) and are blocking flash by default. You just need to add an exception to allow your site to use flash plugins.
Ah! Chrome and FireFox support CSP (See
FilterConfig.cs) and are blocking flash by default. You just need to add an exception to allow your site to use flash plugins.
okay, thank you
Hi, I cannot get this to run on IIS 7.5. However, it runs fine on IIS express. Receive error below with IIS 7.5. I have all permissions set on project folders so this cannot be a permission issue. Any ideas? HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.
Hi, I cannot get this to run on IIS 7.5. However, it runs fine on IIS express. Receive error below with IIS 7.5. I have all permissions set on project folders so this cannot be a permission issue. Any ideas? HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.
Some Web.config settings do not exist in older versions of IIS (7.5 and 8) so you must edit the Web.config file and remove the setEtag="false" attribute, as well as the dynamicIpSecurity settings. I have added a note the ReadMe.html for future reference.
Some Web.config settings do not exist in older versions of IIS (7.5 and 8) so you must edit the
Web.configfile and remove thesetEtag="false"attribute, as well as thedynamicIpSecuritysettings. I have added a note theReadMe.htmlfor future reference.
That fix cleared up the Web.conig issues for me. Thanks!!
So how do you run jquery script on the views using this template with CSP? Sorry new to CSP and trying to get a handle on it? Once I add script tags and document ready I get error: Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost http://ajax.googleapis.com http://ajax.aspnetcdn.com").
$(document).ready(function () {...
How do I fix? Thanks
So how do you run jquery script on the views using this template with CSP? Sorry new to CSP and trying to get a handle on it? Once I add script tags and document ready I get error: Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src http://localhost http://ajax.googleapis.com http://ajax.aspnetcdn.com").
$(document).ready(function () {...How do I fix? Thanks
No need to be sorry, CSP is pretty complicated. It looks like you are using an in-line script tag in your view, which is not allowed by default in CSP because its a security risk. To fix this problem you have two options:
- Move your script into a separate JavaScript file and link to it. This will work because you have the 'self' parameter set on your 'script-src' directive in your CSP policy. This is also best practice anyway.
- You can pass the 'unsafe-inline' parameter to the 'script-src' directive, which will allow in-line scripts to run but as the name implies it is unsafe and you will not be getting the full benefit of using CSP.
I actually found your other blog about CSP and just read the piece how CSP blocks inline script. I moved it to site.js and all is fine now. I need to read more about CSP. Thanks
hi Rehan,
Thank you so much for answering my former question
Please be informed that there is a way that can turn off Custom error in web.config. that could therefore see yellow pages error in test program to localhost ?
hi Rehan,
Thank you so much for answering my former question
Please be informed that there is a way that can turn off Custom error in web.config. that could therefore see yellow pages error in test program to localhost ?
You are talking about setting the customErrors mode to 'on' or 'off'. Please be careful, it is a serious security mistake to have mode set to 'off' in a live production site. The mode should be set to 'off' only for debugging purposes on your local machine. The Web.Release.config file sets the mode to 'on' for you.
You are talking about setting the customErrors mode to 'on' or 'off'. Please be careful, it is a serious security mistake to have mode set to 'off' in a live production site. The mode should be set to 'off' only for debugging purposes on your local machine. The Web.Release.config file sets the mode to 'on' for you.
yeah you right,but i talking about debugging in local machine .In your template custom error is off but when error is happen show me error page instead of yellow page,how can be possible?
yeah you right,but i talking about debugging in local machine .In your template custom error is off but when error is happen show me error page instead of yellow page,how can be possible?
Thanks for highlighting this issue Reza! I have created a fix for the next version. the httpErrors section in Web.config has an attribute called existingResponse which needs to be set to PassThrough in debug mode and Replace in release mode. I have also updated the Web.Release.config with the above transformation.
Hi Rehan, this is an awesome template, and helpful learning.
I am running into some problem with Web Api 2 (MVC5). In WebApiConfig.cs, these two lines are broken.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
I know now that maybe it is too early for me to use this template... But, is there anything I can, or need, to do specifically, to open my web api routes? I have kinda been stuck and my spinning wheels on this... Thanks, and great job!
G-
Hi
Do you have a link to the latest vsix? Visual Studio Gallery is slow to update
Hi Rehan, this is an awesome template, and helpful learning.
I am running into some problem with Web Api 2 (MVC5). In
WebApiConfig.cs, these two lines are broken.config.SuppressDefaultHostAuthentication(); config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));I know now that maybe it is too early for me to use this template... But, is there anything I can, or need, to do specifically, to open my web api routes? I have kinda been stuck and my spinning wheels on this... Thanks, and great job!
G-
What errors are you getting? Are you getting VS errors, browser errors, Elmah errors? A lot of people have trouble with CSP because it blocks things by default. See my blog post on CSP for more info and see your browser console for any errors.
Hope that helps.
Hi
Do you have a link to the latest vsix? Visual Studio Gallery is slow to update
I assume you are talking about the ASP.NET 5 MVC 6 release which is version 2.0.0. I have to manually submit it to the VS gallery. I'm just doing some final testing, you will see it in a day or two :).
thanks for u. very good
I have now been able able to modify your boilerplate mvc5 and have added identity 2 - Int for userId and mysql as backend I had some hiccups like RenderActions were trying to redirect - to put backslash- I now found a way out. to comment whole controllers with [NoTrailingSlash]. Is that the way to go if one does not want the backslash for the whole application?
I have now been able able to modify your boilerplate mvc5 and have added identity 2 - Int for userId and mysql as backend I had some hiccups like RenderActions were trying to redirect - to put backslash- I now found a way out. to comment whole controllers with
[NoTrailingSlash]. Is that the way to go if one does not want the backslash for the whole application?
Look at the RedirectToCanonicalUrlAttribute in FilterConfig.cs. Read the comments for the class and it will become clear.
I am running into an issue displaying a pdf file in the browser using this template. In IE it always prompting to save instead displaying in browser. It seems to be related to this template as I can create new MVC web(non-boilerplate) app and use same code to display pdf and it works fine in all browsers. Is there a setting that would block this that I am missing somewhere? Thanks
I am running into an issue displaying a pdf file in the browser using this template. In IE it always prompting to save instead displaying in browser. It seems to be related to this template as I can create new MVC web(non-boilerplate) app and use same code to display pdf and it works fine in all browsers. Is there a setting that would block this that I am missing somewhere? Thanks
Take a look at the NWebSec XDownloadOptionsAttribute. It adds the X-Download-Options HTTP header. When users save the page, stops them from opening it and forces a save and manual open. ASP.NET Core Boilerplate is all about being secure by default but if you have a specific requirement then feel free to remove this HTTP header from specific areas where you need to open the PDF directly.
I left it enabled for the site and for the one particular method I set [XDownloadOptions(Enabled=false)] and that seemed to be what I needed.
I left it enabled for the site and for the one particular method I set
[XDownloadOptions(Enabled=false)]and that seemed to be what I needed.
Cool, glad you got it sorted.
How do you allow Google analytics to the csp settings?
I can only seem to run this in IIS Express from within Visual Studio. When I publish to localhost, it only displays a blank page. I tried commenting out the filers in the FilterConfig, but no luck. I am new to this stuff and have a feeling it's something very basic, but I can't seem to figure it out. Any help would be appreciated. Thanks for providing this great template!
How do you allow Google analytics to the csp settings?
You just need to add the Google Analytics URL to script-src. You can check the Chrome browsers console and it will tell you what you need exactly.
I can only seem to run this in IIS Express from within Visual Studio. When I publish to localhost, it only displays a blank page. I tried commenting out the filers in the FilterConfig, but no luck. I am new to this stuff and have a feeling it's something very basic, but I can't seem to figure it out. Any help would be appreciated. Thanks for providing this great template!
There are certain settings in the system.webServer section of Web.config that controls IIS, that are not available for older versions of IIS. See the Compatibility section of ReadMe.html.
You just need to add the Google Analytics URL to script-src. You can check the Chrome browsers console and it will tell you what you need exactly.
Using Chrome I noticed that firebug is also being blocked: chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug-lite.js:15309 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content
Using Chrome I noticed that firebug is also being blocked: chrome-extension://bmagokdooijbeehmkpknfglimnifench/firebug-lite.js:15309 Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content
That makes perfect sense. FireBug is injecting script into the page. It's worth noting CSP blocks a lot of stuff like this e.g. evil government/ISP/router/Proxy injected scripts and browser extensions. Most of the time, this is exactly what you want...except this time.
You should stick to using the standard browser developer tools (I personally have always found FireBug to be a bit slow so I ditched it). I wouldn't recommend it but you could also disable CSP temporarily or remove it entirely.
There are certain settings in the system.webServer section of Web.config that controls IIS, that are not available for older versions of IIS. See the Compatibility section of ReadMe.html.
Works! Should've read that doc better. Thanks for replying so fast and not calling me a nitwit for missing it in the readme file!
Are you planning to make it a layered architecture or domain design, which will be a little bit cleaner I believe.
Are you planning to make it a layered architecture or domain design, which will be a little bit cleaner I believe.
I'm not sure exactly what you are asking. There is not really much code in the project templates to add any layers. I've tried to keep it as simple as possible and only writing services where I absolutely need them. All services use IoC and are fully testable.
I'm trying to break up the MVC 6 project template using a feature selection wizard so that you only get the bare minimum you want. The MVC 5 project will stay as is for now. I'm still in the process of splitting off things into features you can select.
Rob, you should probably have a look here for that.
http://www.aspnetboilerplate.com/
Rob, you should probably have a look here for that.
http://www.aspnetboilerplate.com/
Yes, my template focuses on the basics. Look at Patrik's suggestion for a fuller solution.
I think this solution is more comprehensive than the one suggested by Patrick. Although that layered breakdown is what I would like to see in this solution.
I am moving things such as services etc. to their own class library projects and that makes this template look much cleaner, hence I suggested/asked that.
Anyway, thanks for the suggestion :-)
Using your template for a 2nd time, it's nice :). My next project utilizes telerik mvc controls. I added all the kendo CDN scripts and set the domain for kendo cdn property in CspScriptSrcAttribute. Facing an error "Error: Invalid template:'" for the kendo scripts. Have you seen this? Any work around other than setting unsafeeval false?
Thanks
Using your template for a 2nd time, it's nice :). My next project utilizes telerik mvc controls. I added all the kendo CDN scripts and set the domain for kendo cdn property in
CspScriptSrcAttribute. Facing an error "Error: Invalid template:'" for the kendo scripts. Have you seen this? Any work around other than setting unsafeeval false? Thanks
If CSP is causing any problems, the browser will tell you in the F12 developer tools console. It will even tell you how to change your CSP policy to fix the problem. If this is MVC 5, you should also see an error appear in Elmah.
Valentin commented on 2015-10-22 10:34:54
Hi,
Is Boilerplate multi-model friendly? What I want to say? In real life apps, we have this kind of scenario: on views (starting with Index) we need to pull and render data from various models at a time (e.g. data from data from Candidates and Employers tables) and even mode from their "child" models. Obvious we do this with ViewModel(s) manually, but is not always as easy as we can espect and is prone to errors. Not to mention the entry/edit data scenario when we have to deal with more than the main model (e.g. an entry form with more than one "child" subforms).
Thnx.
Hi,
Is Boilerplate multi-model friendly? What I want to say? In real life apps, we have this kind of scenario: on views (starting with Index) we need to pull and render data from various models at a time (e.g. data from data from Candidates and Employers tables) and even mode from their "child" models. Obvious we do this with ViewModel(s) manually, but is not always as easy as we can espect and is prone to errors. Not to mention the entry/edit data scenario when we have to deal with more than the main model (e.g. an entry form with more than one "child" subforms).
Thnx.
It's annoying but creating your own ViewModel is the best way. Alternatively, you can sacrifice a tiny bit of performance and use the ViewBag. I don't think there is much I can do to improve this situation.
Hi,
Could you please post a change log, when you update the template?
Tks!
The correct link is under the header "Release Notes and To-Do List" above.
Hi, I ran across another issue using this template. I am using identity 2.0 and create a user and generate email confirmation token that sends to user's email for them to verify. The issue I am seeing is that when verifying the email, the token is always invalid. I noticed when debugging the confirmemail action that the token comes back as a lowered string which is why it is invalid. Would this be caused from RouteTable.Routes.LowercaseUrls and or routes.LowercaseUrls = true? Please advise?
Thanks
Hi, I ran across another issue using this template. I am using identity 2.0 and create a user and generate email confirmation token that sends to user's email for them to verify. The issue I am seeing is that when verifying the email, the token is always invalid. I noticed when debugging the confirmemail action that the token comes back as a lowered string which is why it is invalid. Would this be caused from
RouteTable.Routes.LowercaseUrlsand orroutes.LowercaseUrls = true? Please advise? Thanks
I ended up solving my issue by sitting RedirectToCanonicalUrlAttribute properties for my controller method. Might want to update read me to state that identity email confirmation tokens will fail confirmation with "invalid token" error if the lowercaseUrls is not set for the confirm email method.
Thanks
No need to be sorry, CSP is pretty complicated. It looks like you are using an in-line script tag in your view, which is not allowed by default in CSP because its a security risk. To fix this problem you have two options:
- Move your script into a separate JavaScript file and link to it. This will work because you have the 'self' parameter set on your 'script-src' directive in your CSP policy. This is also best practice anyway.
- You can pass the 'unsafe-inline' parameter to the 'script-src' directive, which will allow in-line scripts to run but as the name implies it is unsafe and you will not be getting the full benefit of using CSP.
Hello
Could you please elborate on how this "Move your script into a separate JavaScript file and link to it. This will work because you have the self parameter set on your script-src directive in your CSP policy. This is also best practice anyway." is done. I'm pretty new to js and i have added Identity framework to you solution but my log out link on the default _LoginPartial.cshtml wount execute...... Actual i can't get any script to execute on others pages as well.... what am i missing?
Hello
Could you please elborate on how this "Move your script into a separate JavaScript file and link to it. This will work because you have the
selfparameter set on yourscript-srcdirective in your CSP policy. This is also best practice anyway." is done. I'm pretty new to js and i have added Identity framework to you solution but my log out link on the default _LoginPartial.cshtml wount execute...... Actual i can't get any script to execute on others pages as well.... what am i missing?
I recommend you spend some time learning about JavaScript and CSP to save you time in the long run.
If CSP is causing any problems, the browser will tell you in the F12 developer tools console. It will even tell you how to change your CSP policy to fix the problem. If this is MVC 5, you should also see an error appear in Elmah.
Telerik Ui for MVC is opening securitiy holes. If you want to compile templates, enable "unsafe-eval". As stated here: http://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy Besides that the HTML helper is gnereating inline script. you need to enable unsafe-inline too.
Added identity and owin to my project and I'm testing login page with a return url and I keep getting a login loop. I tested the same in a regular MVC project with identity installed and do not get this issue. Any setting I may have missed that would cause this?
The login loop has something to do with add seo optimization filter.
routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.
One security option is missing in the template.
MvcHandler.DisableMvcResponseHeader = true;
See: http://www.acunetix.com/vulnerabilities/web/asp-net-mvc-version-disclosure
Hi Rehan,
There is a problem in MVC6 RC1 Update 1 template. RazorPreCompileModule throws missing assembly error. I've added Microsoft.AspNet.Razor.Runtime.Precompilation to dependencies and added a using line for it in RazorPreCompilation.cs. That fixed the problem.
Great template. Thanks for your efforts.
routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.
Hi Matt
Did you solve it?
In Login.cshtml i changed my Html.BeginForn to:
@using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
And added(note returnurl is lowercase):
@Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })
Btw. Have you solved the problem where the logoff feature is not working(Does not fire)? The current code looks like this:
using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" }))
{
@Html.AntiForgeryToken()
@Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" })
[Log off](document.getElementById('logoutForm').submit())
}
I'm sure it hase something to do with javascript:document.getElementById('logoutForm').submit() and CSP but trying to move it to site.js has not helped me... Anyone?
Telerik Ui for MVC is opening securitiy holes. If you want to compile templates, enable "unsafe-eval". As stated here: http://docs.telerik.com/kendo-ui/troubleshoot/content-security-policy Besides that the HTML helper is gnereating inline script. you need to enable unsafe-inline too.
That's sad...they should really sort that out.
routes.LowercaseUrls = true in routeconfig will cause a login loop when using a redirect url.
I've updated the NuGet package to include a new NoLowercaseQueryStringAttribute attribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.
One security option is missing in the template. MvcHandler.DisableMvcResponseHeader = true; See: http://www.acunetix.com/vulnerabilities/web/asp-net-mvc-version-disclosure
I believe, using NWebSec negates the need for this.
Hi Matt
Did you solve it? In
Login.cshtmli changed myHtml.BeginFornto:@using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))And added(note returnurl is lowercase):
@Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })Btw. Have you solved the problem where the logoff feature is not working(Does not fire)? The current code looks like this:
using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" })) { @Html.AntiForgeryToken() @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" }) [Log off](document.getElementById('logoutForm').submit()) }I'm sure it hase something to do with
javascript:document.getElementById('logoutForm').submit()and CSP but trying to move it to site.js has not helped me... Anyone?
I've updated the NuGet package to include a new NoLowercaseQueryStringAttribute attribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.
Hi Rehan,
There is a problem in MVC6 RC1 Update 1 template.
RazorPreCompileModulethrows missing assembly error. I've added "Microsoft.AspNet.Razor.Runtime.Precompilation" to dependencies and added a using line for it inRazorPreCompilation.cs. That fixed the problem.Great template. Thanks for your efforts.
Thanks, that will be fixed in the next update.
I've updated the NuGet package to include a new
NoLowercaseQueryStringAttributeattribute. This should be applied to the AccountController if you are using ASP.NET Identity. You will then no longer have any problems.
Is the logoff also solved when using identity?
Hi Matt
Did you solve it? In
Login.cshtmli changed myHtml.BeginFornto:@using (Html.BeginForm("Login", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))And added(note returnurl is lowercase):
@Html.Hidden("returnurl", new { returnurl = ViewBag.ReturnUrl })Btw. Have you solved the problem where the logoff feature is not working(Does not fire)? The current code looks like this:
using (Html.BeginForm("LogOff", "Account", FormMethod.Post, new { id = "logoutForm", @class = "navbar-right" })) { @Html.AntiForgeryToken() @Html.ActionLink("Hello " + User.Identity.GetUserName() + "!", "Index", "Manage", routeValues: null, htmlAttributes: new { title = "Manage" }) [Log off](document.getElementById('logoutForm').submit()) }I'm sure it hase something to do with
javascript:document.getElementById('logoutForm').submit()and CSP but trying to move it to site.js has not helped me... Anyone?
I'm not having any issues with logging off.
I am using paypal in my application buy nothing happen when im calling return Redirect("https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=mytoken") (mytoken removed). If i use the link in browser paypal is called correctly
What should i do to be able to call external websites with this template?
Love the template btw.