webmatrix/razor: how to keep website anonymous but have windows authentication for gallery maintenance pages?

May 8, 2015 at 8:27 AM
I'm using webmatrix, razor, c#. I've created a web site for friends, it's on asphostportal. I've created web pages to upload or delete images for the gallery, they work ok on webmatrix on my laptop, but get an "access denied" error with asphostportal, understandably since I'm an anonymous user.

asphostportal says it is doing windows authentication and the asphostportal gui shows me the folders and the user accounts and their permissions.

Can anyone tell me please how to keep the rest of the web site anonymous but to do this with the web pages which amend the gallery: 1. some kind of authentication to get into 2. they also authenticate to asphostportal so they have permissions to create/delete files in the relevant folders

I can't see how the WebSecurity class can help. I've read that by default it creates its own database of user accounts, so this could achieve 1, but not 2. I've also read that it can be configured to use windows authentication instead of its own database, but that to do this anonymous access must be disabled.

I'd be grateful for any help, I certainly am stuck. For anyone kind enough to reply, please bear in mind I'm not a web developer, I'm a server admin!
May 8, 2015 at 2:49 PM
If you want to limit access to pages and make them available only to site owner, put the pages in rcadmin folder - it is already password protected.
May 11, 2015 at 8:15 PM
Edited May 11, 2015 at 8:23 PM
Assuming the security required can be accomplished allows everyone who logs in to have rights to everything on the site, razorC's answer is the probably the easiest. If you need more fine grained security, meaning perhaps that only the person that uploads the file can delete or replace it (plus a global admin) then you are going to have to roll your own. For a good example I would download WebPages CMS from here at Codeplex (https://webpagescms.codeplex.com/). It is another CMS built using the razor view engine but with a very different page composition model. It has some excellent role based security features built in but unfortunately appears to have arrested development as the primary developer sees no future in continuing to develop with WebMatrix as the product is getting no attention from Microsoft. The good thing is the code examples there are first class even though it is unfinished. Fortunately for us razorC continues to get updates and new features and we should give thanks for that. An implementation of additional security would take a great deal of time and effort and raise the level of complexity perhaps beyond what the code is intended for. If you decide to add on to razorC and hope to implement future updates I would recommend hosting your security in a separate SQLCE database so that future upgrades of razorC will be easier should the database change.
May 13, 2015 at 3:13 AM
One more thought - you said "Windows Authentication". Technically that term usually means the user is a "domain user" and their domain credentials are used for their authentication and authorization. I am not familiar with the hosting service but typically on third party hosting that may not be available. If it is then the directory with the pages used to manage the images will need to be protected by IIS and configured for windows authentication rather than forms based authentication