I got the marching orders to apply Azure Active Directory to an existing WebForms c# site which has 2 public facing pages. I was able to integrate the site with Azure AD using owin packages and configuring the app in Azure. The single sign-in is working as expected.
The problem I'm having is getting the public facing pages to allow anonymous access. I'm used to data annotations such as [AllowAnonymous] in MVC but I'm not sure of a good approach to implement something like that in Web Forms.
I've already tried placing the public aspx pages in a public folder along with this web.config:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
Thanks in advance for the help!
I found the issue. In order to use:
<configuration>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</configuration>
You need to have Anonymous Authentication enabled for the project in the properties window in Visual Studio. Just editing the csproj file alone won't do it.
take a look here: https://www.codeproject.com/tips/849113/four-easy-steps-to-set-up-owin-for-form-authentica
basically for web forms apps, you set it in the configuration sections of the web.config files in either root, or etc. , you tell it which paths require what auth, which don't, etc.
as per the above link, something like
<?xml version="1.0"?>
<configuration>
<location path="About.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
so this basically says deny all anonymous users for the about.aspx page. meaning the equivalent of [authorize] in mvc
Related
I have a website that is hosted on my local machine for development. I have a virtual directory named "content" that contains the images for my website (mapped to the physical path "C:\Content" in IIS). The problem is that when a user is not logged into my website, the images don't show up. I've tried putting a web.config file in the content folder using this
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
but that doesn't work. I've also tried adding this to my website's web.config file
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
but that's not working either. Any suggestions?
The <system.web><authorization> element only refers to content handled by the ASP.NET runtime, not IIS itself (which is <system.webServer> and has a totally different schema). However the Cassini/dev server in VS does use <system.web><authorization> for all resources because ASP.NET handles every request under Cassini.
Check your IIS Authentication rules, as well as your NTFS ACLs. Ensure that Anonymous Authentication is enabled and the correct user identity is set. You can do this in IIS Manager.
I have a web site with a few pages and a WebService. I am using form authentication.
I want to exclude the WebService from the form authentication, so that it will be available to all even when you did not do login.
How can I do that?
Thanks
Try to use location element for your service in your web.config and specify that all users can access the service by using:
<configuration>
<!-- rest of your web.config -->
<location path="MyService.asmx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
If this doesn't help you can also change authentication mode to none in the location element. If you have multiple services you can place them to separate folder and use single location element for whole folder.
Possibly a stupid question:
I have a site, developed by an outside company, which requires logon for all pages.
We'd like to add a single page to the site that DOESN'T require the user to be logged in...so they can click the link on the logon page to view "T&C's" type info.
Is this possible?
(ASP.Net 4.0 on IIS)
If you're using the ASP.Net membership providers you can specify this in the web.config file. Where for blocked pages you would expect:
<authorization>
<allow roles="granted"/>
<deny users ="*"/>
</authorization>
you can specify this per folder (or per page):
<location path="terms.aspx">
<system.web>
<authorization>
<allow users ="*"/>
</authorization>
</system.web>
</location>
to allow everyone access to this specific page.
Note that you can create a specific web.config in a folder in your website, these settings override the general web.config. This allows you to customize these settings per folder level.
Thanks to oɔɯǝɹ for pointing me in the right direction:
Added this after my node
<location path="terms.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Will this only have static content? Is it the asp.net application dealing with authentication?
If so you can just upload a .html file containing simple HTML (and your T&C) which will be served no problem to anyone requesting it.
I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc...), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.
I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.
My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.
However, I'm not finding a way to selectively disable forms auth.
Question: Is there a way to do this? I've tried the <location> tag in web config to no avail.
If not, what are your recommendations for how to set this up? I can think of the following options:
1) Create a new "Services" project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).
2) Create a separate "Services" solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)
3) ??
Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/Services/MyService.asmx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I would think the location tag would work, where you specify the services folder and allow all users, something like:
<location path="services">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
But you said that didn't work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?
You could also have a (overriding) web.config file in the services folder with the access control set to anonymous.
what worked for me was to allow users all users access in the folder where my webservices is located.
Firstly i added a configuration file in that folder and inserted the code below to allow all users.
<authorization>
<allow users="*"/>
</authorization>
</system.web>
I've got an ASP.NET application that uses the CreateUserWizard to register new users. Part of my registration process is creating a "home directory" for the user where they'll be able to upload files.
I'd like to use the ASP.NET authorization features to restrict access to the "home directory". Only the registered user assigned to the directory should have access.
I think I know how to do this declaritively with Web.config. I can do something like the following:
<?xml version="1.0"?>
<configuration>
.
.
<location path="UserHomeDirectories">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="UserHomeDirectories/MyUser">
<system.web>
<authorization>
<allow users="MyUser"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
.
.
.
This post almost answers my question, but can someone help me out with my particular situation? One more thing: doesn't modifying the Web.config restart the application? (i.e. when my code in the directory creation/authorization code in my CreatedUser event handler of the CreateUserWizard class is run?)
Thank you for your help!
Instead of using the location attribute in your app-wide web.config, you can place a new one inside the user's folder. In this new file, you specify the authorization rules for that specific folder, and they will override the app-wide rules.
As this does not change your original web.config file, your application will not restart.