I've been dealing with an issue for the last 3 hours.
I have to build a project with WebForms. I'm setting the authentication like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Account/Login.aspx" defaultUrl="Backend/Default.aspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<compilation debug="true" targetFramework="4.6"/>
<httpRuntime targetFramework="4.6"/>
</system.web>
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
When I run the application, not only does it not allow me to enter Backend/Default.aspx (it redirects the site to Account/Login.aspx), but it also does not allow access to the login page. I'm getting a not authorized error.
Can anyone tell what I am missing?
Edit:
I have 2 files:
Backend/Default.aspx
Account/Login.aspx
I want to be allowed to enter Default.aspx without authentication. But not only does it not allow me, it doesn't allow me Account/Login.aspx either.
If I change
<location path="Account/Login.aspx">
To
<location path="Account">
It works. But I only need one file on this folder to be allowed and not the entire folder.
Please tell me if I can give more useful information
Your question is a little confusing so I'm not sure if this will work, but it might give the right approach.
You have
<authorization>
<deny users="?"/>
<allow users="*"/> <!-- this allows everyone everywhere, overriding the previous line. -->
</authorization>
Remove the allow line, blocking everyone from everything
<authorization>
<deny users="?"/>
</authorization>
Then allow a specific folder
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Or, you can have 2 web.config files.
Start with this in the root of your site
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Then add another web.config file in the Account/ directory that has
<!--Block everyone from everything in this directory-->
<authorization>
<deny users="?"/>
</authorization>
<!--But allow a specific file-->
<location path="Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Hth.
Related
I would like to deny anonymous users access to the folder 'test' but exclude and allow access to a file 'webform1' inside the test folder. Why does this not work?
<location path="test">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Here is a link to a sample webforms project https://github.com/uselesshasid/StackOverflow_Question_38597397
This is probably a bug in ASP.NET, with the way it handles authorization when friendly URLs are used.
I changed the web.config to define both versions of the file URL, and it works.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have a test site on the web that I want to block all anonymous access to except logged in users. I also want to have anonymous access to just my login page (account/login).
I don't know how to exclude one path but even the below does not work, forgetting about the path.
<location path="">
<system.web>
<authorization>
<deny users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
Ideally, the following web.config setting should work. Make sure you update two Login.aspx with your login page.
It basically does not allow anonymous access except to the Login page.
<configuration>
<system.web>
...
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*" />
</authorization>
</system.web>
<location path="~/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I have a folder that is restricted and only for logged-in users. So I wrote these lines:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However there is a single file on which I do not want to put any restrictions. What settings should I configure in location tag?
Please don't tell me to move that particular file out of the folder because that is not possible because it is being referenced at many places and I don't want to get messed up.
Try adding the page you want no restrictions on, like this:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="ABC/SomeFile.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In the project there is a folder named customer, and inside it there is a file named register.aspx. In web.config I have the configuration as follows:
<location path="Customer">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Customer/Register.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Even though I have authorized register.aspx for unauthorized users, it is still expecting authorization. Can anybody explain it?
You have to create a Web.Config file in Customer folder and add
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Try switching order of those location nodes. Put allow Register first, and deny Customer second.
I have an ASP.NET app using Ajaxpro and forms authentication. First I was having trouble trying to avoid passing the ajaxpro handlers through authorization, which was resolved when I included them on separate locations on the web.config:
<location path="ajaxpro/prototype.ashx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="ajaxpro/core.ashx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="ajaxpro/converter.ashx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
However, I'm still getting 401 errors when I try to access our AjaxMethods. I even tried to put our types under the following configuration:
<location path="ajaxpro/MyType,MyAssembly.ashx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
but that didn't work properly, and I'm still getting 401 responses in some particular cases: I realized that when my requests have some query string values, this setting isn't working.
I wish I could do something like path="ajaxpro/*", but it seems like that is not possible. Does anyone have other ideas?
You should be able to specify the location with folder name only like this:
<location path="ajaxpro">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
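How the authorization rules quoted throughout this page combine, as an added example that is not from any of the posts: a simplified Python model of ASP.NET URL authorization, where the most specific matching location is consulted first, the first matching rule inside it decides, and the machine-level default is allow. It assumes a single web.config and ignores roles and verbs; the sample config, the function names and the user name "alice" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the rules quoted on this page.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization><deny users="?"/><allow users="*"/></authorization>
  </system.web>
  <location path="Account/Login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="ABC">
    <system.web><authorization><deny users="?"/><allow users="*"/></authorization></system.web>
  </location>
  <location path="ABC/SomeFile.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
</configuration>
"""

def load_scopes(xml_text):
    """Map each scope ('' = site root, else the location path) to its ordered rules."""
    root = ET.fromstring(xml_text)
    nodes = [("", root)] + [(loc.get("path", "").strip("/").lower(), loc)
                            for loc in root.findall("location")]
    scopes = {}
    for path, node in nodes:
        auth = node.find("system.web/authorization")
        if auth is not None:
            scopes[path] = [(r.tag, r.get("users", "")) for r in auth
                            if r.tag in ("allow", "deny")]
    return scopes

def rule_matches(users, user):
    """user is None for an anonymous request, otherwise the login name."""
    names = [u.strip().lower() for u in users.split(",")]
    if "*" in names or ("?" in names and user is None):
        return True
    return user is not None and user.lower() in names

def is_allowed(scopes, request_path, user=None):
    """Most specific scope first; inside a scope, the first matching rule decides."""
    req = request_path.strip("/").lower()
    hits = [p for p in scopes if p == "" or req == p or req.startswith(p + "/")]
    for scope in sorted(hits, key=len, reverse=True):
        for action, users in scopes[scope]:
            if rule_matches(users, user):
                return action == "allow"
    return True  # assumed machine-level default of <allow users="*"/>

def anonymous_paths(scopes, paths):
    """Audit helper: which of the given paths can an anonymous visitor reach?"""
    return [p for p in paths if is_allowed(scopes, p, user=None)]
```

Running anonymous_paths over a site's page list gives a quick review of what is reachable without logging in before the config is deployed.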