please bear with me: i am pretty new to all of this
i am working on integrating openid connect with a pair of applications developed by the company.
we are using custom/company specific openid connect libraries that are, i think, essentially wrappers around Microsoft.Owin.Security.OpenIdConnect and Owin.Security.OpenIdConnect.Server
in the idP application web.config, we have something like:
<location path="." inheritInChildApplications="false">
<authentication mode="Forms">
<forms loginUrl="~/Login" name="{....}" protection="All" path="/" slidingExpiration="true" requireSSL="false" defaultUrl="~/Home" cookieless="UseCookies" />
</authentication>
<authorization>
<deny users="?" />
<!-- denies anonymous users to all pages, except those defined under location nodes -->
</authorization>
</location>
plus a bunch of location nodes to allow/deny access to specific pages/resources
the problem is that when the openid connect stuff tries to access /.well-known/openid-configuration when the user is not logged in (or, it seems in the process of logging in),
the response is a 302 redirect to the login page
obviously this is causing problems when a JSON response is expected
i have tried adding a location node to the web.config:
<location path= "~/.well-known/openid-configuration">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
(i also tried with path = "~/.well-known")
but i am still getting redirected to the login page
to be clear, there is no actual directory /.well-known in the idP application; the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server.
the file seems to be constructed somewhere in Owin.Security.OpenIdConnect.Server
Yes, it is.
Try calling app.UseStageMarker(PipelineStage.Authenticate) immediately after registering the OIDC server middleware to prevent ASP.NET from applying the authorization policies before it has a chance to be invoked:
app.UseOpenIdConnectServer(options => {
options.AllowInsecureHttp = true;
});
app.UseStageMarker(PipelineStage.Authenticate);
Note that you shouldn't need an exception for ~/.well-known/openid-configuration in your web.config when using app.UseStageMarker().
I'm fairly new too but I think you a path to a .aspx page in the location and the rest is inherited.Just change deny to allow users with the asterix. Also make sure the web.config is in the directory. Sounds like you do but in well-known should be the web.config with allow all users.
<?xml version="1.0"?>
<configuration>
<location path="Manage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Related
I have an ASP.NET 4.5 / C# site where I am trying to do the following. When users hit the root of the site, www.blah.com, they should be redirected to Default.aspx. This page is open and does not require login. There is a link on this page if they would like to login. However, I need to automatically redirect them to login if they try to access other pages. Some are open to all and some are not. I'm cool with assigning permissions via roles per page or per folder. The issue I have is with Default.aspx.
If a user comes to my site by typing: www.blah.com/Default.aspx then the page comes up with no redirect for a login.
If a user comes to my site by typing: www.blah.com/Admin.aspx then they are redirected to login.
My life is good so far, but...
If a user comes to my site by typing: www.blah.com then they are redirected to login instead of just loading Default.aspx. Here is the relevant web.config.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users= "?"/>
</authorization>
<system.web>
I assume my specific permission on Default.aspx overrides the generalized deny. Again, this appears to work. The issue I have is the automatic redirect to Default.aspx when someone hits the root of my site, www.blah.com.
As always, thanks!
update
I have moved everything into one of 3 directories: _public, _private, _admin. Let's not worry about _admin for now. Here is how my web.config is set up:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
.
.
.
<location path="_public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="_private">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
.
.
.
<forms name=".ASPXFORMSAUTH" loginUrl="~/_public/Login.aspx" defaultUrl="~/_private/landingPage.aspx" slidingExpiration="true" path="/" />
I am still doing something wrong. Shouldn't my users come to ~/_public/Default.aspx when they hit www.blah.com? Now it is telling me I don't have a default page specified.
Also, regarding the defaultUrl property of the forms tag. How does this tie in with the DestinationPageUrl of my login control?
Thx!
update
I updated the paths in the location tag to "~/folder" instead of "folder". Now instead of an error is just keeps taking me to the login screen. I don't have another authorization tag in the root of web.config, but I am handling the subfolders from the main web.config instead of putting a separate file in each subfolder.
Thank you all for the detailed replies. They were all very helpful and let me to a better overall solution. However, the root of my issue was something very small and annoying. Take a look at my default page again:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
Notice the path in the value. I experimented with this and found that if I lead with a tilde or a forward slash that this value is completely ignored. Once I specified it as "_public/Default.aspx" everything else fell into place and worked as expected.
I did change a few things up though. I am using three subfolders for pages: _public, _private, and _admin. _public is for anyone, _private is for anyone authenticated, and _admin is for those with special privs. I want to mention that I DO NOT have any Default.aspx file in the root of my website whatsoever. To verify the way I was specifying the path in the web.config was wrong, I have tried switching it back with exactly the same failure.
I'm curious if anyone has spotted this, and do you see it as inconsistent? Most everywhere else in my web.config I can specify a path from root by beginning with a tilde.
So, my site acts as expected...anonymous users hitting public pages works fine. Hitting private or admin pages redirects to login. Once logged in, if you were trying to get to a specific page you go there...if not, you are redirected via the defaulturl in the forms tag. Most importantly, when you type in the name of the site with no page specified, you are taken to the default page...which should have been the simplest part of it all if not for the syntax issue. So there it is....doh!
I would recommend making a landing page that will be the result of the root URL being typed in by the user.
The issue you are seeing is that default.aspx is the default document for a root URL request in IIS and is also the defaultUrl for your Forms Authentication.
Create a Landing.aspx page that has whatever message you want, link to log-in, etc.
Now make this Landing.aspx be the first default document in IIS (make sure it is before default.aspx in the list) so that a root URL request will redirect to Landing.aspx and not get involved with the Forms Authentication at all.
Also, add a <location> entry in web.config to allow all users access to the Landing.aspx page:
<location path="Landing.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
If you want to restrict users to folders, you want to create *web.config*s inside each folder (which is a lot easier to maintain than added all in main web.config).
Note: for good design practice (in traditional ASP.Net), you want to place Admin.aspx inside a separate folder. Same for user pages too which required login.
Here is an example -
Main web.config
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<system.web>
Users/web.config
Deny anonymous access. In other words, user is required to login before accessing any pages inside User folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Admin/web.config
Deny everyone except users in Administrator role.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
try the following:
Create a folder for example admin and put the Login.aspx there
Set authentication to forms
<authentication mode="Forms">
<forms name="HIVLogin" loginUrl="~/admin/Login.aspx" timeout="20" protection="All"/>
</authentication>
then under system.web
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<allow users="Admin" />
<deny users="*" />
</authorization>
</system.web>
There is no need to write any code to set a page as your default page in ASP.NET. Got to Solution Explorer and right click on the page you like to set as default and click on Set As Start Page.
You need to add following mappings under section<system.web>.
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/Default.aspx" />
</urlMappings>
This will redirect to default.aspx when you browse root url i.e www.domain.com or localhost.
Thanks.
I spent about 6 hours debugging the issue. Our website was working fine, and suddenly it started redirecting to login page instead of default page (unauthenticated). Our web.config included all authentication/authorization settings correctly.
<authentication mode="Forms">
<forms name="MyAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.htm" />
</files>
</defaultDocument>
...
</system.webServer>
<location path="default.htm">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
...
SOLUTION: You need to remove Extensionless URL feature from your website. Ref: https://support.microsoft.com/en-us/help/2526854/users-may-be-redirected-to-the-login-page-of-an-asp-net-4-application
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
After the fix, the website was back to normal.
I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users is getting access to the page.
Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.
This is what I've done:
//Web Config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1 the user don't get access even when prompted with a login request. The login windows dialog boks just keep on popping up 3times with even if the used have access. making it deny ? (anonymous) allows everybody to have access, even if I take out the deny and only have the allow tag with USER1 the rest of the users still have access... I'm running locally now, but even on the IIS when setting the authentication on there with (windows and basic authentication) does exactly the same....
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
In my main web.cofin in the root of the application I have set authentication mode to windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
On your question you said you have a folder name but on the web.config you have given only the file name on the path. Use the foldername/filename.aspx like below. Use deny users="*" instead of deny users="?'
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<authentication mode="Windows" />
</authorization>
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />
I worked long time back on a website and it has been working fine, recently a problem has been reported, which I need to go through.
In my site there is a folder named repository, which contains files like word and PDF documents and ideally only logged in users are allowed to download them but now it has been observed that anyone who is not logged into the website, can even also download them :(
Is there any wayout to handle it without moving the folder out of the web directory? Like making that folder password protected and only my pages can access the content, any code sample or link will be of high use.
My web application is in ASP.NET 2.0 with C# and server has IIS 6.0.
Thanks in Advance
Edit:
My Web.Config has these tags in it:
<authentication mode="Forms">
<forms slidingExpiration="true" loginUrl="Login.aspx" defaultUrl="HomePage.aspx" name=".ASPXMAIN" timeout="30">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
Use the <location /> tags in the web.config, http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx
<location path="content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See this answer for more links to msdn documentation: https://stackoverflow.com/a/4280257/426894
You can try with this config in your Web.config (location permit you to define path)
This sample use roles in order to design profil.
Also use users in order to design user.
<location path="~/MembersOnly" >
<system.web>
<authorization>
<allow roles="Members"/>
<deny users="?" />
</authorization>
</system.web>
</location>
Hi I'm using the authorization tag to lock down my site to anonymous people. I've put the code below
<system.web>
<roleManager enabled="true" />
<authentication mode="Forms">
<forms loginUrl="~/webPages/Login.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
However now I need to allow anonymous users to access specific other pages (register.aspx etc...) how can I open those pages without undoing the lock on the rest of the site?
Thanks Chris - I've tried this but for some reason it only works on pages in the home folder but nothing deeper. This actually causes problems because it's not even registering the css files because they're off limits
Ah I was using a path like "~/styles" now that I took the "~/" out, its working.
Thanks allot vcsJones
You can accomplish by adding location elements (outside the system.web element):
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I wanted to use FormsAuthentication to secure my static files as well on my site, so I followed the instructions located here http://learn.iis.net/page.aspx/244/how-to-take-advantage-of-the-iis7-integrated-pipeline/ under title "Enabling Forms Authentication for the Entire Application".
Now though, when I try to visit the site by going directly to http://www.mysite.com I get redirected to http://www.mysite.com/Login.aspx?ReturnUrl=%2f instead of it using my DefaultDocument I have set. I can go to my default document by just visiting http://www.mysite.com/Home.aspx without any issues because it is set to allow anonymous access.
Is there something I need to add into my web.config file to make iis7 allow anonymous access to the root? I tried adding with anonymous access but no such luck.
Any help would be much appreciated.
Both Home and the Login form allow anonymous.
<location path="Home.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Login form is set as the loginUrl
<authentication mode="Forms">
<forms protection="All" loginUrl="Login.aspx">
</forms>
</authentication>
Default document is set as Home.aspx
<defaultDocument>
<files>
<add value="Home.aspx" />
</files>
</defaultDocument>
I have not removed any of the iis7 default documents. However, Home.aspx is first in the priority.
Take a look: Allowing anonymous access to default page
Did you try this:
<authorization>
<allow users="?" />
</authorization>
I think that will fix it.