How to set startup page in IIS - asp.net

I have an ASP.NET web application. I want to allow only authenticated users into this application. Any anonymous users should get an access denied error or be redirected to the login page. So I added the “Authorization” element in the config file to deny all anonymous users. I excluded the login.aspx page so anonymous users can access it.
<system.web>
  <authentication mode="None" />
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
NOTE: This application uses Azure AD for authentication; that's why you see authentication mode="None". When a user accesses the login page, it just redirects the user to the Azure site for authentication. This authentication piece is working fine.
Questions
1. Consider my application is hosted in local IIS. Since only login.aspx is excluded from authorization, if I type http://localhost I get an access denied error. I have to explicitly type http://localhost/login.aspx to log in. How do I change this so that when I type http://localhost IIS will redirect to http://localhost/login.aspx? (I have already tried setting login.aspx as the first page under Default Document in IIS.)
2. What configuration do I need so that if an anonymous user tries to access any resource under http://localhost he gets redirected to http://localhost/login.aspx? (This would also take care of the 1st question.)

Add your startup page name in the Default Document option:

Open IIS (Internet Information Services) Manager
Select “Default Document”
Add your file path to be homepage

Related

How to provide access only to authenticated user to particular folder in asp.net?

I am working on an ASP.NET web application hosted on IIS 7.
I have to provide access only to authenticated users to a particular list of PDFs kept in a folder "PdfFiles" in the root directory.
I was trying the configuration settings below in web.config, but they did not work; with this setting the folder is still accessible to all users. I have forms authentication enabled for this site.
<location path="PdfFiles">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Also, I noticed that anonymous authentication was enabled for the "PdfFiles" folder in IIS. If I disable this, it does not allow any user, authenticated or anonymous, to access the PDFs.
So neither the configuration change nor the IIS change worked. Can anyone help me out with this issue?

ASP.NET authorize by page

I have these settings in my web.config file. Only two authorization tags. One to deny anonymous users and another for the register page so anyone can access it. How can I achieve that?
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <!--Deny access to unauthorized users-->
    </authorization>
    ...
  </system.web>
  <location path="Account/Register.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
These settings above give me the following error when I click on the Register button.
Access is denied.
Description: An error occurred while accessing the resources required
to serve this request. The server may not be configured for access to
the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server
configuration. Verify that you have permission to view this directory
or page based on the credentials you supplied and the authentication
methods enabled on the Web server. Contact the Web server's
administrator for additional assistance.
The login page is accessible. I have a user in the web.config to test and it works fine. I can log in and access all pages. But how can I make the register page accessible?
You are right #Seyed Morteza Mousavi, my problem was in the register link!
The default looked like this when I created the site.
<asp:HyperLink runat="server" ID="RegisterHyperLink" ViewStateMode="Disabled">Register</asp:HyperLink> if you don't have an account.
I changed it to be this.
<asp:LinkButton runat="server" ID="lnkRegister" PostBackUrl="~/Account/Register.aspx" CausesValidation="false">Register</asp:LinkButton> if you don't have an account.
It works now. I don't know why the default one doesn't work, but I don't care anymore. Also, the Register link in the Site.Master next to the Login link does not work. It keeps redirecting to the Login page! Again, not sure why. But this is OK for now.

Stopping Non-Users from Accessing Static Resources

I'm working on restricting access of static PDF files to only logged-in users. I only want to use a server-side redirect from the resource when a request comes that doesn't have the proper credentials.
I could use an IHttpHandler and set the path value, but I don't want to have to hand-serve the file. I would like requests from logged-in users to pass straight through, more like an IHttpModule, except I can't set a path to restrict the files that the module will act on.
Is there a way to pass requests through a handler, or limit the path of a module?
EDIT
It may also be useful to note that I want to redirect the user to a login page with a specific query string parameter redirecting the user back to the resource if login is successful.
If these are really static resources (exist on disk) then you could just stick them in a folder and restrict that folder using a location element in the web.config
<location path="MyPDFs">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
This will prevent any unauthorized users from being able to access any files located in the MyPDFs folder within your site.
If you only want a subset of those files, then you can create a sub directory, and secure it in a similar fashion.
<location path="PDF/SecureSubDirectory">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
UPDATE:
It may also be useful to note that I want to redirect the user to a
login page with a specific query string parameter redirecting the user
back to the resource if login is successful.
This is all handled for you by default when using Forms Authentication in ASP.NET.
Any request for a resource that fails because a user is not yet authenticated will automatically be redirected to the configured login page defined in your web.config.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>
It appends a query string parameter that refers to the originally requested resource. Once the user successfully authenticates, they are redirected back to the URL they originally requested.
All this is baked into the framework :)

Authorization settings for a folder in ASP.NET

I have an ASP.NET web site. I want to restrict all users from accessing a folder named "log", and I have this element in web.config:
<location path="log">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
and this element before it in system.web:
<authorization>
  <allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
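An added example (not part of the original answer) of the Request Filtering approach for the `log` folder, placed in the site's root web.config on IIS 7 or later. It keeps the question's ASP.NET rules for comparison; note that a `hiddenSegments` entry matches a path segment named `log` anywhere in the site's URLs, not only the top-level folder.

```xml
<configuration>
  <system.web>
    <!-- ASP.NET URL authorization: applies only to requests that ASP.NET
         handles. As the answer above notes, .txt is not one of them by
         default, so /log/log.txt is still served. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="log">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <security>
      <!-- IIS Request Filtering: rejects any URL containing a path segment
           named "log" before a handler is selected, static files included.
           IIS responds with 404.8 (hidden namespace). -->
      <requestFiltering>
        <hiddenSegments>
          <add segment="log" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```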
To avoid this confusion, I usually create one web.config file in each of the directories where I need to set different permissions.
If you place a web.config file inside your log folder it will work OK (and it will become easier to check the applied permissions at the folder).
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single authentication mode for one application.
The different applications CANNOT share resources among them.
Scenario
Let's say the home page should not prompt a login dialog. It should let users pass through without any login. However, in the same application, presumably in a different folder, another page needs to check user permission against a database table using the user's network login ID. By default IE treats all web sites with only a hostname as Intranet. With its default intranet setting, it will not prompt the login dialog and will pass the user login and password to the application if Windows Authentication is used. However, the tricky part is that if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.
The only way not to prompt the login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in a Location element in web.config.
1. In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2. Add the following to Web.config.
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

Add authentication to subfolders without creating a web application

We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
Remove the application, then add this to the top-level web.config:
<configuration>
  <system.web>
    <!-- applies application wide -->
  </system.web>
  <location path="securedirectory" allowOverride="false">
    <system.web>
      <!-- applies only to the path specified -->
    </system.web>
  </location>
</configuration>
MSDN Reference
