Login page not redirecting properly - asp.net

I have created 2 folders in my asp.net project. (Account and AdminFolder)
I want to restrict the Register.aspx page to Admin users only.
My Login.aspx page is in the Account folder and I have included a web.config in that folder with the following code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
I have placed the Register.aspx file in the AdminFolder with the following web.config code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
In testing this approach out, I have tried to launch the application by going directly to the Register.aspx file. As expected, I am redirected to the Login.aspx page.
The url showing up in the browser is
http://localhost:49319/Account/Login.aspx?ReturnUrl=%2fAdminFolder%2fRegister.aspx
I log in as an Admin user and I can see that I am logged in, as my header hyperlink changes to logout. (I can also navigate to other files in Account to confirm I am logged in.) However, the application remains at the login page instead of redirecting to the Register.aspx page.
I expected to be redirected to the Register.aspx page when login was successful.
Even once I am logged in as Admin user, I am unable to navigate directly to the Register.aspx page. I am redirected to Login.aspx.
I confirmed (by way of my SQL Server database) that the user in my test case is in the Admin role.
Can anyone nudge me in the right direction here? Thanks in advance for your time and consideration.

Try changing your web.config in AdminFolder to:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Typically that is the RoleName as it appears in the DB.

I see my error. I was allowing Admin role and then denying all roles (which would include Admin). I should have used the following in AdminFolder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Thanks for all the feedback.
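A simplified model of how ASP.NET URL authorization selects a rule (first match wins, most local web.config first, built-in default `<allow users="*"/>` last), run against the two AdminFolder rule sets from the thread above. It is an added example, not code from any of the posts; the user names, the `Member` role and the absence of parent rules for AdminFolder are assumptions.

```python
import xml.etree.ElementTree as ET

# The two AdminFolder rule sets quoted in the thread above.
ALLOW_ADMIN_DENY_ALL = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
ALLOW_ADMIN_DENY_ANON = '<authorization><allow roles="Admin"/><deny users="?"/></authorization>'
# Assumption: no parent web.config adds rules for AdminFolder, so the chain
# ends at the framework's built-in default rule.
BUILT_IN_DEFAULT = '<authorization><allow users="*"/></authorization>'


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    def items(value):
        return [v.strip().lower() for v in value.split(",") if v.strip()]
    return [(el.tag, items(el.get("users", "")), items(el.get("roles", "")))
            for el in ET.fromstring(xml_text)]


def rule_matches(users, roles, name, user_roles):
    """name is None for an anonymous request; comparisons ignore case."""
    if "*" in users or ("?" in users and name is None):
        return True
    if name is not None and name.lower() in users:
        return True
    return any(r.lower() in roles for r in user_roles)


def is_allowed(config_chain, name, user_roles=()):
    """First matching rule wins; the most local config is searched first."""
    for xml_text in config_chain:
        for action, users, roles in parse_rules(xml_text):
            if rule_matches(users, roles, name, user_roles):
                return action == "allow"
    return False  # no rule matched anywhere in the chain


def access_table(folder_rules):
    """Decision for four constructed requests against AdminFolder."""
    chain = [folder_rules, BUILT_IN_DEFAULT]
    return {
        "anonymous": is_allowed(chain, None),
        "member without Admin role": is_allowed(chain, "bob", ["Member"]),
        "user in role Admin": is_allowed(chain, "alice", ["Admin"]),
        "user in role Administrator": is_allowed(chain, "carol", ["Administrator"]),
    }


if __name__ == "__main__":
    for label, rules in (("deny *", ALLOW_ADMIN_DENY_ALL), ("deny ?", ALLOW_ADMIN_DENY_ANON)):
        print(label, access_table(rules))
```

Under the stated assumption, the `deny users="?"` rule set turns away only anonymous requests, so any authenticated account falls through to the default allow; a folder meant for a single role needs a closing `<deny users="*"/>` somewhere in its rule chain.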

Related

Authorization of users in asp.net identity and redirect to login page

I'm using asp.net identity and have a problem with unauthorized users being redirected to the login page.
I mean unauthorized users aren't redirected to the login page.
Please help.
Seeing as you haven't provided much info I'm assuming you've got a folder SomeFolder which contains Member only pages. In that folder have a web.config file and use the code below
So you want something like
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
<deny users="?"/> means deny unauthenticated users

Login page being hit 3 times

I am baffled by this. I have a master page on top of a few pages, one of them is a login page. Here is a sample of web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
...
<location path="~/Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
From Default.aspx, I access About.aspx which requires a login. The About.aspx never gets hit, instead Login.aspx gets hit, then Site.master, then login again, then site.master again, and finally login.aspx, and master.aspx. Three times! ... Login-> Master are being hit 3 times! ... now... if I change the line of code from Web.config from
<location path="~/Account/Login.aspx">
to
<location path="Account">
Login->Master only get hit once. There is nothing else besides login.aspx/cs/designer in the Account folder. Why is this happening? I would like to control pages in the Account folder when I add more and not just lift the access to them all, but even
<location path="Account/Login.aspx">
(removed "~/") didn't do anything. Any help would be greatly appreciated.
You should allow all access to your MasterPage similar to how you allow anyone access to your Login page.
It will not be served up on its own and doesn't need to be secured since the page that uses it should be locked down. Normally I have the root unsecured which has the login pages, master pages, about etc. I then have a secured area that has pages that use the master page from the root.

Show images on login form in Forms Authentication

I am creating a login page using forms authentication method.
I have inserted an image in the login page, but the image is not visible in the browser, although it is visible in design view in Visual Studio.
I think there is an issue with anonymous users accessing the image directory. I have used the following code in Web.config
<location path="/images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
I have solved it. I have added a Web.config with the following code in the images and css folders to give them anonymous access.
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

Error 401.1 when trying to login

I have a folder inside my web application which requires a login. In web.config I have the following:
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
I can't log in; it always displays the login dialog box even though the credentials are correct.
Any ideas, anyone?
Here was the answer:
iis 7 disable windows auth

How to allow anonymous user to browse the Style folder

In my web application I want the anonymous user to browse only the login page, and It's OK now but it appears without style!
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="Style">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Any help!
From this article:
Images and CSS files
Say you have all your images and CSS in a separate folder called images and you are denying anonymous access to your website. In that case you might see that on your login page you cannot see images (if any) and css (if any) applied to your login page controls.
In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in images folder should look as below:
<configuration>
<system.web>
<authorization>
<allow users="*"/> <!-- Allow everyone -->
</authorization>
</system.web>
</configuration>
The most popular answer of:
<configuration>
<system.web>
<authorization>
<allow users="*"/> <!-- Allow everyone -->
</authorization>
</system.web>
</configuration>
...is correct, but if this fails to work then you need to verify that authentication is set up as you expect and that the user under which Anonymous is configured to run has read access to all of the folders you need.
NOTE: If you have multiple web.configs you may need to check each folder with its own web.config.
Check the Web Application
Open the "IIS/Authentication" for your web application and click "edit" on the entry marked "Anonymous Authentication".
If a specific user is specified then ensure that the specified user has access to your folders.
If "Application pool identity" is set then you will need to check the application pool configuration.
Check the Application Pool
Find the Application Pool for your app and click on "Advanced Settings" and search for the item named "Identity".
If the identity is "ApplicationPoolIdentity" then the group you will need to give access to your files is "IIS_IUSRS".
For more information on "IIS_IUSRS" please see: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/
use
<allow users="*" />
for styles folder, so every user can use the style.
using
<location path="admin">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
you can allow access to Admin folder for only authenticated users.
