I have a web.config file, which I want to transform using SlowCheetah. The relevant fragment looks like this:
<configuration>
<location path="ui/cms">
<system.web>
<authorization>
<allow roles="AAA" />
</authorization>
</system.web>
</location>
<location path="WebServices">
<system.web>
<authorization>
<allow roles="BBB" />
</authorization>
</system.web>
</location>
</configuration>
I want to transform value BBB to CCC, so I wrote my Web.CCC.config transformation file:
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices">
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, it results in CCC being inserted into <location path="ui/cms"> instead of <location path="WebServices"> - probably because it is the first one it locates in my web.config file.
How can I make SlowCheetah notice the different path parameter, and replace the correct node in my xml file?
As it turns out, this can be obtained using xdt:Locator in a transformation file.
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices" xdt:Locator="Match(path)">
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Hope it helps anyone. Rubber duck debugging seems to work even with SO.
I'm probably missing something easy here, but I have an ASP.NET website that uses Identity and roles, and I'm trying to restrict access to a folder containing some MP4 videos so that anonymous users cannot see direct links to those videos.
I had this in my web.config for the folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
The asp:LoginView control works fine with this setup, but the videos return a 401 error.
I tried this as well with the same result:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
If I remove everything from the authorization tag, then it works so I know all the paths are right and something about the authorization setup is preventing it from serving that video.
I also tried calling out the Files directory individually like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, this makes it so that I can access the video link even when not logged in (which is what I am trying to prevent).
If I try to do a role based setup for the Files subfolder like this (which I don't think should be any different from the first version) then I'm back to getting a 401 on the video, even when logged in:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
What am I missing here?
I modified my answer. I think the following is what you are looking for:
How to prevent anonymous users from accessing a file using forms authentication?
When I use:
<deny users="?"/>
in the "authorization" tags, CSS stops working for unauthorized visitors. How can I define an exception for CSS files? I want them to apply to all visitors.
This is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
I did edit my web.config to this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
<location path="styles">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="styles/welcome.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
And it's working.
Thank you.
Add the location of your CSS to your web.config. You can put it completely at the end, just before the </configuration>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Of course, change "css" to the real folder of your css file... It is the easiest to put it in a separate folder where all items are public. Just like your images etc.
You are probably blocking access to the folder where you store css files.
Try to allow everybody to access your css-folder even if they are not authorized.
You can use the Location element to define which part of your site the configuration applies to:
(from MSDN)
<location allowOverride="True|False" path="path" />
Heey Stackoverflowers
My question is: how do I protect a Page using web.config or Global.asax?
Example:
Direct URL www.Yoururlhere.com/Account/Edit.aspx is currently accessible from the URL bar, but that is not what I want. I have a login page already with database etc. working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as follows:
<?xml version="1.0"?>
<configuration>
<system.web>
<location path="Edit.aspx"/>
</system.web>
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You are writing in the wrong way. It should be like...
<configuration>
<location path="Account/Edit.aspx">
<system.web>
<authorization>
<!-- Rules are evaluated in order and the first match wins, so the deny comes first. -->
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
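ASP.NET URL authorization checks the rules inside an `<authorization>` block from top to bottom and applies the first one that matches, so the order of `allow` and `deny` decides who gets in. The following is an added example, not code from any of the posts: a small Python audit that reports which scopes admit anonymous requests and which rules can never fire. `SAMPLE` is a constructed web.config and all function names are hypothetical; the `verbs` attribute and inheritance from parent scopes are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample reusing rule shapes quoted on this page.
SAMPLE = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="styles"><system.web><authorization>
    <allow users="*"/></authorization></system.web></location>
  <location path="Account/Edit.aspx"><system.web><authorization>
    <allow users="*"/><deny users="?"/></authorization></system.web></location>
  <location path="Forms/Seguridad"><system.web><authorization>
    <allow roles="Administrador"/><deny users="*"/></authorization></system.web></location>
</configuration>"""

def rules_by_path(xml_text):
    """Map each scope ('' = root of this file) to its ordered (verb, attrs) rules."""
    root = ET.fromstring(xml_text)
    scopes = [("", root)] + [(loc.get("path", ""), loc) for loc in root.findall("location")]
    found = ((p, n.find("system.web/authorization")) for p, n in scopes)
    return {p: [(r.tag, dict(r.attrib)) for r in a] for p, a in found if a is not None}

def _names(value):
    return {n.strip() for n in value.split(",") if n.strip()}

def matches(attrs, user, roles):
    """Does one rule apply to this identity? user=None is an anonymous request."""
    users = _names(attrs.get("users", ""))
    if "*" in users or (user is None and "?" in users):
        return True
    in_role = bool(_names(attrs.get("roles", "")) & set(roles))
    return user is not None and (user in users or in_role)

def decide(rules, user=None, roles=()):
    """First matching rule wins; None means nothing matched and the parent scope decides."""
    return next((verb for verb, attrs in rules if matches(attrs, user, roles)), None)

def anonymous_allowed(xml_text):
    """Scopes whose own rules let an anonymous request through."""
    return sorted(p for p, r in rules_by_path(xml_text).items() if decide(r) == "allow")

def unreachable(xml_text):
    """(scope, verb) for rules listed after a users="*" rule, which can never fire."""
    found = []
    for path, rules in rules_by_path(xml_text).items():
        star = next((i for i, (_, a) in enumerate(rules) if "*" in _names(a.get("users", ""))), None)
        if star is not None:
            found += [(path, verb) for verb, _ in rules[star + 1:]]
    return found
```

On the sample, `Account/Edit.aspx` is reported as open to anonymous users because its `allow users="*"` precedes the `deny users="?"`, and that `deny` is listed as unreachable.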
In my ASP.NET's Web Config file I have the following location elements defined:
<location path="">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="dir1">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="dir2">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
The example above is specifying that all directories will be locked down to anonymous users except the two directories dir1 and dir2.
I'm curious if there is a syntax that I can use that will allow me to define more than one directory within one location element. For example, it would be convenient if we could do something like this...
<location path="dir1,dir2,etc">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
You cannot specify multiple elements in the path attribute, but you can make use of the configSource attribute.
For example, the following original web.config file:
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can be replaced by the following equivalent web.config, allow.config, and deny.config files:
web.config
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
</configuration>
allow.config
<?xml version="1.0"?>
<authorization>
<allow users="*"/>
</authorization>
deny.config
<?xml version="1.0"?>
<authorization>
<deny users="*"/>
</authorization>
The usefulness of this approach increases as the number of allow/deny rules in each section increases.
Sorry, but the path property doesn't allow the use of ",",
so you must write a tag for each path,
or you can create a web.config in each directory.
It is possible to set path to a specific folder.
For example we have some aspx pages:
/data/pages/form1.aspx
/data/pages/form2.aspx
/data/pages/form3.aspx
By creating this rule in web.config:
<location path="data/pages">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
All resources in data/pages will be affected.
I had a similar issue, so I went with the normal way of creating separate tags; no other BETTER solution.
Does anyone know of a good link that explains how to use the web.config?
For example, I am using forms authentication, and I notice there is a system.web, which is then closed with /system.web, and then below, within configuration, there are additional location tags.
Here is an example. If you notice, there is an authentication mode=forms with authorization; I presume this is the ROOT. It is also self-contained within a system.web. Below this there are more location= with system.web tags.
I have never really understood what I am actually doing. I have tried checking the MSDN documentation, but I still don't fully understand it.
Can anyone help?
If you notice with my example, everything is stored in 1 web.config. I thought the standard was to create a standard web.config and then create another web.config in the directory that I wish to protect?
<configuration>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" cookieless="UseCookies" timeout="60"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="Forms">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Forms/Seguridad">
<system.web>
<authorization>
<allow roles="Administrador"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Standard entries (web.config is extensible) are well documented therein.
http://msdn.microsoft.com/en-us/library/aa719558.aspx
is a good start.
It is - as should be obvious - XML based, btw.
You can place the following web.config file in Forms/Seguridad:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>