IIS7 Authorization rules with custom role provider not working - asp.net

Can someone please tell me why my IIS subdirectory authorization rules are not working?
I suspect it's something to do with using a custom membership and role provider.
All users, anonymous AND users who are logged in get a 401.2 Unauthorized error for all files in the /users subdirectory.
I'm trying to restrict access to static files and asp.net pages in a subdirectory. I used the Authorization Rules button in IIS7 manager.
In /users it has created a web.config file with this section:
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="auth_users" />
</authorization>
</security>
</system.webServer>
In the web.config of the site root are these custom role and membership settings. The membership and role providers are working fine - users are added to the role; it's just the authorization rules that aren't working.
<roleManager enabled="true" defaultProvider="MyRoleProvider">
<providers>
<remove name="AspNetSqlRoleProvider" />
<add name="MyRoleProvider" type="System.Web.Security.SqlRoleProvider" applicationName="MyUsersApp" />
</providers>
</roleManager>
<membership defaultProvider="MyMembershipProvider">
<providers>
<remove name="AspNetSqlMembershipProvider" />
<add name="MyMembershipProvider" type="System.Web.Security.SqlMembershipProvider" applicationName="MyUsersApp" />
</providers>
</membership>

Still playing with this, it looks promising.. but I'm thinking there's probably a more elegant solution out there.
<location path="users">
<system.web>
<authorization>
<allow roles="auth_users" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="HTML" path="*.html" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
<add name="JS" path="*.js" verb="GET, HEAD, POST, DEBUG" type="System.Web.StaticFileHandler" />
<!--More static file types...-->
</handlers>
</system.webServer>
</location>

Related

How to deny HTTP methods (or verbs) for path in ASP.NET app

For security reasons I want to disable some HTTP methods (e.g. OPTIONS, TRACE, HEAD) at the application level. I want to do this for all files in the directory "bundles/".
But this path is actually created by this
bundles.Add(new Bundle("~/bundles/Something").Include("~/Contents/Scripts/file.js"));
bundles.Add(new Bundle("~/bundles/Anything").Include("~/Areas/Import/Scripts/App/anotherfile.js"));
For now I tried this (in Web.config):
<system.web>
<httpHandlers>
<add path="bundles/" verb="OPTIONS,TRACE,HEAD" type="System.Web.HttpMethodNotAllowedHandler" />
</httpHandlers>
</system.web>
but it doesn't work
So, I want the user to get a 405 Method Not Allowed when making OPTIONS, TRACE or HEAD requests for any link like myapp.com/bundles/example.
Thank you
I'd do it like this:
<system.web>
<authorization>
<deny verbs="OPTIONS" users="*" />
<deny verbs="TRACE" users="*" />
<deny verbs="HEAD" users="*" />
</authorization>
...
<httpHandlers>
<add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>
</httpHandlers>
</system.web>
Try this
<add path="bundles" verb="OPTIONS" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="TRACE" type="System.Web.DefaultHttpHandler" validate="true"/>
<add path="bundles" verb="HEAD" type="System.Web.DefaultHttpHandler" validate="true"/>

Configuration values for ASP.Net project

I am assigned to a new ASP.Net MVC 4.0 project. Traditionally, we used to add configuration values when the testing team raised new issues (e.g. globalization, maxQueryStringLength, machineKey). For this project, I am planning to take a new route: I am planning to add all the frequently used configuration values upfront. I created the following config values. What are the other most frequently used / common config values that are needed in an ASP.Net project?
system.web
<system.web>
<!--Culture-->
<globalization culture="en-US" uiCulture="en" />
<!--Remove Custom Errors Mode in Production-->
<customErrors mode="Off"/>
<!--Impersonate-->
<identity impersonate="true"/>
<!--Session Mode and Timeout-->
<sessionState mode="InProc" timeout="60" />
<!--maxQueryStringLength-->
<httpRuntime maxQueryStringLength="6000" />
<!--machineKey-->
<machineKey/>
<!--authentication-->
<authentication mode="Windows">
</authentication>
<!--authorization-->
<authorization>
<allow users="?" />
</authorization>
</system.web>
system.webServer
<system.webServer>
<security>
<requestFiltering>
<!--maxQueryString-->
<requestLimits maxQueryString="6000" />
</requestFiltering>
<!--IIS Setting for Authentication-->
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication>
<providers>
<clear />
<add value="NTLM" />
</providers>
</windowsAuthentication>
</authentication>
</security>
</system.webServer>
It is a good practice to add connection strings to web.config as well. Not sure whether you need to access data in this project, but if you do, then you need to add the following to the web.config file as well.
<connectionStrings>
<add name="myConnectionString" connectionString="server=localhost;Database=myDb;uid=myUser;password=myPass;" />
</connectionStrings>

ASP.Net WindowsTokenRoleProvider not matching Domain Groups

I am trying to use the default ASPNetWindowsToken provider to authorize users in an application in which I am using Windows impersonation to log users in. If I add an IsInRole check to the code-behind in the page load, I can see the user is in the proper roles, but when I add the authorization to the web.config, I am getting 401 unauthorized errors. Not sure if I am missing something or not, but any help you can give would be appreciated. Below is my web.config.
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" defaultRedirect="Error.aspx" redirectMode="ResponseRewrite" />
<profile>
<providers>
<clear />
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/" />
</providers>
</profile>
<authentication mode="Windows" />
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<authorization>
<deny users="?" />
<allow roles="DOMAIN\Group" />
</authorization>
</system.web>

My ASP.NET MVC2 application with Forms Authentication is blocking access even to Images, Styles and Scripts

I'm developing an MVC2 application and using Forms Authentication on it.
The scripts, images and styles are all blocked for users who are not logged in and, consequently, the login page looks awful.
It works well locally; the problem is when I publish to the server.
Does anyone have any idea WHY????
PS: The server IIS is version 7.5
My Web.config:
<configuration>
<system.web>
<globalization culture="pt-BR" uiCulture="pt-BR" />
<httpRuntime requestValidationMode="2.0"/>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="Admin.Models" />
</namespaces>
</pages>
<authentication mode="Forms">
<forms name="AGAuth" loginUrl="~/Home/Login" timeout="120" />
</authentication>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<connectionStrings>
<add name="DBContainer" connectionString="metadata=res://*/Database.DB.csdl|res://*/Database.DB.ssdl|res://*/Database.DB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=thewebserver.com,5158;Initial Catalog=thedatabase;Persist Security Info=True;User ID=theuser;Password=thepassword;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>
Add a web.config to the scripts, images and styles folders telling asp.net to allow access to all users (make sure you don't have anything in there that you don't want anonymous users to have access to):
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
As for the reason, the following is telling IIS to let asp.net process all the requests:
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
I had exactly the same problem.
The cause turned out to be the IIS authentication configuration. By enabling Anonymous Authentication (and enabling Forms Authentication and disabling Windows Authentication) the scripts, styles and images became accessible when logged off.
You can set permission to required folders like this:
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Take a look at the documentation for the location element. I think the first example will give you what you need.
For convenience, here is the example mentioned:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The group IIS_WPG needs read access to the folder. Now it works fine... hope this helps someone else.
You can set the permission to required folders like this:
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This is a complete stab in the dark but what are the rights on the image and css folders? If they are set so that only authorised people can get to them then you have a problem. You might try setting the rights on those folders to everyone, or for the .net default user and see what you get.
Did you accidentally copy or create a Web.config file in your Content folder that has an <authorization> element that may be denying access?
I had the same problem too and I tried what Scott H suggested but it didn't work...
It turns out the user assigned to Anonymous Authentication was set to IUSR (right-click 'Anonymous Authentication' -> Edit), which didn't have access to my code. I had given access to the Application pool identity, so I selected that option, clicked 'OK', and bingo it worked.

ASP.NET 3.5 IIS7 Roles Security Implementation

I'm working on an ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webServer sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unprivileged eyes. So I'm still looking for help.
Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
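The rule ordering this answer relies on (and the same first-match logic behind the per-folder web.config answers to the MVC2 question and the verb-specific deny rules in the bundles answer above), shown as an added illustration that is not code from any of the posts: a small Python model of how ASP.NET's managed <system.web><authorization> rules are evaluated. Assumptions: it models only the managed UrlAuthorizationModule (rules checked top to bottom, first match wins, machine-level default allow when nothing matches), not IIS's native <system.webServer><security><authorization> rules; the sample blocks are copied from the posts above.

```python
import xml.etree.ElementTree as ET

# Illustrative model of ASP.NET's UrlAuthorizationModule (<system.web><authorization>):
# rules are checked top to bottom and the FIRST rule matching the user and verb wins;
# if no rule matches, the machine-level default <allow users="*"/> applies.
# This is not the real module and does not cover IIS's native URL authorization.

def rule_matches(rule, user, roles, verb):
    """True if one <allow>/<deny> element applies. user=None means anonymous."""
    verbs = rule.get("verbs")
    if verbs and verb.upper() not in [v.strip().upper() for v in verbs.split(",")]:
        return False                                   # rule is for other verbs only
    for u in filter(None, (x.strip() for x in rule.get("users", "").split(","))):
        if u == "*":                                   # everyone
            return True
        if u == "?" and user is None:                  # anonymous only
            return True
        if user is not None and u.lower() == user.lower():
            return True
    wanted = [r.strip() for r in rule.get("roles", "").split(",") if r.strip()]
    return user is not None and any(r in roles for r in wanted)

def is_allowed(authorization_xml, user=None, roles=(), verb="GET"):
    root = ET.fromstring(authorization_xml)
    for rule in root:
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"                 # first matching rule decides
    return True                                        # default <allow users="*"/>

# Constructed sample blocks, copied from the posts above.
BROKEN_ADMIN = '<authorization><deny users="*"/><allow roles="SysAdmins,AppAdmins"/></authorization>'
FIXED_ADMIN = '<authorization><allow roles="SysAdmins,AppAdmins"/><deny users="*"/></authorization>'
JS_FOLDER = '<authorization><deny users="?"/><allow users="*"/></authorization>'
NO_OPTIONS = '<authorization><deny verbs="OPTIONS" users="*"/><deny verbs="TRACE" users="*"/></authorization>'

if __name__ == "__main__":
    print(is_allowed(BROKEN_ADMIN, "alice", ["SysAdmins"]))   # False: <deny users="*"/> matched first
    print(is_allowed(FIXED_ADMIN, "alice", ["SysAdmins"]))    # True
    print(is_allowed(FIXED_ADMIN, "bob", ["Users"]))          # False
    print(is_allowed(JS_FOLDER))                              # False: anonymous
    print(is_allowed(NO_OPTIONS, verb="OPTIONS"))             # False
    print(is_allowed(NO_OPTIONS, verb="GET"))                 # True
```

Because the default when nothing matches is allow, a block that only lists <deny> rules (or that ends with an <allow roles=...> without a trailing <deny users="*"/>) still admits authenticated users who are in no listed role.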
