How do I block access to certain URLs with ASP.NET? - asp.net

I want to block access to /admins/setting.txt and to /user_N/setting.txt from browsers.
Where can I control these requests?

You can easily add such settings to your web.config file, like this:
For a specific file:
<location path="admins/setting.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
For a folder
<location path="user_N">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>

Move the folder to one under App_Data.
e.g.
example.com/App_Data/admins/setting.txt
This will prevent the files from being served.

Related

Allow anonymous access to a particular aspx file not working

I'm dealing with an issue for the last 3 hours.
I have to build a project with WebForms. I'm setting the authentication like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Account/Login.aspx" defaultUrl="Backend/Default.aspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<compilation debug="true" targetFramework="4.6"/>
<httpRuntime targetFramework="4.6"/>
</system.web>
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
When executing the application, not only does it not allow me to enter Backend/Default.aspx (it redirects the site to Account/Login.aspx), but it also does not allow access to the login page. I'm getting a not authorized error.
Can anyone tell what I am missing?
Edit:
I have 2 files:
Backend/Default.aspx
Account/Login.aspx
I want to be allowed to enter Default.aspx without authentication. But not only does it not allow me, it doesn't allow me Account/Login.aspx either.
If I change
<location path="Account/Login.aspx">
To
<location path="Account">
It works. But I only need one file on this folder to be allowed and not the entire folder.
Please tell me if I can give more useful information
Your question is a little confusing so I'm not sure if this will work, but it might give the right approach.
You have
<authorization>
<deny users="?"/>
<allow users="*"/> <!-- this allows everyone everywhere, overriding the previous line. -->
</authorization>
Remove the allow line, blocking everyone from everything
<authorization>
<deny users="?"/>
</authorization>
Then allow a specific folder
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Or, you can have 2 web.config files.
Start with this in the root of your site
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Then add another web.config file in the Account/ directory that has
<!--Block everyone from everything in this directory-->
<authorization>
<deny users="?"/>
</authorization>
<!--But allow a specific file-->
<location path="Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Hth.
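ASP.NET URL authorization walks a merged rule list top-down and stops at the first match: rules from the most specific matching <location> come first, then the root rules, then the machine-level default <allow users="*"/>. The Python model below is an added example, not code from any answer here or from ASP.NET; the sample config, user names and function names are constructed, and the model ignores roles, verbs, friendly-URL routing and static-file handling.

```python
import xml.etree.ElementTree as ET

# Constructed sample config for this example (not taken from any poster's project).
SAMPLE = """<configuration>
  <system.web><authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization></system.web>
  <location path="Account/Login.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="Admin">
    <system.web><authorization>
      <allow users="alice"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

def _rules(node):
    """[(action, [users])] from node's system.web/authorization, in document order."""
    out = []
    for sw in (c for c in node if c.tag == "system.web"):
        for auth in (c for c in sw if c.tag == "authorization"):
            out += [(r.tag, [u.strip().lower() for u in r.get("users", "").split(",")])
                    for r in auth if r.tag in ("allow", "deny")]
    return out

def merged_rules(config_xml, url_path):
    """Deepest matching <location> first, then the root rules, then the default allow."""
    root = ET.fromstring(config_xml)
    req = url_path.strip("/").lower()
    hits = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        p = "" if p == "." else p
        if p == "" or req == p or req.startswith(p + "/"):
            hits.append((len(p), _rules(loc)))
    hits.sort(key=lambda h: -h[0])
    merged = [rule for _, rules in hits for rule in rules]
    return merged + _rules(root) + [("allow", ["*"])]  # machine-level default

def is_allowed(config_xml, url_path, user=None):
    """First matching rule decides; user=None models an anonymous request."""
    for action, users in merged_rules(config_xml, url_path):
        if "*" in users or (user is None and "?" in users) or (user and user.lower() in users):
            return action == "allow"
    return True  # not reached: the trailing default allow always matches
```

Running is_allowed over every page path with user=None gives a quick list of what an anonymous visitor can reach under a given rule set.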

Deny access to folder but allow access to a file inside that folder

I would like to deny anonymous users access to the folder 'test' but exclude and allow access to a file 'webform1' inside the test folder. Why does this not work?
<location path="test">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Here is a link to a sample webforms project https://github.com/uselesshasid/StackOverflow_Question_38597397
This is probably a bug in ASP.NET, with the way it handles authorization when friendly URLs are used.
I changed the web.config to define both versions of the file URL, and it works.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

How to specify root (/) location in web.config?

How does one specify root location in web.config to allow unauthenticated users access it?
The root location is served by default.aspx, but users normally don't see default.aspx, they just see http://mysite.com/.
So I've added
<location path="~/default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Which works if user hits mysite.com/default.aspx, but if user hits mysite.com/ - he is still redirected to login page.
I've tried <location path="~"> (does not help) and also <location path="~/">, <location path=""> (site fails completely) and could not make it work.
Any ideas?
Try this one:
<system.web>
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/default.aspx" />
</urlMappings>
<authorization>
<allow roles="admin"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Only use
<location path=".">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
or don't write path, because the default path is root (.)
You can achieve this by 2 methods.
Method 1:
You can set the redirect path to http://mysite.com/default.aspx in IIS if any user directly comes to your site. In IIS7 you can do that by clicking on Default Document. Here I attached an image for your reference.
Method 2:
You can go through this URL, ASP.NET Membership, to set your web config settings.
Let me know if you need more detail on this.
The way we have done it in the past was to create a folder for all functionality that requires login and set require auth for that folder. All aspx go to that folder. The root of the site stays open.
You probably use forms authentication, no?
<authentication mode="Forms">
<forms loginUrl="~/Default.aspx" />
</authentication>
This will solve your problem. An alternative is:
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
If you only want to let unauthenticated users access default.aspx you can use
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
before <system.web> and set that page as default in your web server.
In Visual Studio you can select the page and "Set As Start Page".
If you want to allow access to all the files in the root you have to create folders where you put your pages which need to be accessed by authenticated users.
You can create a Secure folder where you can put all your protected pages and change your web.config this way:
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
removing
<authorization>
<deny users="?"/>
</authorization>
To specify root directory you have to set it outside the location block.
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
and then secure your other folder using location block
<location path="AccessDenied.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Use this:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It works for me.
Merk was right!
I used
<location path="">
<system.webServer>
<httpRedirect enabled="true" destination="http://www.newpathdestination.com" exactDestination="true" httpResponseStatus="Permanent" />
</system.webServer>
</location>
on Windows netserver (don't ask), making sure to put nothing in between the quotes for location path. Redirects a request for the old home page to the new home page.
If you want to specify the root of the directory, use <location path="" >

Location tag in web.config for authorization

In the project there is a folder named customer; inside it there is a file named register.aspx. In web.config I have the configuration check as follows:
<location path="Customer">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Customer/Register.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Even though I have authorized register.aspx for unauthorized users, it is still expecting authorization. Can anybody explain it?
You have to create a Web.Config file in Customer folder and add
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Try switching order of those location nodes. Put allow Register first, and deny Customer second.

How to use ASP.NET Authorization Yet Permit Access to .css Files?

<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I am using forms authentication, and when I place the arguments cited above, the CSS formatting I have done for the whole document is not being implemented; it's vanishing. What should I be doing so that the CSS remains intact?
I assume that your login form has an external CSS file, and that you're using Cassini or IIS 7 integrated mode.
Your <deny users="?"/> is preventing anonymous users from seeing the login form's CSS files.
You need to use the <location> element to allow anonymous users to see the CSS files, like this:
<location path="CSS">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Use the location element to allow access to your css:
<configuration>
<location path="style.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="Images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Please add this code in the web config file:
<globalization requestEncoding="utf-8" responseEncoding="utf-8"
culture="en-GB"/>
