asp.net Forms Authentication restrict access to folder - asp.net

I have a website with the following structure; it will be deployed to an Azure Web App:
~\Home\Files\(kk.jpg) (ff.pdf) (aa.xls)....
~\Home\Download.aspx
~\LogIn.aspx
~\Web.config
Rules:
Only logged-in users can see anything in the "Home" directory.
In particular, I want to prevent any user who is not logged in from accessing any file in the "\Home\Files\" directory.
Here is my web.config file:
<system.web>
<authentication mode="Forms">
<forms name=".SCKi" loginUrl="LogIn.aspx" protection="All" path="/" timeout="30" requireSSL="true" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
Can anyone help me apply these rules?

You need to lock down access to specific folders using the location tag in web.config.
<location path="Home/Files">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This goes under the configuration tag.

You are allowing everyone in:
Change to this:
<allow users="?" />
And remove the deny option.

Related

How to have compulsory login in asp.net for a particular page

I have created a default master page site with login and register options.
When you create the default page you get three menu options, i.e. HOME, ABOUTUS, CONTACTUS.
I have added one more menu option, i.e. ADMIN.
Whenever someone clicks ADMIN they are supposed to log in; it is mandatory.
How can I do it?
Currently anyone can surf all menu pages without logging in.
I want to make it compulsory.
Please help; basically I need a members-only page.
You can use the location config to specify the path of either a folder or a page; see below for an example and a link to the Microsoft details.
http://msdn.microsoft.com/en-us/library/ff648345.aspx
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="https://myserver/mywebapp/secure/Login.aspx"
protection="All"
timeout="30"
name="AppNameCookie"
path="/FormsAuth"
requireSSL="true"
slidingExpiration="true"
defaultUrl="default.aspx"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<!-- Deny access to unauthenticated users -->
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<!-- Allow unrestricted access to the folder with the login page.
The location element must sit inside the configuration element. -->
<location path="secure">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Add this section to your application's web.config file to deny all unauthenticated users access to the page admin_page.aspx:
<configuration>
<location path="admin_page.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Read "Control Authorization Permissions in an ASP.NET Application" for more information.

Allow access for unauthenticated users to a specific page using ASP.Net Forms Authentication

I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow even unauthenticated users access to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support:
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- protection="None" leaves the ticket neither encrypted nor signed;
"All" is the default and is what you want in production. -->
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you explicitly
allow by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- path here is the path to your register.aspx page -->
<location path="register.aspx">
<system.web>
<authorization>
<allow users="*"/> <!-- this allows everyone access to register.aspx -->
</authorization>
</system.web>
</location>
For more detail, follow the link below:
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and restrict access to the rest of the site to logged-in / authenticated users only, i.e. not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization> <!-- this will restrict anonymous user access -->
<deny users="?"/>
</authorization>
</system.web>
<!-- path here is the path to your special.aspx page -->
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/> <!-- this will allow everyone access to special.aspx -->
</authorization>
</system.web>
</location>
</configuration>

ASP.NET Page Unauthorization for common pages

I am developing a web application which has form-based authentication. All pages need to be authenticated except the AboutUs and ContactUs pages.
I configured everything correctly except the AboutUs and ContactUs pages. Since I am denying all users in the authorization section, the application is redirecting even if the customer browses the AboutUs and ContactUs pages.
Configuration Rules
<authentication mode= "Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" timeout="20" protection="All" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Could you please let me know how I can tell ASP.NET to exclude these pages from authorization?
Thanks,
Mahesh
Try this:
<system.web>
<authentication mode="Forms" >
<!-- protection="None" leaves the ticket neither encrypted nor signed;
"All" is the default and is what you want in production. -->
<forms loginUrl="login.aspx" name=".ASPNETAUTH"
protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for
those that you explicitly allow by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the AboutUs.aspx page
only. It is located in the same folder as this configuration file. -->
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to the ContactUs.aspx
page only. It is located in the same folder as this configuration file. -->
<location path="ContactUs.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

How do I grant anonymous access to a url using FormsAuthentication?

For the most part, my webapp requires authentication to do anything. There are a few pages, namely the homepage, that I'd like people to be able to access without authenticating.
Specifically, I'd like to allow anonymous access to these urls:
/home
/default.aspx
I'm using asp.net MVC and FormsAuthentication. Both urls point to the same view:
/home/index.aspx
Here is my current configuration in web.config.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Reading the documentation for the authorization tag, it says "Configures the authorization for a Web application, controlling client access to URL resources." It seems like I should be able to use the authorization tag to specify a url and allow access.
Something like:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<authorization url="/default.aspx">
<allow users="?" />
</authorization>
<authorization url="/home">
<allow users="?" />
</authorization>
I hate to answer my own question, but since I did end up figuring it out, I figure I'd share the knowledge.
Use the location tag and put the allow and deny tags in the correct order.
The location tag can be used to configure a specific url resource. In my case I wanted to configure a few urls and folders specifically.
This didn't work at first because I didn't have the allow/deny in the correct order. According to MSDN, "the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule."
In my case I needed to put all my public stuff first (default.aspx, home, styles, images, scripts) and then I put a deny on everything else. I left out the path on the last location tag. That makes it apply to all files and subfolders.
End result, a user can get to the homepage, pull up images and styles, but for everything else must log in.
Here's my web config file now:
<!--AUTHORIZATION AND AUTHENTICATION RULES-->
<location path="default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Home">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Styles">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
<!--END AUTHORIZATION AND AUTHENTICATION RULES-->

Redirect user to Multiple Login Pages using ASP.NET Membership

Redirect the user to a login page dependent on the folder they are in. I have a web application with the root directory, which is used by all users, and the admin site.
People who require the authenticated functionality of the site would need to log in and be redirected to root/login.aspx. However, when an admin needs to log in to the root/admin/ section of the site, I want them to be redirected to the login form at root/admin/login.aspx.
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I have this file in the root/admin directory. I have tried adding the following lines, but it is giving an error.
<authentication>
<forms defaultUrl="default.aspx" loginUrl="default.aspx"></forms>
</authentication>
Basically I am trying to override the defaultUrl and loginUrl that exist in the main app.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN:
For centralized administration, settings can be applied in the Machine.config file. The settings in the Machine.config file define machine-wide policy and can also be used to apply application-specific configuration using <location> elements. Developers can provide application-configuration files to override aspects of machine policy. For ASP.NET Web applications, a Web.config file is located in the application's virtual root directory and optionally in subdirectories beneath the virtual root.
If you would like one login location and different access levels, you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" /> <!-- admin and root are allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" /> <!-- only admin is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
You can access all these elements at the code level if you would like to manipulate the roles/authentication programmatically:
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Tutorials
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified
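The rule evaluation that every answer above relies on (the first matching rule wins, the most specific <location> is consulted first, "?" means anonymous and "*" means everyone, roles match by name) is easy to get wrong by staring at XML. Below is an added example, written for this page, that models those documented ASP.NET URL-authorization semantics in Python so you can check a planned configuration before deploying it. It is not ASP.NET's code and not from any of the posts. The configurations and callers in it are constructed to mirror the first question's Home/Files folder, the second answer's suggestion to allow "?" and drop the deny, the MVC self-answer's public paths, and the roles answer just above; the user names are made up.

```python
"""Model of how ASP.NET evaluates <authorization> rules scoped by <location>.

Documented behaviour reproduced here:
  * A <location path="..."> scopes its rules to one file or one folder
    (a folder matches everything beneath it).
  * When a URL falls under several locations, the most specific location's
    rules are evaluated first, then its parents', then the root rules.
  * Within that merged list the FIRST rule that matches the caller wins;
    "?" matches anonymous callers, "*" matches everyone.
  * If no rule matches at all, access is allowed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANONYMOUS = "?"
EVERYONE = "*"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    users: Tuple[str, ...] = ()     # user names, "?" or "*"
    roles: Tuple[str, ...] = ()     # role names


@dataclass(frozen=True)
class Caller:
    name: Optional[str] = None      # None = anonymous request
    roles: Tuple[str, ...] = ()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def matches(rule: Rule, who: Caller) -> bool:
    """True if the rule's users or roles list includes this caller."""
    for user in rule.users:
        if user == EVERYONE:
            return True
        if user == ANONYMOUS and not who.is_authenticated:
            return True
        if who.is_authenticated and user.lower() == who.name.lower():
            return True
    caller_roles = {r.lower() for r in who.roles}
    return any(role.lower() in caller_roles for role in rule.roles)


def effective_rules(config: Dict[str, List[Rule]], url: str) -> List[Rule]:
    """config maps a location path ("" = root <system.web>) to its rule list.
    Returns the merged rule list in evaluation order for this URL."""
    path = url.strip("/").lower()
    applicable = []
    for location, rules in config.items():
        loc = location.strip("/").lower()
        if loc == "" or path == loc or path.startswith(loc + "/"):
            applicable.append((len(loc), rules))
    applicable.sort(key=lambda item: -item[0])       # most specific first
    return [rule for _, rules in applicable for rule in rules]


def is_allowed(config: Dict[str, List[Rule]], url: str, who: Caller) -> bool:
    """First matching rule decides; no match means allowed."""
    for rule in effective_rules(config, url):
        if matches(rule, who):
            return rule.action == "allow"
    return True


# Constructed configurations mirroring the posts on this page (not real sites).
FILES_CONFIG = {                      # first question + first answer
    "": [Rule("deny", (ANONYMOUS,)), Rule("allow", (EVERYONE,))],
    "Home/Files": [Rule("deny", (ANONYMOUS,))],
}
OPEN_CONFIG = {                       # second answer: allow "?" and drop the deny
    "": [Rule("allow", (ANONYMOUS,))],
}
MVC_CONFIG = {                        # MVC self-answer: public paths, rest denied
    "": [Rule("deny", (ANONYMOUS,))],
    "default.aspx": [Rule("allow", (ANONYMOUS,))],
    "Home": [Rule("allow", (ANONYMOUS,))],
}
ROLES_CONFIG = {                      # roles answer above
    "root": [Rule("allow", roles=("admin", "root")), Rule("deny", (EVERYONE,))],
    "root/admin": [Rule("allow", roles=("admin",)), Rule("deny", (EVERYONE,))],
}

if __name__ == "__main__":
    anon, alice, bob = Caller(), Caller("alice"), Caller("bob", ("root",))
    print(is_allowed(FILES_CONFIG, "/Home/Files/ff.pdf", anon))      # False
    print(is_allowed(FILES_CONFIG, "/Home/Files/ff.pdf", alice))     # True
    print(is_allowed(OPEN_CONFIG, "/Home/Files/ff.pdf", anon))       # True: anonymous gets in
    print(is_allowed(MVC_CONFIG, "/home/index", anon))               # True
    print(is_allowed(MVC_CONFIG, "/Account/Settings", anon))         # False
    print(is_allowed(ROLES_CONFIG, "/root/admin/users.aspx", bob))   # False
```

Two things the model deliberately leaves out. It covers only <authorization>, because that is the section ASP.NET lets you scope per folder or <location>; <authentication> is application-level, which is why putting it in a subfolder web.config fails. And it assumes every request reaches the ASP.NET pipeline: on IIS in integrated mode the FormsAuthentication and UrlAuthorization modules are registered with the managedHandler precondition, so static files such as the .jpg, .pdf and .xls in Home/Files skip these rules unless you make the modules run for all requests (for example <modules runAllManagedModulesForAllRequests="true"> under <system.webServer>). Check that before trusting a <location> rule to protect downloads.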
