I am using ASP.NET 4.5 OWIN Identity and attempting to block access to a directory for all but authenticated users. The directory contains raw files, so it isnt possible to wrap them in the ASP LoggedInTemplate tag.
When I try and prevent access to the directory to anonymous users, it fails.
I have tried adding the following to the main Web.config file:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="/docs">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Doing this gives server 500 errors and highlight the location path="/docs" line as the source of the error. This is a hosted solution, so options for changing the IIS server config to allow overrides arent available to me, though that does seem one potential solution for anyone experiencing this issue.
I have now removed the above from the main web.config and added a separate web.config file in the directory that I want to protect. The new web.config contains this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
This gives no errors, but allows unauthenticated users access to the folder, which is what I am trying to prevent.
Any ideas or pointers to any article that describes how to resolve this would be much appreciated.
The solution to this for my environment was to use the web.config file in the sub directory, but to add a custom handler definition for the file types in question.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="PDFHandler" verb="*"
path="*.pdf"
type="System.Web.StaticFileHandler"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
The web server then allows authenticated users only to access the files in the sub directory.
This article led my to the solution: http://www.primaryobjects.com/CMS/Article112
Related
As a test, I'm trying to use the web.config to control security in the following ways:
Deny access to all files in a directory, except for a specific file
Allow access to all files in a directory, except for a specific file
So I set up the web.config as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<!-- Deny access to all files in a directory, except for a specific file -->
<location path="NonAccessibleDirectory">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="NonAccessibleDirectory/AccessibleFile.html">
<system.web>
<authorization>
<allow users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- Allow access to all files in a directory, except for a specific file -->
<location path="AccessibleDirectory/NonAccessibleFile.html">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
</configuration>
As expected:
If I browse to the non accessible directory and do not specify a file, I get access denied
If I browse to the accessible directory and do not specify a file, I can see the list of files
The problems I'm having are:
If I browse to the non accessible directory and specify a file, I can view it, and I would have expected not to be granted access
If I browse to the accessible directory and specify a file I have denied access to via the web.config, I can still view it, and I would have expected not to be granted access
Amy I configuring things wrong?
You may be running in to the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences
Briefly, what happens with ASP.NET by default with web.config is that it only apply the allow and deny rules to files handled by the managed handler.
Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.
You can test this out by adding this to your main web.config to use the IIS version.
<system.webServer>
<modules>
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
I tested this with your same security and same directories and files, and all appears to work
A more complete version if you use other authentication methods such as forms could be this
<system.webServer>
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
In my asp.net MVC application I have tried to deny unauthorized users from an html file inside a sub folder. But it is not working as expected. Below is the web.config section which used right now.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Docs/help/index.html">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I think the global deny users will block all unauthorized access for all the pages, otherwise we should give specific permission. Please correct me If I am wrong.
But in my case even http://siteurl.com/Docs/help/index.html still able to access for an unauthorze user.
IIS - 7.5 , .NET - 4.5, MVC - 4
Please help me to resolve this issue.
MG
You have two ways to achieve it.
1st: <modules runAllManagedModulesForAllRequests=“true” /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config
(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add an wildcard managed handler to serve each request (inlucding static files which are handled by iis directly)
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Or you might need to wrap the <authorization> tag with a <security> tag.
If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.
on local machine ,i created sample project on mvc4 (razor) and create directory named "x" and put a text file "a.txt" in it.
http://localhost:64471/x/a.txt
in my web config i deny all user to access to "x" folder by this config:
<location path="x">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
Now if user send this request :
http://localhost:64471/x/
it works and return user to URL that defined in forms tag in web config.
but when user send this request :
http://localhost:64471/x/a.txt
can read text file in browser(browser shows contents of text file).
i want to know how to deny user to access all files and subfolders in "x" folder?
I know this is an old question, but if you are having issues and dealing with text or html files, you might want to refer to this stackoverflow question.
In short, you might need to add this to your web.config:
<system.webServer>
<modules>
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
As kirk points out, files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.
I tested with path="x" in root web.config. It restrict everything under x folder; it won't even let me browse ~/x. I get redirected to login page.
Could you try full path to a.txt like this in root web.config?
<location path="x/a.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
If it still doesn't work, you can try creating a web.config inside x folder with the following content.
<?xml version="1.0"?>
<configuration>
<location path="a.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users is getting access to the page.
Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.
This is what I've done:
//Web Config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1 the user don't get access even when prompted with a login request. The login windows dialog boks just keep on popping up 3times with even if the used have access. making it deny ? (anonymous) allows everybody to have access, even if I take out the deny and only have the allow tag with USER1 the rest of the users still have access... I'm running locally now, but even on the IIS when setting the authentication on there with (windows and basic authentication) does exactly the same....
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
In my main web.cofin in the root of the application I have set authentication mode to windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
On your question you said you have a folder name but on the web.config you have given only the file name on the path. Use the foldername/filename.aspx like below. Use deny users="*" instead of deny users="?'
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<authentication mode="Windows" />
</authorization>
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />
How to restrict folder access in asp.net
like I don't want any other to see my Uploads folder in browser by link http://www.example.com/Uploads
For the future generation the answer which works for me is to use hidden segments.
If you want to secure e.g. Uploads folder go to your root Web.config and add into <system.webServer> following element:
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Uploads"/>
</hiddenSegments>
</requestFiltering>
</security>
This will prevent all users from direct access to Uploads folder and its content.
You can do like #klausbyskov mentions, to add <authorization />'s to the root web.config, like:
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
or you can add a web.config to the folder where you want to allow/deny access with the following content:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Of course replace the <allow /> and <deny /> with you own rules
You should add a web.config file to said folder and put an <authorization> tag in the file, as described here.
You can manage folder browsing in IIS settings.,
Open IIS Manager and navigate to the folder you want to manage.
In Features View, double-click Directory Browsing.
In the Actions pane, click Enable/Disable.
This is for IIS7.
you can also use commandline for this.
appcmd set config /section:directoryBrowse /enabled:true|false
Hope this helps...
Happy Programming,