I am trying to get the simplest example of allowing access by default, denying access unless authenticated to specific directories in IIS, to work. When you Google around, everyone says it's as simple as this:
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Somehow it hasn't been for me.
Here's the project structure:
Here's the Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/" />
</authentication>
<authorization>
<!--<deny users="*"/>-->
</authorization>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The goal is to allow all users to access index.html and to deny access to everything in pages.
Here's my observations:
<!--<deny users="*"/>--> works when un-commented.
It doesn't work at all without <modules runAllManagedModulesForAllRequests="true" />. Remove this, deny doesn't work anywhere.
The deny in <location path="~/pages"> doesn't work. Setting the path to pages or pages/secure.html or ~/pages/secure.html also doesn't work.
What's the problem here?
it doesn't like the path "~/pages" . The following works for me
<configuration>
<system.web>
<authentication mode="Forms"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"></modules>
</system.webServer>
<!-- note the change below -->
<location path="pages" >
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Related
I want to configure the application and prevent the user from going directly to any page in the application without signing in but any user can access the websites homepage.
But when I run the homepage ,login page or any page of the website, I am getting this error:- The requested page cannot be accessed because the related configuration data for the page is invalid.
I can't find out where I am making mistake. I have posted my web.config file . have a look over it .show me where I am making mistake and what is the solution.
web.config
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="FIRST PAGE">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Registration">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="AdminHome">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Student">
<system.web>
<authorization>
<allow roles="Student"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Teacher">
<system.web>
<authorization>
<allow roles="Teacher"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None"/>
</appSettings>
</configuration>
ERROR
the homepage of the website is under the folder FIRST PAGE and login and register page is under the folder Registration
The <authentication> part of your configuration should be inside the <system.web> section
MSDN authentication Element
Just edit your web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
How can I restrict access to the root folder and all sub folders of my website? I have an ASP.Net Webforms application using Identity for authentication. Users will have accounts created for them. When a user goes to the website the first thing they should see is the login page. I've tried "/", "~/", "", values in the Location tag, as well as simply not having the location tag in the web.config file but none of these produces the desired result.
<location path="/">
<system.web>
<authorization>
<allow users="user1#mydomain.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<pages>
<namespaces>
<add namespace="System.Web.Optimization"/>
<add namespace="Microsoft.AspNet.Identity"/>
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
</controls>
</pages>
<membership>
Remove the <location> element and try the following config:
<system.web>
<authentication mode="Forms">
<forms name="FormsAuth" loginUrl="/your-login-path" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
There may be further adjustments you'll need to make on the <forms> element depending on your enviroment/setup etc, but this should get you going.
EDIT
The above doesn't work for ASP.Net Indentity. The only way I could get this to work was creating individual <location> elements for every page, in the root and subfolder web.config, explicitly denying or allowing users as needed.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
...
</system.web>
In your Root Web.Config Add:
<authorization>
<deny users ="?"/>
</authorization>
In your Account/Web.Confing Add:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
That worked for me
Parallel Plesk is not opening default page on my domain name which I've set in the default directories, instead it is opening a login page of my ASP.NET web application. However it opens default page on my domain name once I logged in by giving right credentials.
Here is my web.config file:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<httpRuntime targetFramework="4.5" maxRequestLength="20896" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="UserPanel.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
If you are hosting on IIS (7 or later), inside the <system.webServer> (of your web.config) add:
<defaultDocument>
<files>
<clear/>
<add value="UserPanel.aspx" />
</files>
</defaultDocument>
when i use:
<deny users="?"/>
in "authorization" tags, CSS stop working for unauthorized visitors. how can i define a exception for css files. i want them to apply to all visitors.
this is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
i did edit my web.config to this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
<location path="styles">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="styles/welcome.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
and it's working.
thank you.
Add the location of your CSS to your web.config. You can put it completely at the end, just before the </configuration>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Of course, change "css" to the real folder of your css file... It is the easiest to put it in a separate folder where all items are public. Just like your images etc.
You are probably blocking access to the folder where you store css files.
Try to allow everybody to access your css-folder even if they are not autorized.
You can use the Location element to define which part of your site the configuration applies to:
(from MSDN)
<location allowOverride="True|False" path="path" />
When i tried to implement form authentication in various subfolders i am getting an error as follows:it is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
implementation in my webconfig was as follows
<location path="HelpDesk">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Helpdesk/Default.aspx" />
</authentication>
</system.web>
</location>
You have forget/copy a web.config inside a subdirectory on your project that contains commands that is only for the main web.config.
If this is not your main config, then you need to change it for sub folder users... for example something like:
<configuration>
<system.web>
<authorization>
<allow roles="whatever" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
This is what I had to do to make my WFC service to use form authentication
<modules runAllManagedModulesForAllRequests="true"/>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" minFreeMemoryPercentageToActivateService="0"/>
<authorization>
<allow roles="itvserver" />
<deny users="?"/>
</authorization>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true" />
</webServices>
</scripting>
</system.web.extensions>