I have this configuration below to hide a folder from users in a specific group. It works on one domain but when I trying to deploy it to another one it doesn't.
I know that the settings is in the right place in the web.config and right formatted because if I change to deny users="*" no one will see it the folder (almost like I want but I want only hide for a specific AD group) and I know for a fact that I have the right AD group for it too since I'm using it in my code (doing a IsInRole check).
<location path="Folder">
<system.web>
<authorization>
<deny roles="domain\group"/>
</authorization>
</system.web>
</location>
Using Windows Athentications
What can I have missed on the second IIS/Domain? (Don't forget that it works on the "first" Domain/IIS)
I was trying to make the first iis that worked to have the same settings as the one that didn't but obviously I failed. When I found the problem it was that Anonymous - was enabled and Windows Authentications was disabled, I switch those and It now works. (I'm sure I trided to set the "working" iis in the same Authentication state but since that was of an older version I may have failed)
Related
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I created deployment package of my site when I try to use it I get the following error:
The length of the query string for this request exceeds the configured maxQueryStringLength value.
and the adress bar looks like this.this doens't happen in visual studio
http://localhost/MyServer/Login.aspx?ReturnUrl=%2fMyServer%2fLogin.aspx%3fReturnUrl%3d%252fMyServer%252fLogin.aspx%253fReturnUrl%253d%25252fMyServer%25252fLogin.aspx%25253fReturnUrl%25253d%2525252fMyServer%2525252fLogin.aspx%2525253fReturnUrl%2525253d%252525252fMyServer%252525252fLogin.aspx%252525253fReturnUrl%252525253d%25252525252fMyServer%25252525252fLogin.aspx%25252525253fReturnUrl%25252525253d%2525252525252fMyServer%2525252525252fLogin.aspx%2525252525253fReturnUrl%2525252525253d%252525252525252fMyServer%252525252525252fLogin.aspx%252525252525253fReturnUrl%252525252525253d%25252525252525252fMyServer%25252525252525252fLogin.aspx%25252525252525253fReturnUrl%25252525252525253d%2525252525252525252fMyServer%2525252525252525252fLogin.aspx%2525252525252525253fReturnUrl%2525252525252525253d%252525252525252525252fMyServer%252525252525252525252fLogin.aspx%252525252525252525253fReturnUrl%252525252525252525253d%25252525252525252525252fMyServer%25252525252525252525252fLogin.aspx%25252525252525252525253fReturnUrl%25252525252525252525253d%2525252525252525252525252fMyServer%2525252525252525252525252fLogin.aspx%2525252525252525252525253fReturnUrl%2525252525252525252525253d%252525252525252525252525252fMyServer%252525252525252525252525252fLogin.aspx%252525252525252525252525253fReturnUrl%252525252525252525252525253d%25252525252525252525252525252fMyServer%25252525252525252525252525252fLogin.aspx%25252525252525252525252525253fReturnUrl%25252525252525252525252525253d%2525252525252525252525252525252fMyServer%2525252525252525252525252525252fLogin.aspx%2525252525252525252525252525253fReturnUrl%2525252525252525252525252525253d%252525252525252525252525252525252fMyServer%252525252525252525252525252525252fLogin.aspx%252525252525252525252525252525253fReturnUrl%252525252525252525252525252525253d%25252525252525252525252525252525252fMyServer%25252525252525252525252525252525252fLogin.aspx%25252525252525252525252525252525253fReturnUrl%25252525252525252525252525252525253d%2525252525252525252525252525252525252fMyServer%2525252525252525252525252525252525252f
Seems that you have circular navigation. Please give code of page load event of login.aspx and the 2nd page which you are accessing.
Just a hunch: it might be that your login page is not accessible for anonymous users. So it redirects to the login page, that in turn redirects to the login page.
Have a look at the web.config to set the proper access rights.
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It looks like your solution in Visual Studio has been built from one of the templates that has some sort of forms - based authentication built in. I'm pretty sure that you can disable this in the web.config.
<authentication mode="Windows"/>
<authorization>
<allow users="USERS"/>
<allow roles="ROLES"/>
<deny users="*"/>
</authorization>
Is there a way to write an if statement in here to detect what url I am on so I can allow a certain role for that certain URL.
Example code in my head of what I kind of want to see:
If (UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
ElseIF(UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
ElseIF (UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
End If
<deny users="*"/>
Is this even allowed in the web.config? If it isn't how could I go about doing this?
I have 3 websites. One for Dev, UAT and PROD. Now for each sites I have different user groups for each set up. I just want to find a way that I can just find what URL i'm at and point it at the certain user group. I'm guessing I have to make a web.config for each because you can't do conditional statements but I'm just making sure. If I have to make a web.config for each how can I go about setting that up?
Edit (changed the whole answer as I think your issue is now different)
Your best option is to have different configuration settings in each web.config which is what web.config files are for. You might have to look at your deployment process if you deploy the web.config each time (either manually or automatically).
Another option would be to instead have your application do the authorisation by knowing what environment it is running in and denying access using code. That path is obviously more work than something that has already been provided, but is an option.
Alternatively (and most of the time better) you should place additional web.config files in your subfolders - then the folder itself defines who can access it.
In these web.configs all you need to have is the authentication section that will override parent folder authentication.
In general this only works properly in webforms, as MVC got rid of meaningful folders and supports different security model entirely (the one where Controller has to figure out the access via new security attributes)
If you are deploying the same web application to different environments, then you can consider using web.config transformations. With this approach you can have a special file for each environment that will take the default development web.config and change only certain values, in your case the <authorization> tag (or maybe also the <connectionStrings> or <appSettings> tags if you want to).
In Visual Studio it looks like this:
This only works for Web Application Projects, not for Web Site Projects (), and only with Visual Studio 2010 and later.*
You need to create a solution configuration for each environment first. From the main menu, select Build > Configuration Manager. Here you can manage each configuration. By default you will have Debug and Release, you can add UAT and Production configurations for your solution for example.
Then you can right-click the web.config file in your Web Application project and click Add config transforms and you will find a new transform for each configuration:
web.config
web.Debug.config
web.Production.config
web.Release.config
web.UAT.config
Now you must write the transformation, in your case, it would look like this (for web.UAT.config):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<authorization xdt:Transform="Replace">
<allow roles="USER-ACCEPTANCE-TEST" />
<deny users="*" />
</authorization>
<system.web>
</configuration>
Notice how we instruct the transformation to replace the <authorization> tag completely. This will happen when you publish the web application (right click and select Publish...), for example to a folder on your desktop for transferring by FTP to the UAT server.
See here for some tutorials:
http://blogs.msdn.com/b/webdevtools/archive/2009/05/04/web-deployment-web-config-transformation.aspx
http://msdn.microsoft.com/en-us/gg454290
http://msdn.microsoft.com/en-us/library/ie/dd465318.aspx
Although you can technically use it in a Web Site project, it's not easy. You will have to use the Visual Studio command line to run msbuild.exe. See some of the tutorial above for how to do that as well).
Replace on your roleManager like this:
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
When I run my website through debug mode in visual studio everything looks great and all the images on the page show up fine. But once I deploy my website to an IIS7 web server (doubt that other versions would make any difference, but you never know) then users can't see the images on the site until they log in.
The website is an asp.net MVC site and I'm new to MVC, though I do have lots of experience with asp.net forms. It seems that only authenticated users are allowed to access the images folder, and there is an authorization section in my web.config saying that only admins can access the site, so how do I make it so that all users, authenticated or otherwise can view the images?
-- Update --
I tried putting in the configuration block suggested, which from everything I can tell makes perfect sense, but it didn't seem to make a difference. The sample below has Content/Images for the path but before that I tried just Content, since it's OK for everything in there to be accessible. I also tried setting the allowOverride setting to false, which also didn't seem to make a difference.
<location path="Content/Images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
--Update 2--
Funny thing is that I don't even see any explicit deny entries in my web.config, just an allow for admin's, and when I went into IIS 7 and used the UI to allow all users access to the Content directory it didn't show any deny's on the list either. But then again, this project works fine when I just debug it from my personal computer, it's only after I deploy it that I have problems...
<authorization>
<allow roles="admin" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
In your web.config file, after the </system.web> tag, add the following
<location path="images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
where path="images" is the name of the folder with your images/css.
Update:
If you're using ASP.NET MVC, I would remove the authorization declaration in the web.config file and use the [Authorize] attribute on the controllers that need to be locked down.
You can also specify the roles you want to grant access to using [Authorize("admin")].
By default, the configuration you define in a Web.config file, applies to every subdirectory of its containing folder. If you have a Web.config in the application root, that configuration will propagate to every subdirectory, including those where you have images and Css style sheets. So, if you have in your root Web.config a rule like this one:
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
anonymous users will not be able to access the resources needed to display the page like you would expect it.
To fix it, you need to include another Web.config in every subdirectory that has presentation resources, and apply the rules you want to override. In your case, this should do the work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are using Themes, place a single Web.config file in the theme folder.
Just ran into the same problem. We noticed it on our Login page. The CSS and images weren't loading (they were under the content directory). Adding IUSR to the folder with Read privileges fixed it for us.
Old question but I came across the same problem and found the answer.
I had created a new folder for the Membership pages that I wanted logged-in users to have access to, but the images wouldn't show up in them!
It turns out that no matter what I tried I couldn't set a relative path to the images from within the Members folder.
The problem was the html image (as far as I could tell anyway, correct me if I'm wrong).
I swapped it out for an asp:image with a relative path and now it works great.
My new code: asp:image runat="server" id="Logo" ImageUrl="~/Images/logo.jpg"
Notice the ' ~/ ', that wouldn't work for me with
I tried: img src="../Images/logo.jpg", img src="~/Images/logo.jpg", img src="/Images/logo.jpg", etc. to no avail.
Hope this answer helps someone solve this problem more quickly in the future.
Try browsing the image file directly and see if that comes up for an anonymous user. In IIS 7, there is a way in which you can authorize anonymous users directly from your UI [which in turn would create the web.config if it doesn't exist].
Folder -> .NET Authorization Rules -> Add Allow Rule
Are you using membership framework. I suspect that you have misconfigured your permission settings in web.config and your images folder is only allowing authorised requests. This can be easily change via web.config. Just remove the folder name from your authorised section and this should solve the problem.
For your reference this should be the section in web.config if you are using membership framework :
<authorization>
<deny roles="xyz" />
</authorization>
We came across the same problem in our project and found a solution, although we are not sure about the reasons of this behaviours.
We had a similar scenario, with a folder containing all our png images. Our marketing colleague wanted to rename some of them, so to make it easier for her, we shared (this might be the key) that folder, granting read/writer rights to her.
From this point, the images started behaving as you describe, requiring authorization for being accessed. No unauthorized user could see them any more.
We realized that the problem was related to sharing the folder because it started happening at that point of time. Otherwise we still don't see any relationship among ASP.NET MVP user authorization/login and hard disk user rights. We could have expected an IO Exception or something similar, but not this behaviour.
After checking the folder, and comparing with other folders, we realized that after sharing, the permissions on the folder had slightly changed. Mainly they did not inherit from its parent folder anymore and some permissions such as CREATOR OWNER and MACHINE_NAME\Users had dissapeared (although IUSR and the app pool user were still there).
So, we renamed that folder, created a new one with the same name, and copied the content from the old folder to the new one. The new folder had the permissions inherited from its parent and everything started to work perfectly again.
It solved our problem, but we are still not sure why this all happened this way.
Regards
I have an location element in my web.config like so:
<location path="Admin">
<system.web>
<authorization>
<allow roles="Domain\Development"/>
<deny users="*" />
</authorization>
</system.web>
</location>
This works to only allow members of the development group access to this folder.
I was wondering if there is a way to simply test if a user has access to this folder?
One scenario is creating menu items. I'd simply like to hide or not render links to pages in this folder if the user does not have the proper rights.
Is there a way to do this in code. I don't want to have to hard code a check for membership in Domain\Development rather I'd like to use asp.net to tell me if this current user has access.
This would be nice if the rules get more complicated etc. Also having this in one place enforces DRY (Don't Repeat Yourself).
Through a related question I found the answer. Call UrlAuthorizationModule.CheckUrlAccessForPrincipal. (Documentation is here.) You can give it a path and a user (such as Page.User for the current user), and it will tell you if the user can access that path.
I like this for exactly the reason you mentioned: You can put your access logic in one place.