How to prevent users from accessing files in folder? - asp.net

I'm using Asp.Net Identity. I need to allow admins and deny users to access all pages in my management folder, so I've put a web.config file in that folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
But anybody can still access all files in folder. I've also tried to put it into main config file with location tag,but no results. Have you any ideas where to start looking for a problem?
Update: I've found a question on asp.net forum which explains a lot:
http://forums.asp.net/t/1955560.aspx?ASP+NET+Identity+Are+web+config+files+no+longer+acting+in+the+capacity+of+a+security+guard+for+our+ASP+NET+applications+files+and+folders+
There also one thing to mention. When creating new web application project with asp.net Identity. Visual Studio 2013 sets these parameters:
<system.web>
<authentication mode="None"/>
</system.web>
and
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
<system.webServer>

change your code to ** ** it prevent any user that aren't authenticated:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>

try this
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="[mymanagementfolder]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
MSDN SOURCE
If Directory Browsing Is enabled in IIS then you should turn it OFF
EDIT:
I Think You Should Enable Form/windows authentication. Above code is working fine on My Computer as It redirects to ReturnUrl

Related

location path deny does not block in system.web for static folder

What I am trying to deny users to access to static folder:
<location path="log4">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
But this fails.
I found this Q&A for my question:
First answer is solution to my question:
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Uploads"/>
</hiddenSegments>
</requestFiltering>
</security>
That's good.
But when I look closer to my web config, I have other sections that may restrict or allow users to access folder such as images or css, but below are not considered for input requests it allows any one access them.
<location path="images">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
In the same thread second most upvoted answer, I would exprect it works but not.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
This might be a solution to my second part of question:
<modules runAllManagedModulesForAllRequests="true"></modules>
However as noted here this cause performance issue.
Here is also mentioned set up handler for example .xml files but I need at folder level.
My question how to deny/allow access to static folder content with location path with out seting runAllManagedModulesForAllRequests to true.
My application works with form authentication and on applicaton pool .net 2.0 with integrated mode.
You could set deny users in web.config as below:
<location path="s3">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
You could also refer below article for more detail:
Setting authorization rules for a particular page or folder in web.config
Regards,
Jalpa.

How to allow access to a web folder only to authenticated users

My web application uses forms authentication mode.
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
There is a folder in my web application, named "Documentos", that has a lot of PDF files.
My program allow the user to load a PDF file using its URL address:
http://MyHost/MyWebApp/Documentos/1.pdf
However, I need to restrict that functionality only to authenticated users.
For that, I put in my web.config:
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But it doesn't make any difference. Any one can still load any PDF file in folder Documentos doing:
http://MyHost/MyWebApp/Documentos/1.pdf
Can I accomplish what I'm looking for or should I approach it in a different way?
EDIT
Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Yo have two options -
Option 1
Use ~/ if your web application is not root level.
<location path="~/Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Option 2
Create a web.config with following content, and place it inside Documentos folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...

Allow anonymous authentication for a single folder in web.config?

So here is the scenario, I have an Asp.Net application that is using a custom authentication & membership provider but we need to allow completely anonymous access (i.e.) to a particular folder within the application.
In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config file as described here
To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.
Does anyone know otherwise?
Many thanks
The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.
First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.
Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Use <location> configuration tag, and <allow users="?"/> to allow anonymous only or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="ForAll/Demo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In Addition: If you want to write something on that folder through website , you have to give IIS_User permission to the folder
To make it work I build my directory like this:
Project
Public
Restrict
So I edited my webconfig for my public folder:
<location path="Project/Public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
And for my Restricted folder:
<location path="Project/Restricted">
<system.web>
<authorization>
<allow users="*"/>
</authorizatio>
</system.web>
</location>
See here for the spec of * and ?:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/add
I hope I have helped.
I added web.config to the specific folder say "Users" (VS 2015, C#)
and the added following code
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Initially i used location tag but that didn't worked.

How do you protect a page using a web.config file?

Heey Stackoverflowers
My question is: how do I protect a Page using web.config or Global.asax?
Example:
Direct url www.Yoururlhere.com/Account/Edit.aspx is currently accesible from url bar, but that is not what I want. I have a login page already with database etc working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as following:
<?xml version="1.0"?>
<configuration>
<system.web>
<location path="Edit.aspx"/>
</system.web>
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You are writing in the wrong way. It should be like...
<configuration>
<location path="Account/Edit.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>

View images in the login page

All the users have to do the login before access to my site.
So i insert this code in web.config file:
<authentication mode="Forms">
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/index.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
It works but the login page is rendered without images..
How can i do?
thanks
You need to modify the security on your image directory to allow unauthenticated users access. You can do that one of two ways:
1) You can add another Web.Config to the image directory that contains:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
2) Update the Web.Config in your root directory with a location-specific rule:
<location path="images/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Either change should fix the problem.

Resources