I have web.config's spread throughout my app that sets authorization like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Authors" />
<allow roles="Editors" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
I need to provide access to all *.sitemap files regardless of the authorization permissions in the web.config's. Is this possible, hopefully just set once from the root web.config?
Related
I'm probably missing something easy here, but I have an ASP.NET website that uses Identity and roles, and I'm trying to restrict access to a folder containing some MP4 videos so that anonymous users cannot see direct links to those videos.
I had this in my web.config for the folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
The asp:LoginView control works fine with this setup, but the videos return a 401 error.
I tried this as well with the same result:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
If I remove everything from the authorization tag, then it works so I know all the paths are right and something about the authorization setup is preventing it from serving that video.
I also tried calling out the Files directory individually like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, this makes it so that I can access the video link even when not logged in (which is what I am trying to prevent).
If I try to do a role based setup for the Files subfolder like this (which I don't think should be any different from the first version) then I'm back to getting a 401 on the video, even when logged in:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
What am I missing here?
I modified my answer. I think the following is what you are looking for:
How to prevent anonymous users from accessing a file using forms authentication?
I'm using Asp.Net Identity. I need to allow admins and deny users to access all pages in my management folder, so I've put a web.config file in that folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
But anybody can still access all files in folder. I've also tried to put it into main config file with location tag,but no results. Have you any ideas where to start looking for a problem?
Update: I've found a question on asp.net forum which explains a lot:
http://forums.asp.net/t/1955560.aspx?ASP+NET+Identity+Are+web+config+files+no+longer+acting+in+the+capacity+of+a+security+guard+for+our+ASP+NET+applications+files+and+folders+
There also one thing to mention. When creating new web application project with asp.net Identity. Visual Studio 2013 sets these parameters:
<system.web>
<authentication mode="None"/>
</system.web>
and
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
<system.webServer>
change your code to ** ** it prevent any user that aren't authenticated:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
try this
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="[mymanagementfolder]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
MSDN SOURCE
If Directory Browsing Is enabled in IIS then you should turn it OFF
EDIT:
I Think You Should Enable Form/windows authentication. Above code is working fine on My Computer as It redirects to ReturnUrl
Heey Stackoverflowers
My question is: how do I protect a Page using web.config or Global.asax?
Example:
Direct url www.Yoururlhere.com/Account/Edit.aspx is currently accesible from url bar, but that is not what I want. I have a login page already with database etc working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as following:
<?xml version="1.0"?>
<configuration>
<system.web>
<location path="Edit.aspx"/>
</system.web>
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You are writing in the wrong way. It should be like...
<configuration>
<location path="Account/Edit.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I am having problems allowing a specific Role access to a specific page in a subdirectory.
My ASP.NET application has a directory, ~/Forms/Administration that has limited access. There is a specific file, ~/Forms/Administration/Default.aspx that I want to give 1 additional user role access to, as well as the Admin role.
In ~/Forms/Administration, I have a web.config file that looks like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, User" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Forms/Administration/Default.aspx">
<system.web>
<authorization>
<allow roles="Administrator, User, AdditionalUser" />
</authorization>
</system.web>
</location>
</configuration>
The Admin user works just fine, but AdditionalUser always fails. I've tried a number of things - listing the location as
<location path="Forms/Administration/Default.aspx">
And as
<location path="~/Forms/Administration/Default.aspx">
Is the deny="*" from the first generic rule taking precedent? I tried changing
<deny users="*"/>
To
<deny users="?"/>
But that ends up giving AdditionalUser access to everything. Suggestions?
EDIT: I tried putting the location specific allow before the generic deny rule, in case order mattered. Same problem.
UPDATE: I am clearly missing something here: I removed the deny * config, and left only the location specific section. Then, instead of allowing on certain roles, I set that one to deny all (*). However, it is not denying me at all when I login. I even reduced the rule to not be file specific, but apply to the whole directory, and it's not denying me anything. However, the original non-location specific rules do work, so I know this config file is being read.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="Forms/Administration">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
Two things:
The location is relative to the web.config file, so if your web.config is already in /Forms/Administration it should be corrected to be:
<location path="Default.aspx">
<system.web>
<authorization>
<allow roles="Administrator, User, AdditionalUser" />
</authorization>
</system.web>
</location>
To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:
<deny users="*" />
<allow users="Administrator" />
Administrator will be denied since it matched the first entry of deny... even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:
<allow users="Administrator" />
<deny users="*" />
In Summary
If I am reading what you want correctly, this is probably the final product you want:
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, User" />
<deny users="*"/>
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow roles="AdditionalUser" />
</authorization>
</system.web>
</location>
</configuration>
I have implemented forms authentication using the below mentioned code. My login URL is "Login.aspx". With these settings my site images do not get loaded on login.aspx.
However if I comment the authorization section the images are displayed.
<authentication mode="Forms">
<forms name="TBHFORMAUTH" defaultUrl="~/User/Default.aspx" loginUrl ="~/Login.aspx" cookieless="AutoDetect" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Why this behaviour?
You can add a separate Web.config file to the Images folder that does not need user control. The Web.config file should only contain the following to give full access:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Another approach is if all pages that are limited by usercontrol are located in a sub folder (i.e. Users), then you can give full access in the main Web.config. and have a separate Web.config in the Users folder containing:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>