I have built an ASP.NET website for my companies intranet. It is utilizing windows authentication, we use active directory. What I want to do is restrict certain pages of this website (add, delete) so only a few people can access it. Any ideas on how to do this? I want to create groups in active directory so I can just add people to them and they automatically can access these restricted pages.
Thanks for any help
You just need to tell ASP.NET what to protect and how. This is done through your web.config settings. For example, if you change your web.config for your ASP.NET application to reflect the following:
<system.web>
<authentication mode=“Windows“ /> = Windows AD Auth
<identity impersonate=“true“/>
<authorization>
<allow users=“*“/> = Only allow authenticated users into the web site
<deny users=“?“/> = Deny unauthenticated users
</authorization>
</system.web>
Then add location config sections that only allow certain roles to visit certain parts of the application. Roles translate to Active Directory Groups, for instance:
<location path="Admin">
<system.web>
<authorization>
<allow roles=“BUILTIN\Administrators“ /> = only allow users of this AD Group
<deny users=“*“/> = Deny everyone else
</authorization>
</system.web>
</location>
This tells ASP.NET to only allow users within the Active Directory Group called "Administrators" to get access to the pages within that folder.
Also, the "path" setting of the location node in the web.config file can be set to individual files of your application if they are not separated out into a folder.
If your app is MVC, the location "path" variable corresponds to the path taken to invoke your endpoints. These are usually specified in your RouteConfig.cs file. For instance, if you have an MVC urls "website.com/viewA/show" vs "website.com/AdminView/show". To restrict access to viewA the path would be "viewA" and "AdminView" for restricting access to AdminView urls.
You would use the file/folder permissions to restrict users to those pages. So if you have a folder called HR with some pages in it, you would set the folder permissions on the HR folder to allow Read access to the HR group in Active Directory.
Related
Hello Im Having a domain
www.xxxx.com/folder/folder/default.aspx
inside the second folder im having lot of sub folders
i want to restrict access for unauthorized user
can any one explain how to do using Web
i want to check the User name[session ] from the Cookies
if session is there need to allow access other wise deney
can any one pls help
<system.web>
<authorization>
<deny users="?"/>
<allow users="xxxx"/>
</authorization>
</system.web>
Now its blocking all users its not allowing for user xxxx
Please help
The best way for doing this is setting the authentication mode to Windows. By doing this the server will use the domain accounts or the local user accounts to allow access. You just have to set the appropriate permissions to these users or to their user groups directly in this folder (by using the security tab in Windows folder properties).
Our client has a virtual file server setup which contains some PDF's he wanted to restrict. He thought they would be restricted from non-logged in users, however they've somehow turned up in google search results.
So my question is, if I setup forms authentication (he currently doesn't have any authentication) on his website, can I restrict access to any directory I want? For example, the path of the PDF's is on another server, mapped to the "S" drive like this:
S:\Files\PDFs\
Can I list this path somewhere in a config file to restrict it to only authenticated users?
Thanks
you can put this kind of web.config in the folder where pdf files are located , this will not allow unauthnicated user to access you files
<location path="FolderNameAuthenticationNeed" allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization> </system.web>
</location>
In ~/tools/ I have a webconfig file that contains the following:
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
Requests to ~/tools/mypage.aspx require the user to be in the admin role. If I use URL routing and have requests to ~/categories/mytools route to that above page, forms authentication does not require the user to be in the admin role. How do I use forms authentication on a virtual routed url?
So I need to add this to my webconfig:
for every virtual url that needs forms authentication? Seems repetitive if this has to be done with every url that is directed to a 'protected' destination page. Is there another solution?
Since ~/categories/mytools is not explicitly ~/tools the web.config authorization does not get called. Even with virtual routing. You will need to replicate the web.config files across the directories to achieve this affect. To avoid doing double duty, you might want to put these entries into the root web.config listing their specific directories or files for exact permissions.
I am building an ASP.NET 3.5 Web Application and I am NOT using the membership provider for security. In the application I have a role named Admin and all the files for this role are inside the Security folder in the project. Currently for all the pages inside the security folder I am checking to see if the logged in user's role is an Admin or not. This to me seems very redundant, can do something like "If the user is requesting a page inside the security folder then check his role". Is this possible?
You can place a separate web.config file in the Security folder that will deny access to every request to that folder if the user isn't in the Admin role.
Here's a quick walkthrough.
It would basically look like this:
<location path="Security">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
We have an existing publicly accessible web application with user controls, data access libraries, graphics, etc. We want to create a new secure section of the site that accesses some of the already existing resources.
Initially we created the new section of the site as a virtual directory which (we hoped) would allow us to access the parent site's resources. We added the appropriate location information to the base web.config (authentication and authorization) but we continue to see the following error "Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS."
In response to that error we created the directory as a new application. This allows us to authenticate properly but has the drawback of not being able to access any of the resources in the parent directory (since it's outside the application scope).
Is there any way to secure the new section of the site while at the same time utilize the already existing resources?
In your web.config file in the root of your site, if you add:
<location path="relativePathToDir">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This is working for me using FormsAuthentication, the user gets redirected to the default login page if not authenticated
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Remove the application, then add this to the top-level web.config:
<configuration>
<system.web>
<!-- applies application wide -->
</system.web>
<location path="securedirectory" allowOverride="false">
<system.web>
<!-- applies only to the path specified -->
</system.web>
</location>
</configuration>
MSDN Reference