In my /scripts folder, I have an "admin" subfolder (/scripts/admin).
How can I prevent anonymous access to this folder? I need only logged in admins to have access to this folder/files (and its subfolders).
I've tried this in web.config, but it doesn't work...
<location path="scripts/admin" allowOverride="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Any idea?
I'm not sure if this is a good idea but you could try the following
move the content of your scripts/admin to App_Data, content of this
folder will never gets served by the web server.
create a new controller with just the one action method that accepts
a filename argument and returns the file with the matching name from
the App_data folder
make sure this controller can only be accessible by an admin using
the Authorize attribute.
Related
I am trying to limit folder access to allow only users with the admin role access using the following Web.config file:
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
This file is located under the sub-directory "Views/Admin/". I have another file located under "Views/Admin/Main/" that only the admin should have access to (based on the above rules), however all test cases allow any anonymous user to access the file. I am currently only working with localhost, in case that makes a difference.
The problem is that any users are being granted access to these files. Are there any extra steps that must be taken in order for the Web.config file to be recognized?
I currently access the page through an "Admin" button, and this wrongly allows any user to access the admin page (Note that I also have code here that hides this admin button when the user is not an admin that seems to work):
<li>#Html.ActionLink("Admin", "Admin", "Admin")</li>
Using the following Web.config file still allows users access to the web page which makes me think there is simply an extra step that I missed along the way (Note that not even the admin should be able to access the page with these rules):
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Any idea what I'm doing wrong?
Why aren't you using the [Authorize] attributes in your controllers, using the built-in ASP.Net identity mechanisms?
https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Or did I completely misunderstand the question?
I have a directory contains some documents,
i would like to allow access to files on this directory only if the user successfully logged in to a website.
the login users and passwords managed by aspNet Membership tables and stored at the DB.
if the directory was sitting on the website is would be easy since it restricted by default
but physical path of the directory is not inside the website
and i prefer to leave it that way, since this directory can be access from another website
how to solve this?
thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Its not possible to navigate outside of a website directory as it is outside scope of your website and no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
string filename = #"F:\SomeDirectory\Foo.txt";
Response.TransmitFile(filename);
Then you can just set authentication on this page, for example called DownloadFile.aspx.
How to restrict directory level access to only authenticated users? I need www.testpage.net/help to be accessible only for authenticated users + help folder contains only pure html files.
Can I do this?
Currently uses can log into www.testpage.net.
You can have a web.config file with the access list defined there. So, in other words, in your Help directory, have a web.config file that contains something like:
....
<authorization>
<deny users="?" />
</authorization>
....
i have one subfolder called MySubFolder in my web form project and i want that all the page in that folder will be protected by form authentication. so i search google to do it. i got a xml snippet which i need to put in my main web.config file. the xml snippet as follows
<location path="MySubFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
so i want to know that does it protect all files in my subfolder? plzz let me know. thanks
Yes, it protects all folder content. And sub-folders' content too (except case when you allow access to sub-folder manually). I.e. with you configuration and next project structure
only authorized users will have access both to MySubFolder/Test.aspx and MySubFolder/MySubFolder2/Test2.aspx.
On my Login.aspx page, before the user is authenticated I need to run some javascript that is defined in a file. The javascript file doesn't seem to be found. I believe this is a problem caused from the user not being allowed to access this content and when the server attempts to download this file it is redirected to login. So I added this to my web.config:
<location path="Scripts">
<system.web>
<authorization>
<allow users="*" />
<deny roles="none"/>
</authorization>
</system.web>
</location>
However, still not working. I get redirected when I take the path to the js file and put it in URL, as well.
If you're using IIS 7 the reason can be the same as with CCS and image files. You will have to give access to IUSR Anonymous user account to your folder that contains your css or images or js files. Check this post for more info.