I have added a web application to an existing site. The existing site uses basic authentication over https, but the new web application is running in a subfolder where I disabled basic authentication and enabled anonymous authentication (which is disabled for the rest of the site).
So a straight html page works as expected, you can access it without credentials. You can even see it yourself here: https://csssreg.fhcrc.org/physicianSurvey/faq.html
But I placed the new application's aspx page in this folder and I get the 401.2, as you can see here: https://csssreg.fhcrc.org/physicianSurvey/physicianPathologySurvey.aspx
I've been wracking my brain and straining my fingers googling this issue, but nothing solid has turned up. Does anyone have any suggestions as to how I can allow anonymous access to the aspx page? Any help would be greatly appreciated.
This:
<authorization>
<allow users="*" />
</authorization>
Grant access to any authenticated user.
To grant anonymous access you need to use
<authorization>
<allow users="?" />
</authorization>
It turns out there was an error in the global.asax that was causing the page to be redirected to a default error page, and that page was the 401 culprit. Go figure! But thanks to both commenter for at least helping me change my perspective just enough to get the thing.
Related
I am having the following issue happening randomly and am hoping someone can point me in the right direction.
My website is using Identity for logging in and the deny element in my application folder web.config to disallow unauthenticated users:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
99% of the time when a user logs in successfully they are allowed access to the applications start page BUT once in a while they are not allowed access and are returned instead to the sites home page which contains the "Login" link. I can tell the application recognizes the user as logged in because they are not returned to the login page which is what happens if someone tries to directly access a page via the URL that requires authentication. This is preventing users from accessing the application and the only thing that gets it working again is a restart of the web server at which point the logins work exactly as they should.
Does anyone have any ideas as to what could be happening here?
Thanks in advance for any ideas.
I have written a blog in basic of wif .. which also contain a small 3 page project too with web config setting .. I hope this will help you..
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I created deployment package of my site when I try to use it I get the following error:
The length of the query string for this request exceeds the configured maxQueryStringLength value.
and the adress bar looks like this.this doens't happen in visual studio
http://localhost/MyServer/Login.aspx?ReturnUrl=%2fMyServer%2fLogin.aspx%3fReturnUrl%3d%252fMyServer%252fLogin.aspx%253fReturnUrl%253d%25252fMyServer%25252fLogin.aspx%25253fReturnUrl%25253d%2525252fMyServer%2525252fLogin.aspx%2525253fReturnUrl%2525253d%252525252fMyServer%252525252fLogin.aspx%252525253fReturnUrl%252525253d%25252525252fMyServer%25252525252fLogin.aspx%25252525253fReturnUrl%25252525253d%2525252525252fMyServer%2525252525252fLogin.aspx%2525252525253fReturnUrl%2525252525253d%252525252525252fMyServer%252525252525252fLogin.aspx%252525252525253fReturnUrl%252525252525253d%25252525252525252fMyServer%25252525252525252fLogin.aspx%25252525252525253fReturnUrl%25252525252525253d%2525252525252525252fMyServer%2525252525252525252fLogin.aspx%2525252525252525253fReturnUrl%2525252525252525253d%252525252525252525252fMyServer%252525252525252525252fLogin.aspx%252525252525252525253fReturnUrl%252525252525252525253d%25252525252525252525252fMyServer%25252525252525252525252fLogin.aspx%25252525252525252525253fReturnUrl%25252525252525252525253d%2525252525252525252525252fMyServer%2525252525252525252525252fLogin.aspx%2525252525252525252525253fReturnUrl%2525252525252525252525253d%252525252525252525252525252fMyServer%252525252525252525252525252fLogin.aspx%252525252525252525252525253fReturnUrl%252525252525252525252525253d%25252525252525252525252525252fMyServer%25252525252525252525252525252fLogin.aspx%25252525252525252525252525253fReturnUrl%25252525252525252525252525253d%2525252525252525252525252525252fMyServer%2525252525252525252525252525252fLogin.aspx%2525252525252525252525252525253fReturnUrl%2525252525252525252525252525253d%252525252525252525252525252525252fMyServer%252525252525252525252525252525252fLogin.aspx%252525252525252525252525252525253fReturnUrl%252525252525252525252525252525253d%25252525252525252525252525252525252fMyServer%25252525252525252525252525252525252fLogin.aspx%25252525252525252525252525252525253fReturnUrl%25252525252525252525252525252525253d%2525252525252525252525252525252525252fMyServer%2525252525252525252525252525252525252f
Seems that you have circular navigation. Please give code of page load event of login.aspx and the 2nd page which you are accessing.
Just a hunch: it might be that your login page is not accessible for anonymous users. So it redirects to the login page, that in turn redirects to the login page.
Have a look at the web.config to set the proper access rights.
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It looks like your solution in Visual Studio has been built from one of the templates that has some sort of forms - based authentication built in. I'm pretty sure that you can disable this in the web.config.
i created some pages in asp.net. but i want to allow the users only if he is login. how to do that. is there any controls available for that one.
Thank you
In the web.config there is a section below <system.web> where you can add:
<authorization>
<deny users="?" />
</authorization>
It is normal that you put pages that requires login in a certain sub-directory and thus you can put a new web.config in that folder with the above lines inside <system.web>, this will prevent unauthorized access.
MSDN has a great section about Forms Authentication that I recommend you to read.
Yes, you need a login page that uses Forms Authentication.
See details here
When using a gridview and not logged into a asp.net website, the java scrpit does not appear to work.
If I am logged in as a user, any pages with gridviews work fine.
The only error I'm getting when checking the javascript with Firebug is
'ReferenceError: DES_ValOnSubmit is not defined.'
This is a reference to a Peter Blum javascript function, but have no idea why it would fail for anonymous users, and it does for logged in users.
Thanks for any help.
I'm not sure what your authentication scheme might be, but if you are using the authorization tags in the web.config file, you might need to make an explicit exception for your javascript if you are denying the anonymous user to sections of your web site. Something like this:
<location path="MyScriptFolder/MyPeterBlumJS.js">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can also just set the path to "MyScriptFolder" to allow all users access to your javascript as needed.