I googled a lot but did not find an answer:
I have a webservice which requires windows-authentication.
part of my web.config
<!-- added for security reasons, in case of archiving from unix-clients remove it -->
<location path="Archive.asmx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
All windows-users can access this webservice normally.
BUT there is a service on a linux-server which should also use this webservice. So I want to allow the IP-Address of the Linux-server to call this webservice without authentication.
I don't want to remove the need to authenticate for all IPs (or users), only users from the linux-server should be able to access the webservice without authentication.
Related
Working on custom authentication module for ASP.NET WebForms application. Almost finished but have one not implemented issue yet... how to check that authorized user has permission to get access to the page?
The application has web.config with:
<location path="SomePage.aspx">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
How to check from the custom HttpModule the page, that was just requested, allowed to be shown to authorized user?
UrlAuthorizationModule.CheckUrlAccessForPrincipal
http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal.aspx
I have some created web forms and I need to check whether the user is authenticated or not, before displaying the other web forms. All the users can access Default.aspx and About.aspx pages.
And I have three types of users namely- Admin,User and Super User. Also, I keep the authentication details in my own SQL server db.
How can I do this?
Thanks in advance!
First establish membership and role provider. There is whole story about it. I will give a help here.
Here is link to SqlMembershipProvider (one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx
Here is link to SqlRoleProvider (again only one of the options you can take)::
http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
After you have established this you can limit user/role access on folder level. Put this code to web.config (inside configuration tag):
<location path="AdminPages">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="UserPages">
<system.web>
<authorization>
<allow roles="Administrator,User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Here is little explaination. Root folder "AdminPages" will be alowed only to users in role "Administrators". Root folder "UserPages" to users in role "Administrator" and "User". In both cases unknown users will not be allowed to access folders. This is all you need. Alternative to this is to create class that inherits from Page and then there handle page access... however I would not go that way.
I have a directory on the root of my website which contains some files(usually html). These files should be accessed only for the logged-in user. How can I achieve this? I believe this could be done using impersonation but I don't have any idea about how exactly I can implement it. Could you please guide me on right direction?
Currently, I have added these settings to my Web.config file:
<location path="TestData"> <!-- 'TestData' is the directory which I want to deny access for -->
<system.web>
<identity impersonate="true"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Is there anything that I have to do in coding?
PS: This is a webservice application.
Update: It works partially!!! to be specific:
It denies only the .aspx pages and even the logged-in user too cannot access the files.
I'm using Windows authentication.
You don't need to impersonate. If you have forms or windows authentication, your <deny users="?"/> will deny all anonymous users. To answer your question: no, you don't have to explicitly deny any users within your code.
How to: Implement Simple Forms Authentication
In order to secure non-ASP.NET files, you will need to register an HttpHandler that will do this. Please see this reference on how to register the handler.
you don't need impersonate. Impersonate is for making the app run as a different user from the user of the app pool in iis. source
If you're using forms/windows authentication then
<authorization>
<deny users="?"/>
</authorization>
should be enough and will block users who are not logged in
You need to add
<authorization>
<deny users="?"/>
</authorization>
in <system.web></system.web>
And use form authentication like
[Update] : As you use windows authentication see
MSDN
I have an app with two pages: pagein.aspx and pageout.aspx. Pagein.aspx must be accessible ONLY to intranet users of my company, but pageout.aspx must be accessible to extranet users (world). My last option is to use the authorization (user and password), but I prefer to use the logic I described. Is this possible in asp.net? If yes, how?
You can do this via web.config
<location path="Pagein.aspx">
<system.web>
<authorization>
<allow users="*" allow role="YourDomain\Domain Users" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="PageOut.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The simpler solution is to have two websites (two virtual directories), in one enable windows authentication: http://msdn.microsoft.com/en-us/library/ff647405.aspx
In the other, use ASP.NET membership, or leave it public and accessible by anonymous users.
If you need both in the same application, then use the various authorization techniques to require authorization for some pages and leave other pages open to the public.
I have a web application and I want to provide anonymous access to a couple of the web services in it so that we can access the web services from computers without a windows login on our network.
I've tried the stuff here Disable authentication on subfolder(s) of an ASP.NET app using windows authentication. I've done this:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
...
<location path="Tests/QService.asmx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
These both "work" in that they allow access to the web service for anonymous users. However, it seems that IIS still sends an authorization challange because when I access the service from a browser I get a box to enter my username and password. If I hit cancel I get access to the page anonymously. However, some of our clients don't handle this well and just fail because of the 401 return code.
Is there a way to completely disable the windows authentication on that single location such that IIS will not try and establish a windows authentication?
You need to disable Windows Authentication on the Virtual Directory for that single location. Then you shouldn't be challenged.