Windows authorization in an asp.net mvc4 application - asp.net

I have an authorization error in my asp.net mvc4 application. My account admin of my machine is this one
My session properties:
In my web.config file I put this snippet:
<authentication mode="Windows" />
<authorization>
<allow users = "Lamloumi" />
<deny users="?"/>
</authorization>
When I launch the application, I can't access it.
What is the reason for this error? How can I fix my code?

Try to add domain name to allow:
<allow users="DomainName\UserName" />

Try to use this:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users = "Lamloumi" />
<deny users="?"/>
</authorization>
</system.web>
</configuration>

Related

How to allow access to a web folder only to authenticated users

My web application uses forms authentication mode.
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
There is a folder in my web application, named "Documentos", that has a lot of PDF files.
My program allows the user to load a PDF file using its URL address:
http://MyHost/MyWebApp/Documentos/1.pdf
However, I need to restrict that functionality only to authenticated users.
For that, I put in my web.config:
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But it doesn't make any difference. Anyone can still load any PDF file in folder Documentos doing:
http://MyHost/MyWebApp/Documentos/1.pdf
Can I accomplish what I'm looking for or should I approach it in a different way?
EDIT
Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
You have two options -
Option 1
Use ~/ if your web application is not root level.
<location path="~/Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Option 2
Create a web.config with the following content, and place it inside the Documentos folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...

How to prevent users from accessing files in folder?

I'm using Asp.Net Identity. I need to allow admins and deny users to access all pages in my management folder, so I've put a web.config file in that folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
But anybody can still access all files in the folder. I've also tried to put it into the main config file with a location tag, but no results. Have you any ideas where to start looking for a problem?
Update: I've found a question on asp.net forum which explains a lot:
http://forums.asp.net/t/1955560.aspx?ASP+NET+Identity+Are+web+config+files+no+longer+acting+in+the+capacity+of+a+security+guard+for+our+ASP+NET+applications+files+and+folders+
There is also one thing to mention: when creating a new web application project with ASP.NET Identity, Visual Studio 2013 sets these parameters:
<system.web>
<authentication mode="None"/>
</system.web>
and
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
</system.webServer>
Change your code to this; it prevents any user that isn't authenticated:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Try this:
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="[mymanagementfolder]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
MSDN SOURCE
If Directory Browsing is enabled in IIS then you should turn it off.
EDIT:
I think you should enable Forms/Windows authentication. The above code is working fine on my computer, as it redirects to ReturnUrl.
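The two rule sets posted in this thread differ only in their final deny rule. As an added example (not code from any post here), this Python model evaluates an `<authorization>` block the way ASP.NET URL authorization does: rules are checked top to bottom, the first match decides, and a request that matches nothing reaches the inherited machine-level `<allow users="*"/>`. It assumes an authentication module has already populated the user and roles, ignores the `verbs` attribute, compares names case-insensitively as a simplification, and uses the constructed principals alice and bob.

```python
import xml.etree.ElementTree as ET

# Rule ASP.NET inherits from the machine-level config; it is evaluated last.
DEFAULT_RULES = [("allow", {"*"}, set())]

def parse_rules(authorization_xml):
    """Return the <allow>/<deny> children as ordered (action, users, roles)."""
    def csv(value):
        # Simplification: names and roles are compared case-insensitively.
        return {v.strip().lower() for v in value.split(",") if v.strip()}
    return [(el.tag, csv(el.get("users", "")), csv(el.get("roles", "")))
            for el in ET.fromstring(authorization_xml)]

def rule_matches(users, roles, name, user_roles):
    """name is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    if "*" in users or ("?" in users and name is None):
        return True
    if name is None:
        return False
    return name.lower() in users or bool(roles & {r.lower() for r in user_roles})

def is_allowed(authorization_xml, name=None, user_roles=()):
    """Walk the rules top to bottom; the first rule that matches decides."""
    for action, users, roles in parse_rules(authorization_xml) + DEFAULT_RULES:
        if rule_matches(users, roles, name, user_roles):
            return action == "allow"
    return False  # unreachable: the default rule matches every request

# The two rule sets from this thread, reproduced as inline strings.
DENY_ALL = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
DENY_ANON = '<authorization><allow roles="Admin"/><deny users="?"/></authorization>'

# Constructed principals: (label, user name or None, roles).
PRINCIPALS = [("anonymous", None, ()),
              ("bob (no Admin role)", "bob", ("User",)),
              ("alice (Admin)", "alice", ("Admin",))]

def access_table(authorization_xml):
    """Map each constructed principal to True (allowed) or False (denied)."""
    return {label: is_allowed(authorization_xml, name, roles)
            for label, name, roles in PRINCIPALS}

if __name__ == "__main__":
    for title, xml in (("deny users=*", DENY_ALL), ("deny users=?", DENY_ANON)):
        print(title, access_table(xml))
```

With the `<deny users="?"/>` variant, bob matches neither rule and is admitted by the inherited default allow; with `<deny users="*"/>` only alice gets in.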

Unauthenticated user access to a URL with location element is not working

I am using ASP.NET forms authentication for my web app. I have a folder to which I would like to grant access to unauthenticated users. I am using IIS 7 and the app pool is in the integrated mode. As a test, I created hello.txt inside ScriptsHandlers folder. When I try to browse it using IIS, I get redirected to the login page despite the location element. Also, when I am running my application, I get 401 Unauthorized errors when querying asmx web services stored in the folder.
Here is a snippet of my web.config:
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Views/Login.aspx" name=".ASPXFORMSAUTH" cookieless="UseUri" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
Allow access to everything inside ScriptsHandlers folder
ScriptsHandlers Or /ScriptsHandler depending on where you keep this web.config
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

asp.net web.config authorization attributes working in visual studio, but not on publish

Thanks for any help.
Edit
this has been altered from the initial question, as no answers had been posted, and the problem evolved in more detail
I am trying to complete an asp.net 4.0 web application. I am struggling to manage folder based authorization.
a sample of the XML from the web.config:
<location path="~/drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/wardAdmin">
<system.web>
<authorization>
<allow roles="wardAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/websiteAdmin">
<system.web>
<authorization>
<allow roles="websiteAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/personalAccount">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
The authorization works beautifully when the web application is started via visual studio.
When I publish to a local directory on my machine with the same web.config file, the authorization allows anonymous users into the wardAdmin and personalAccount folders ONLY (i.e. works appropriately for the other folders).
Has anyone come across a similar problem and know a solution? Thanks
Replacing the tildes fixed the problem:
<location path="drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>

Allow access for unauthenticated users to specific page using ASP.Net Forms Authentication

I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- path here is the path to your register.aspx page -->
<location path="register.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to register.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
For more detail follow the below link
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and want to restrict access to the rest of the site only to logged-in / authenticated users, i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<!-- this will restrict anonymous user access -->
<deny users="?"/>
</authorization>
</system.web>
<!-- path here is the path to your special.aspx page -->
<location path="special.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to special.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
