ASP.NET Roles and Membership - asp.net

I am quite new to ASP.NET technologies
<configuration>
<system.web>
<authorization>
<allow roles="Agency,Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have the above web.config for a folder, there is a requirement to give an elevated priviledge to some users in Agency role to access a page called AddOrganisation.aspx.
To solve this, I think I can add the following markup to the web.config but this will be static
<location path="AddOrganization.aspx">
<system.web>
<authorization>
<allow users="wale, etc, etc"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
How can I enable adding users programmatically instead of updating the web.config for each change?
I will be grateful for your responses. Thank you

You should not make changes the web config at runtime, this will restart your application, every time you add a user. MSDN says this
Configuration Changes Cause a Restart of the Application Domain
Changes to configuration settings in Web.config files indirectly cause
the application domain to restart. This behavior occurs by design. You
can optionally use the configSource attribute to reference external
configuration files that do not cause a restart when a change is made.
For more information, see configSource in General Attributes Inherited
by Section Elements.
Instead you should give those users a different role, so that only those users can access the
"AddOrganisation.aspx" page.
Or else you can also do another thing if you dont want to create another role for these users. You keep on adding these users to a table and whenever a request is made to the page you can check if the users name is present in the table or not and then allow/deny the user.

Related

Web.config file does not seem to affect server

I am trying to limit folder access to allow only users with the admin role access using the following Web.config file:
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
This file is located under the sub-directory "Views/Admin/". I have another file located under "Views/Admin/Main/" that only the admin should have access to (based on the above rules), however all test cases allow any anonymous user to access the file. I am currently only working with localhost, in case that makes a difference.
The problem is that any users are being granted access to these files. Are there any extra steps that must be taken in order for the Web.config file to be recognized?
I currently access the page through an "Admin" button, and this wrongly allows any user to access the admin page (Note that I also have code here that hides this admin button when the user is not an admin that seems to work):
<li>#Html.ActionLink("Admin", "Admin", "Admin")</li>
Using the following Web.config file still allows users access to the web page which makes me think there is simply an extra step that I missed along the way (Note that not even the admin should be able to access the page with these rules):
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Any idea what I'm doing wrong?
Why aren't you using the [Authorize] attributes in your controllers, using the built-in ASP.Net identity mechanisms?
https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Or did I completely misunderstand the question?

How to restrict unlogged/unauthorized users from viewing web pages in ASP.NET

I have some created web forms and I need to check whether the user is authenticated or not, before displaying the other web forms. All the users can access Default.aspx and About.aspx pages.
And I have three types of users namely- Admin,User and Super User. Also, I keep the authentication details in my own SQL server db.
How can I do this?
Thanks in advance!
First establish membership and role provider. There is whole story about it. I will give a help here.
Here is link to SqlMembershipProvider (one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx
Here is link to SqlRoleProvider (again only one of the options you can take)::
http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
After you have established this you can limit user/role access on folder level. Put this code to web.config (inside configuration tag):
<location path="AdminPages">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="UserPages">
<system.web>
<authorization>
<allow roles="Administrator,User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Here is little explaination. Root folder "AdminPages" will be alowed only to users in role "Administrators". Root folder "UserPages" to users in role "Administrator" and "User". In both cases unknown users will not be allowed to access folders. This is all you need. Alternative to this is to create class that inherits from Page and then there handle page access... however I would not go that way.

Need to show pages without logging in (asp.net)

I am using
<authentication mode="Forms" >
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH" />
</authentication>
Every thing works fine except that, there are some pages like About Us, Contact Us, Privacy Policy etc, which do not need to login to view them.
In my case i need to login to view all pages. I want these common pages to be viewable without having to log on.
I have tested my application on local IIS as well as on deployment server, but same problem occurs.
Please help!
Thanks for sharing your valuable time.
You need to create exceptions to your security policy:
<!-- files in the "Public" folder don't require authorization -->
<location path="Public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Alternately, you can make page-specific exceptions:
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Appearantly you want some pages to be available without logging in. The way to go about this is to set permission on subdirectories instead of the website root, and put these pages in the web root (usually they are in teh root)
If thats too much work, put your pages in a directory and allow anonymous users to access it.
There could be a large number of possible answers to such an open question. We will need more specifics to answer. Here are just a few places to look:
Have you checked your web.config file to see if anonymous authentication is off?
Have you checked the web.config to see if you are denying anonymous users access to your root directory?
Have you checked IIS to see if anonymous authentication is off?
Have you checked the pages' source code files to see if you are doing manual denial of service to anonymous users?

Authorization settings for a folder in ASP.NET

I have an asp.net web site, I want restrict all users to access a folder named "log" and I have this element in web.config:
<location path="log">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
to avoid this confusions I usually create one web.config file at the directories i need to set different permissions.
If you place a web.config file inside your log folder it will work ok (and it will become easier to check the applied permissions at the folder)
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

ASP.NET Web Service inside Forms Authentication Application

I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc...), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.
I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.
My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.
However, I'm not finding a way to selectively disable forms auth.
Question: Is there a way to do this? I've tried the <location> tag in web config to no avail.
If not, what are your recommendations for how to set this up? I can think of the following options:
1) Create a new "Services" project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).
2) Create a separate "Services" solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)
3) ??
Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/Services/MyService.asmx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I would think the location tag would work, where you specify the services folder and allow all users, something like:
<location path="services">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
But you said that didn't work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?
You could also have a (overriding) web.config file in the services folder with the access control set to anonymous.
what worked for me was to allow users all users access in the folder where my webservices is located.
Firstly i added a configuration file in that folder and inserted the code below to allow all users.
<authorization>
<allow users="*"/>
</authorization>
</system.web>

Resources