I converted an existing website from ASP.NET 2.0 to ASP.NET 4.0.
Now when I see the network tab in Firebug I see the css files in my root/css folder are retrieved upon each request with 200 OK response. So they are not cached.
Although the css files I have in my aspnet Theme are getting cached. So I moved the /css folder files in Themes folder and those files are now cached.
Why are styles in folder other than Themes aren't cached? I wonder if I am missing some configuration setting?
P.S.: I am running the new website from VS2010/DevServer/FireFox.
The reason the files in css folder were retrieved on every request was because my website required login and has anonymous access denied.
In my web.config I had explicitly allowed all users to App_Themes folder and that is why it seemed to be cached. So I added the following to my web.config and no more additional request for those files.
<location path="css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Those css files weren't used on the home login page so never occurred it could be the access issue.
Related
I have this following section in my web.config file in ASP.Net 4.5 project.
I've added couple of .doc files into that folder.
Whenever I run the project (either logged in or logged out) through VS 2012, It allows me the direct access to the files inside that folder. I need to protect the anonymous users from accessing to the files.
HTTP://localhost/Test/Test1.doc
But when the URL is HTTP://localhost/Test it redirects me to login page.
<location path="Test">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
I wonder how it was working before in .Net Framework 4 on VS 2010.
It prevents the anonymous users from accessing to the content of the folder.
Did I miss any settings in my web.Config file using . Net Framework 4.5?
The problem with this is that ASP.net is not servicing the .doc files.
The web requests for those files are not being handled by.net so IIS allows the access directly.
This issue was answered by Joel on a similar thread: Here
Many Thanks to Joel!
I'm using asp.net mvc 2 and vs 2008.
I'm trying to make website with forms authorization. When i'm trying to restrict access to some pages, i'm using asp.net administration tool. There i create rule, for example, to deny access to anonimous users to whole web site. Administration tool, as expected, adds following section in the root web.config file:
<authorization>
<deny users="?" />
</authorization>
When i do same thing in some subfolder, as example %ApplicationRoot%/View/Protected, administration tool, as expected too, adds web.config file in mentioned subfolder, with following code:
<configuration>
<system.web>
<authorization>
<deny users="UserName" />
</authorization>
</system.web>
Prime difference between theese files is that root web.config authorisation section has some effect(generally speaking, it works as planned - denies all unauthenticated users from whole website). But subfolder web.config authorisation section have no effect at all.
I found that then added to root config file, following code
<location path="Protected">
<authorization>
<deny users="UserName" />
</authorization>
</location>
does the work greatly - it, as planned, denies %UserName% acces to all views, located in %ApplicationRoot%/View/Protected Folder.
This behavoir is simmilar with cassini and iis, i tried both.
The main problem is that i need kind administration tool to do the work, so i'm asking for any help with issue - why doesn't authorisation section works when web.config is located in subfolder?
P.S. I tried to place incorrect code in between <authorization> and </authorization> in subfolder's web.config:
<authorization>
asdfg
</authorization>
No effect. Probably the whole section is ignored due to some issue?
P.P.S. Incorrect code out of the authorization section in the same file causes an error
Your problem is that your application is not a classical ASP.NET Web Forms application.
What you're trying to do would work perfectly in Web Forms, but not in MVC.
In MVC world when browser requests page /People/SmartList it's not necessarily that it would be shown the /People/SmartList.cshtml from your project. In fact, your project could not even have the /People/ folder at all. The view (.cshtml file) which will be shown by MVC engine is determined by routes. And that MVC routing engine doesn't look at all at your web.config files, when it accesses those .cshtml files. Now, you can see, why your web.conig files are ignored.
But you're still able to do the authorization. Instead of using web.config files you should use the [Authorize] attribute and apply it to appropriate controller's action methods, or even to a whole controller class.
[Authorize(Users="UserName")]
public ActionResult ShowRestrictedData()
...
On the root of my webservice application, I have a directory which contains some html and txt files. These files should be accessed only to the authenticated user. How can I achive this?
This is the follow-up of my question: ASP.Net Directory Security
I implemented HttpHandler as suggested by Shark on that post. It allows html and txt files to handle but I can't show these files to the authenticated user too.
Update: I solved this issue by checking session on the handler. While hosting this on the server I faced another problem. i.e. my custom handler was not getting called. I got the cause and solution for that issue on: http://msdn.microsoft.com/en-us/library/bb515343.aspx
Cause:
By default, Internet Information Services (IIS) passes requests for
only certain file types to ASP.NET to service. Files with file-name
extensions such as .aspx, asmx, and .ashx are already mapped to the
ASP.NET ISAPI extension (Aspnet_isapi.dll).
Solution:
To have IIS pass other file-name extensions to ASP.NET, you must
register the extensions in IIS.
Whole Story: http://www.naveenbhat.in/2012/06/directory-security-on-webservice-with.html
If you are using ASP.Net Security (Forms/Windows authentication), you can simply control it by web.config settings. Like so:
<system.web>
<authentication mode="Forms">
</authentication>
<location path="directoryPath">
<system.web>
<authorization>
<deny users="?"/> // this will deny access to anonymous users
</authorization>
</system.web>
</location>
</system.web>
I have ASP.NET application with forms authentication. It works well but I have one directory with olly .txt files (no aspx files) that I want users not to access (or only logged in users).
I added web.config to this directory:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
EDIT:
This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory nor subdirectories however knowing .txt file name they can access it.
I tries IIS6 and IIS 7.5. On IIS6 .txt files are also restricted but on IIS 7.5 not so it may be IIS configuration issue.
Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.
No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6 you have to register the mime types such as the aspnet.isapi is called for .txt files as well.
UPDATE:
The configuration of
<deny users="*">
locks out all users. It would work only in combination with allow, e.g.
<allow roles="administrators" />
<deny users="*">
like this all users but administrators will be locked out. If a user is authenticated but not adminstrator, he will be redirected to the login page.
The other option is to lock out anonymous users only:
<deny users="?">
Add location section to the web.config with appropriate settings location Element (ASP.NET Settings Schema)
If you use IIS 7+, then you can use the system.webServer/security/authorization http://www.iis.net/ConfigReference/system.webServer/security/authorization section, and have that automatically work for any kind of content in any pipeline mode.
IF you still want to use system.web seciton, then you will need to use Integreated Mode and do the changes that are mentioned in the modules to run for all content, but by far, the simplest is use system.webServer/security/authorization instead.
I have just noticed a problem accessing a CSS file using forms authentication from an ASP.NET application.
Until I have logged in, then any styles I have set in my login page are not used, as IIS seems to be preventing the login page from accessing this file.
Is there an easy solution for this?
Place the css file in a publicly accessible folder. This will require a change in your web.config that will look something like this:
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Granted, this shouldn't be how you setup the permissions in the first place. The css folder ought always to be publicly accessible.
My CSS didn't display in the login page as well.
I noticed that Anonymous Access was using the IUSR account not the IIS_IUSRS account so I just added IUSR to the website folder and everything got back to normal.