ASP.NET web.config restrict access - asp.net

So,
Not done anything in ASP.NET in a long time, I'm restricting a specific page if the user isn't logged in. I've done this a thousand times and have no idea why it's not working.
Root:
file: web.config.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<authentication mode="Forms">
<forms loginUrl="restricted.aspx"/>
</authentication>
</system.web>
</configuration>
In the folder containing restricted file:
file: web2.config
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>`
Any idea's what I'm missing?
Cheers.

Related

Restrict access to entire website

How can I restrict access to the root folder and all sub folders of my website? I have an ASP.Net Webforms application using Identity for authentication. Users will have accounts created for them. When a user goes to the website the first thing they should see is the login page. I've tried "/", "~/", "", values in the Location tag, as well as simply not having the location tag in the web.config file but none of these produces the desired result.
<location path="/">
<system.web>
<authorization>
<allow users="user1#mydomain.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<pages>
<namespaces>
<add namespace="System.Web.Optimization"/>
<add namespace="Microsoft.AspNet.Identity"/>
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
</controls>
</pages>
<membership>

Remove the <location> element and try the following config:
<system.web>
<authentication mode="Forms">
<forms name="FormsAuth" loginUrl="/your-login-path" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
There may be further adjustments you'll need to make on the <forms> element depending on your enviroment/setup etc, but this should get you going.
EDIT
The above doesn't work for ASP.Net Indentity. The only way I could get this to work was creating individual <location> elements for every page, in the root and subfolder web.config, explicitly denying or allowing users as needed.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
...
</system.web>

In your Root Web.Config Add:
<authorization>
<deny users ="?"/>
</authorization>
In your Account/Web.Confing Add:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
That worked for me

Setting start page in web hosting ASP.NET

Parallel Plesk is not opening default page on my domain name which I've set in the default directories, instead it is opening a login page of my ASP.NET web application. However it opens default page on my domain name once I logged in by giving right credentials.
Here is my web.config file:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<httpRuntime targetFramework="4.5" maxRequestLength="20896" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="UserPanel.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

If you are hosting on IIS (7 or later), inside the <system.webServer> (of your web.config) add:
<defaultDocument>
<files>
<clear/>
<add value="UserPanel.aspx" />
</files>
</defaultDocument>

IIS, denying access to static files; What is wrong with this example?

I am trying to get the simplest example of allowing access by default, denying access unless authenticated to specific directories in IIS, to work. When you Google around, everyone says it's as simple as this:
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Somehow it hasn't been for me.
Here's the project structure:
Here's the Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/" />
</authentication>
<authorization>
<!--<deny users="*"/>-->
</authorization>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The goal is to allow all users to access index.html and to deny access to everything in pages.
Here's my observations:
<!--<deny users="*"/>--> works when un-commented.
It doesn't work at all without <modules runAllManagedModulesForAllRequests="true" />. Remove this, deny doesn't work anywhere.
The deny in <location path="~/pages"> doesn't work. Setting the path to pages or pages/secure.html or ~/pages/secure.html also doesn't work.
What's the problem here?

it doesn't like the path "~/pages" . The following works for me
<configuration>
<system.web>
<authentication mode="Forms"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"></modules>
</system.webServer>
<!-- note the change below -->
<location path="pages" >
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>

ASP.NET Login system

I have created a login system to my website. This login system is supposed to protect one page only (Meaning that there is one page that requires users to login to see it).
My problem is:
Since I created this login system, all my other 8 pages now require validation. This is not my intention, and I have been searching like crazy for a solution, but no luck.
My web.config file looks like this:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="MySql.Data, Version=5.0.9.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="30" /> <!--name =".ASPXFORMSAUTH"-->
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
The only page that requires log in is called Default.aspx
The rest of my pages should be public to all users. How can I achieve this?
Thanks

You can do it by using location element within web.config file.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

Use "location" in your web.config and specify the directory you want to be protected. Here's a nice example:
http://www.codefixer.com/asp-net/tutorials/protecting-folders-with-forms-authentication.asp

ASP.NET web.config authorization settings ignored

I was searching for some solution but can't find one. There is this and this ones but can't found and answer there. Im developing an asp.net application on ASP.NET development server. I have the following web.config in my root asp.net folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="4df5d465h"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
My image folder is together my main web.config at root asp.net application folder.
Inside the image folder I put the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I put role attribute after to see if its work.
I wrote the main web.config in this way too:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="3D45C7D8B0B0C"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="~/image">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
But the login page never can load the images
In design mode, inside visual studio editor, the image load in login.aspx page then image tag must be ok.
What I'm doing wrong?? Thanks a lot.
#nico, thanks a lot for format my question. No im not rewriting nothing. Its most simple and default asp.net application possible. Its default template asp.net application with an link on Default.aspx and a simple login.aspx page, its a test project, the login form works but the image doesn't load.
#Chris_Lively, yes there is a web.config in image folder, its web.config with <'allow roles='*'>, i checked, the folder is named image\ , the src of image tag point to image\ its getting me crazy

Your config file contains error - 'roles'-tag cannot use asterisk, you should define specific role name (allow element) or dont use it at all.
You'll see error message 'Parser Error Message: Authorization rule names cannot contain the '*' character' in fiddler.
I think it was reason of your problem.

Resources