I have a file called index.asp in my application under the below structure MyApp/Admin/index.asp
This file has an entry
<!--#INCLUDE VIRTUAL="/dbinfo/MyFile.asp"-->
I have a virtual Directory created at the MyApp level in IIS7.5 and I can see the MyFile.asp in the dbinfo virtual directory. However when I access it in the code I am getting the below error in the IIS Logs:
GET /MyApp/Admin/index.asp |30|ASP_0126|Include_file_not_found 80
This code works just fine in IIS6.0. We need to upgrade to 7.5 now and are running into this issue. When I place the file in the same directory as my code and access it as below it works just fine.
<!--#INCLUDE FILE="MyFile.asp"-->
Below is my web.config fine for reference.
<configuration>
<system.webServer>
<directoryBrowse enabled="true" />
</system.webServer>
<system.web>
<compilation debug="true" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
<identity impersonate="false" />
</system.web>
</configuration>
Please advise.
Related
I have a site that uses OWIN authentication. All works perfectly, however, I need to restrict access for this site before placing it to the public.
To accomplish this, I want to make the system to present the windows authentication dialog box before the home page is loaded.
I put this in web.config of the site:
<system.web>
<customErrors mode="Off" />
<compilation targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
<globalization culture="es-CL" uiCulture="es" />
<authorization>
<deny users="?"/>
<allow users="Demo" />
</authorization>
</system.web>
But the home page does not work.
when I try to load home page, this actual URL is loaded:
http://demo.site.cl/Security/Account?ReturnUrl=%2FSecurity%2FAccount%3FReturnUrl%3D%252FSecurity%252FAccount%253FReturnUrl%253D%25252FSecurity%25252FAccount%25253FReturnUrl%25253D%2525252FSecurity%2525252FAccount%2525253FReturnUrl%2525253D%252525252FSecurity%252525252FAccount%252525253FReturnUrl%252525253D%25252525252FSecurity%25252525252FAccount%25252525253FReturnUrl%25252525253D%2525252525252FSecurity%2525252525252FAccount%2525252525253FReturnUrl%2525252525253D%252525252525252FSecurity%252525252525252FAccount%252525252525253FReturnUrl%252525252525253D%25252525252525252FSecurity%25252525252525252FAccount%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FSecurity%2525252525252525252FAccount%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FSecurity%252525252525252525252FAccount%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FSecurity%25252525252525252525252FAccount%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FSecurity%2525252525252525252525252FAccount%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FSecurity%252525252525252525252525252FAccount%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FSecurity%25252525252525252525252525252FAccount%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FSecurity%2525252525252525252525252525252FAccount%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FSecurity%252525252525252525252525252525252FAccount%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FSecurity%25252525252525252525252525252525252FAccount%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FSecurity%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252F
And a 404 error is shown.
How can this be done?
As a test, I'm trying to use the web.config to control security in the following ways:
Deny access to all files in a directory, except for a specific file
Allow access to all files in a directory, except for a specific file
So I set up the web.config as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<!-- Deny access to all files in a directory, except for a specific file -->
<location path="NonAccessibleDirectory">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="NonAccessibleDirectory/AccessibleFile.html">
<system.web>
<authorization>
<allow users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- Allow access to all files in a directory, except for a specific file -->
<location path="AccessibleDirectory/NonAccessibleFile.html">
<system.web>
<authorization>
<deny users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
</configuration>
As expected:
If I browse to the non accessible directory and do not specify a file, I get access denied
If I browse to the accessible directory and do not specify a file, I can see the list of files
The problems I'm having are:
If I browse to the non accessible directory and specify a file, I can view it, and I would have expected not to be granted access
If I browse to the accessible directory and specify a file I have denied access to via the web.config, I can still view it, and I would have expected not to be granted access
Amy I configuring things wrong?
You may be running in to the difference between ASP.NET URL Authorization and IIS URL Authorization. A detailed summary on this is at http://www.iis.net/learn/manage/configuring-security/understanding-iis-url-authorization#Differences
Briefly, what happens with ASP.NET by default with web.config is that it only apply the allow and deny rules to files handled by the managed handler.
Files such as .txt and .html files are handled by IIS and not ASP.NET, so the authorization rules aren't applied to them.
You can test this out by adding this to your main web.config to use the IIS version.
<system.webServer>
<modules>
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>
I tested this with your same security and same directories and files, and all appears to work
A more complete version if you use other authentication methods such as forms could be this
<system.webServer>
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
In my asp.net MVC application I have tried to deny unauthorized users from an html file inside a sub folder. But it is not working as expected. Below is the web.config section which used right now.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Docs/help/index.html">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I think the global deny users will block all unauthorized access for all the pages, otherwise we should give specific permission. Please correct me If I am wrong.
But in my case even http://siteurl.com/Docs/help/index.html still able to access for an unauthorze user.
IIS - 7.5 , .NET - 4.5, MVC - 4
Please help me to resolve this issue.
MG
You have two ways to achieve it.
1st: <modules runAllManagedModulesForAllRequests=“true” /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config
(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add an wildcard managed handler to serve each request (inlucding static files which are handled by iis directly)
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Or you might need to wrap the <authorization> tag with a <security> tag.
If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.
I was searching for some solution but can't find one. There is this and this ones but can't found and answer there. Im developing an asp.net application on ASP.NET development server. I have the following web.config in my root asp.net folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="4df5d465h"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
My image folder is together my main web.config at root asp.net application folder.
Inside the image folder I put the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I put role attribute after to see if its work.
I wrote the main web.config in this way too:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="3D45C7D8B0B0C"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="~/image">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
But the login page never can load the images
In design mode, inside visual studio editor, the image load in login.aspx page then image tag must be ok.
What I'm doing wrong?? Thanks a lot.
#nico, thanks a lot for format my question. No im not rewriting nothing. Its most simple and default asp.net application possible. Its default template asp.net application with an link on Default.aspx and a simple login.aspx page, its a test project, the login form works but the image doesn't load.
#Chris_Lively, yes there is a web.config in image folder, its web.config with <'allow roles='*'>, i checked, the folder is named image\ , the src of image tag point to image\ its getting me crazy
Your config file contains error - 'roles'-tag cannot use asterisk, you should define specific role name (allow element) or dont use it at all.
You'll see error message 'Parser Error Message: Authorization rule names cannot contain the '*' character' in fiddler.
I think it was reason of your problem.
I am running a shopping cart application in asp.net.I am running my application in IIS.I am getting following error while running.
Server Error in '/cart' Application.
Configuration Error Description: An error occurred during the
processing of a configuration file required to service this request.
Please review the specific error details below and modify your
configuration file appropriately.
Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This
error can be caused by a virtual directory not being configured as an
application in IIS.
Source Error:
Line 32: --> Line
33: Line 34: Line 35:
Source File: D:\ecomm_3_1_LITE\wwwroot\web.config Line: 34
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:2.0.50727.42;
ASP.NET Version:2.0.50727.42
Following is my web.config file
Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<!-- SQL SP & TABLES PREFIX -->
<add key="SQLprefix" value="gaspprod_"/>
</appSettings>
<connectionStrings>
<add name="ConnStr" connectionString="Data Source=GRAPHIX\SQLEXPRESS;Initial Catalog=GlitzCart;Integrated Security=True " providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<globalization uiCulture="en" culture="en-US"/>
<!--<globalization uiCulture="hr" culture="hr-HR"/>-->
<authentication mode="Forms">
<forms name="guru_aspnet_cart"
protection="All"
timeout="30"
path="/"
loginUrl="AdminLogin.aspx"></forms>
</authentication>
<pages maintainScrollPositionOnPostBack="false"
buffer="true"
validateRequest="false"
compilationMode="Auto"></pages>
<customErrors mode="Off"
defaultRedirect="error.html"></customErrors>
<compilation debug="true">
</compilation>
<!--<trace enabled="true" pageOutput="true"/>-->
</system.web>
<!--disable access to Admin directory for everyone, except for the administrators -->
<location path="admin" allowOverride="false">
<system.web>
<authorization>
<allow users="admin, admin2, malik "/> <!--ADMINISTRATORS USERNAMES, SEPARATED BY ", " -->
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Admin/Modules directory -->
<location path="admin/modules" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Modules directory -->
<location path="modules" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Modules directory -->
<location path="SQLbackup" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
What change i have to make my application run?Can anybody help?
The error itself asks if you've enabled the virtual directory and set it as an application.
Is that the case? Your web.config is in the file root so I would say no.
Regardless, have you double checked you've enabled applications, enabled the correct version of ASP.NET and ensured ASP.NET is permitted to run.
If they are all ok then I would recommend you next take a vanilla ASP.NET website/web application (I prefer the latter) and deploy it to that folder. Don't write any code and double check it works.
If it doesn't then the default web.config doesn't work. It could be an error with your machine.config or something similar. Personally I'd reinstall and re-register .NET. A sledgehammer approach!
If it does work, then your web.config may be corrupt.
These are all guess-timates but I hope they help out!