Can't access css after adding <authentication> to web.config - asp.net

The webpage that I am creating can't access the CSS file.
Take a look at my webconfig:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="MySql.Data, Version=6.2.5.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
<add assembly="System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
<add assembly="System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
</assemblies>
</compilation>
</system.web>
<location path="css">
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSDEMO" loginUrl="Login.aspx" protection="All" path="/" timeout="60"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I found some answer here:
Authorization Issue - anonymous users can't access .jpeg or .css
But when I tried to put
<location path="css">
on top of 'system.web' it didn't work. Please help me fix this. Thanks for all your help guys!

The location tag has to be a direct child of configuration.
Put this under your existing <system.web>:
<configuration>
<system.web>
...
</system.web>
<location path="css">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>

As you are using <authentication mode="Forms"> and protection="All", you can't access any file other than loginUrl without login.
If you want to access any file or folder without login, you should state this in your web.config file as follows:
<location path="file_name">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Or, if you want any folder to be accessible without login, then you should use this as follows:
<location path="folder_name">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The tag <allow users="*" /> works for you. It allows the user to access that path without login.
Here are some good links
http://msdn.microsoft.com/en-us/library/b6x6shw7%28v=vs.71%29.aspx
http://msdn.microsoft.com/en-us/library/ms178692%28v=vs.100%29.aspx

Related

How to redirect a user to a Specific Page with Forms Authentication

I want to configure the application and prevent the user from going directly to any page in the application without signing in but any user can access the websites homepage.
But when I run the homepage, login page or any page of the website, I am getting this error: The requested page cannot be accessed because the related configuration data for the page is invalid.
I can't find out where I am making a mistake. I have posted my web.config file. Have a look over it. Show me where I am making a mistake and what the solution is.
web.config
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="FIRST PAGE">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Registration">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="AdminHome">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Student">
<system.web>
<authorization>
<allow roles="Student"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Teacher">
<system.web>
<authorization>
<allow roles="Teacher"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None"/>
</appSettings>
</configuration>
ERROR
The homepage of the website is under the folder FIRST PAGE, and the login and register pages are under the folder Registration.
The <authentication> part of your configuration should be inside the <system.web> section
MSDN authentication Element
Just edit your web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>

Restrict access to entire website

How can I restrict access to the root folder and all sub folders of my website? I have an ASP.Net Webforms application using Identity for authentication. Users will have accounts created for them. When a user goes to the website the first thing they should see is the login page. I've tried "/", "~/", "", values in the Location tag, as well as simply not having the location tag in the web.config file but none of these produces the desired result.
<location path="/">
<system.web>
<authorization>
<allow users="user1#mydomain.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<pages>
<namespaces>
<add namespace="System.Web.Optimization"/>
<add namespace="Microsoft.AspNet.Identity"/>
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
</controls>
</pages>
<membership>
Remove the <location> element and try the following config:
<system.web>
<authentication mode="Forms">
<forms name="FormsAuth" loginUrl="/your-login-path" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
There may be further adjustments you'll need to make on the <forms> element depending on your environment/setup etc., but this should get you going.
EDIT
The above doesn't work for ASP.Net Identity. The only way I could get this to work was creating individual <location> elements for every page, in the root and subfolder web.config, explicitly denying or allowing users as needed.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
...
</system.web>
In your Root Web.Config Add:
<authorization>
<deny users ="?"/>
</authorization>
In your Account/Web.Config Add:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
That worked for me

Setting start page in web hosting ASP.NET

Parallel Plesk is not opening default page on my domain name which I've set in the default directories, instead it is opening a login page of my ASP.NET web application. However it opens default page on my domain name once I logged in by giving right credentials.
Here is my web.config file:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<httpRuntime targetFramework="4.5" maxRequestLength="20896" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="UserPanel.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
If you are hosting on IIS (7 or later), inside the <system.webServer> (of your web.config) add:
<defaultDocument>
<files>
<clear/>
<add value="UserPanel.aspx" />
</files>
</defaultDocument>

IIS, denying access to static files; What is wrong with this example?

I am trying to get the simplest example of allowing access by default, denying access unless authenticated to specific directories in IIS, to work. When you Google around, everyone says it's as simple as this:
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Somehow it hasn't been for me.
Here's the project structure:
Here's the Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/" />
</authentication>
<authorization>
<!--<deny users="*"/>-->
</authorization>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The goal is to allow all users to access index.html and to deny access to everything in pages.
Here are my observations:
<!--<deny users="*"/>--> works when un-commented.
It doesn't work at all without <modules runAllManagedModulesForAllRequests="true" />. Remove this, deny doesn't work anywhere.
The deny in <location path="~/pages"> doesn't work. Setting the path to pages or pages/secure.html or ~/pages/secure.html also doesn't work.
What's the problem here?
It doesn't like the path "~/pages". The following works for me:
<configuration>
<system.web>
<authentication mode="Forms"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"></modules>
</system.webServer>
<!-- note the change below -->
<location path="pages" >
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
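A small web.config check covering the structural mistakes that the answers above correct: a `<location>` that is not a direct child of `<configuration>`, a location path written as `~/pages` or `/`, and an `<authentication>` element outside the top-level `<system.web>`. This is an added example, not code from any of the posts; the function name, the finding labels and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def lint_web_config(xml_text):
    """Return findings for the web.config structure problems discussed above."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []

    def chain(el):
        # Element path from the document root, e.g. configuration/system.web/...
        names = []
        while el is not None:
            names.append(el.tag)
            el = parent_of.get(el)
        return "/".join(reversed(names))

    for loc in root.iter("location"):
        if parent_of.get(loc) is not root:
            findings.append("location-not-under-configuration: " + chain(loc))
        path = loc.get("path", "")
        if path.startswith(("~", "/")):
            # The working answer uses a plain relative name such as "pages".
            findings.append("location-path-not-relative: %r" % path)
    for auth in root.iter("authentication"):
        if chain(auth) != "configuration/system.web/authentication":
            findings.append("authentication-misplaced: " + chain(auth))
    return findings

# Constructed sample combining the mistakes from the questions above.
SAMPLE_BROKEN = """<configuration>
  <authentication mode="Forms"><forms loginUrl="Login.aspx"/></authentication>
  <system.web>
    <location path="css"><system.web/></location>
  </system.web>
  <location path="~/pages">
    <system.web><authorization><deny users="?"/></authorization></system.web>
  </location>
</configuration>"""

# Constructed sample with the layout the answers recommend.
SAMPLE_FIXED = """<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Login.aspx"/></authentication>
  </system.web>
  <location path="pages">
    <system.web><authorization><deny users="?"/></authorization></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for finding in lint_web_config(SAMPLE_BROKEN):
        print(finding)
```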

ASP.NET 3.5 IIS7 Roles Security Implementation

I'm working on an ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unprivileged eyes. So I'm still looking for help.
Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
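Why the order of `<allow>` and `<deny>` matters in the answer above: `<system.web>` authorization rules are checked top-down, the first matching rule decides, location-level rules are consulted before application-level ones, and the machine-level default allows everyone. The following is an added example, not code from the posts. It is a simplified model (no verbs, names compared exactly) and the accounts "alice" and "bob" are constructed.

```python
import xml.etree.ElementTree as ET

# Inherited default from the machine-level configuration: everyone is allowed.
MACHINE_DEFAULT = [("allow", {"users": "*"})]

def parse_rules(authorization_xml):
    """Turn an <authorization> element into ordered (action, attributes) pairs."""
    return [(el.tag, dict(el.attrib)) for el in ET.fromstring(authorization_xml)]

def _names(value):
    return [n.strip() for n in value.split(",") if n.strip()]

def matches(attrs, user, roles):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    users = _names(attrs.get("users", ""))
    if "*" in users or ("?" in users and user is None):
        return True
    if user is not None and user in users:
        return True
    return user is not None and any(r in roles for r in _names(attrs.get("roles", "")))

def is_allowed(rule_sets, user=None, roles=()):
    """rule_sets is ordered most specific first (location, then application).
    The first matching rule decides; later rules are never consulted."""
    for rules in list(rule_sets) + [MACHINE_DEFAULT]:
        for action, attrs in rules:
            if matches(attrs, user, roles):
                return action == "allow"
    return False

# Rule blocks taken from the configurations on this page.
APP = parse_rules('<authorization><deny users="?"/></authorization>')
ADMIN_ASKED = parse_rules('<authorization><deny users="*"/>'
                          '<allow roles="SysAdmins,AppAdmins"/></authorization>')
ADMIN_FIXED = parse_rules('<authorization><allow roles="SysAdmins,AppAdmins"/>'
                          '<deny users="*"/></authorization>')
CSS_OPEN = parse_rules('<authorization><allow users="?"/></authorization>')

if __name__ == "__main__":
    # "alice" and "bob" are constructed sample accounts.
    print(is_allowed([ADMIN_ASKED, APP], "alice", {"SysAdmins"}))  # deny * matches first
    print(is_allowed([ADMIN_FIXED, APP], "alice", {"SysAdmins"}))  # role rule matches first
    print(is_allowed([ADMIN_FIXED, APP], "bob", {"Users"}))        # falls through to deny *
    print(is_allowed([CSS_OPEN, APP]))                             # anonymous request for css
```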
