ASP.NET folder access only to logged in user. - asp.net

I am working on a project in ASP.NET where I store some files in a directory, say temp. I want to give access to that folder and its contents only to users who are logged in; otherwise it should show access denied.
I have tried:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Default.aspx" defaultUrl="Default.aspx" ></forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="temp">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
but it's not working.
What am I doing wrong? What should be the right approach?

First, forget about modifying the global web.config; there is no need for that. You just create an auxiliary web.config in the mentioned folder and put:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
inside.
Second, this won't work for static files that do not pass through the ASP.NET pipeline. This is tricky, as the development server serves requests to all files and the problem arises only when you deploy your application to IIS.
You would have to add
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
It tells IIS to process all possible requests (including requests to static resources) with the ASP.NET pipeline. This has its drawbacks, though, as it could potentially slow down the server a little bit.

Related

How to allow access to a web folder only to authenticated users

My web application uses forms authentication mode.
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
There is a folder in my web application, named "Documentos", that has a lot of PDF files.
My program allows the user to load a PDF file using its URL address:
http://MyHost/MyWebApp/Documentos/1.pdf
However, I need to restrict that functionality only to authenticated users.
For that, I put in my web.config:
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But it doesn't make any difference. Anyone can still load any PDF file in folder Documentos by doing:
http://MyHost/MyWebApp/Documentos/1.pdf
Can I accomplish what I'm looking for or should I approach it in a different way?
EDIT
Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
You have two options:
Option 1
Use ~/ if your web application is not root level.
<location path="~/Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Option 2
Create a web.config with the following content, and place it inside the Documentos folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
</system.webServer>

Formsauthentication for folder does not work on production server

I have an ASP.NET 2.0 web application developed on my Win8/VS2012 machine (but using .NET 2.0 and not 4.0). I want to protect direct access to a number of folders, e.g. the PDF files that are stored in the Content/Documents folder, for particular roles, using forms authentication. It works with the below web.config file on my dev machine, and if I type in a URL of a PDF directly, I get redirected to the login page.
However, when copying the whole solution to the production server (Windows Server 2003 R2 SP1, having .NET 2 and 4 installed), the files are directly accessible and it seems as if the forms authentication does not work.
How can I investigate this on the server?
What is wrong in my config?
Note: the roles are assigned at login time, without a roles provider (as demonstrated by many articles on the internet and on Stack Overflow), and I guess I did that correctly since it works on my dev machine.
Note 2: One strange thing I noticed is that in the IIS administration tool on the Win2003 R2 server, the configuration windows do not correspond with what I have in the web.config file. When I right-click web app properties in IIS Manager, go to the ASP.NET tab, go to Edit Configuration and go to the Authorization tab for the different locations, it looks like it only states allow * while the config file clearly has deny *. Is it possible that on that server this type of configuration file is not supported? (It does not generate any errors either, however.)
Thanks in advance,
Wim
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings>
<add name="..." connectionString="..."
providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<httpRuntime maxRequestLength="102400" executionTimeout="600"/>
<authentication mode="Forms">
<forms name="MYWEBAPP.ASPXAUTH"
loginUrl="member_login.aspx"
protection="All"
path="/"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
<compilation debug="true"/>
</system.web>
<location path="Content/Documents">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/Events">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/News">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/PriceChange">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Administrator">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Member">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Nothing is wrong with your config. Rather, static files (JPGs, CSS, PDFs) are handled by IIS without involving the ASP.NET pipeline. This means that your authorization rules are ignored when you ask for a PDF file.
To fix this you can either have an aspx page that gets a parameter that states which file should be downloaded, or configure the application to run some (or all) static files through the ASP.NET pipeline. The easiest way to have all requests go through ASP.NET is to set
runAllManagedModulesForAllRequests="true"
in the modules section of the web.config.
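The question above asks how to investigate this on the server. The quickest check is the one an attacker would do: request a file under the protected folder with no authentication cookie and look at the raw first response. The following console program is an added example, not code from any of the posts above; it classifies that response so the result can gate a deployment script. The URL and the login page name ("Logon.aspx") are hypothetical placeholders to replace with your own.

```csharp
// Added example: probe whether a file under a "protected" folder is really refused
// to anonymous clients. Nothing here comes from the original posts.
using System;
using System.Net.Http;
using System.Threading.Tasks;

public enum Verdict
{
    ServedAnonymously,   // HTTP 200 with no auth cookie: the authorization rule is bypassed
    RedirectedToLogin,   // 302 to loginUrl?ReturnUrl=...: forms authentication intercepted it
    Denied,              // 401/403: IIS or ASP.NET refused the request outright
    Inconclusive         // 404 or anything else: fix the test URL before trusting the result
}

public static class ProtectedFolderProbe
{
    public static async Task<Verdict> ProbeAsync(Uri fileUrl, string loginPage)
    {
        // No cookies and no automatic redirects: we want the raw first response,
        // exactly what an unauthenticated browser receives before it follows anything.
        var handler = new HttpClientHandler { AllowAutoRedirect = false, UseCookies = false };
        using (var client = new HttpClient(handler))
        using (var response = await client.GetAsync(fileUrl))
        {
            string location = response.Headers.Location == null
                ? null
                : response.Headers.Location.ToString();
            return Classify((int)response.StatusCode, location, loginPage);
        }
    }

    // Pure classification, kept separate so it can be reasoned about without a server.
    public static Verdict Classify(int statusCode, string location, string loginPage)
    {
        if (statusCode == 200) return Verdict.ServedAnonymously;
        if (statusCode == 401 || statusCode == 403) return Verdict.Denied;
        if (statusCode == 302 || statusCode == 301)
        {
            // A redirect only proves protection if it goes to the forms-auth login page;
            // a redirect elsewhere (a default document, a trailing-slash fixup) proves nothing.
            bool toLogin = location != null &&
                           location.IndexOf(loginPage, StringComparison.OrdinalIgnoreCase) >= 0;
            return toLogin ? Verdict.RedirectedToLogin : Verdict.Inconclusive;
        }
        return Verdict.Inconclusive;
    }

    public static async Task Main(string[] args)
    {
        // Hypothetical deployment values; point these at a real file in your own folder.
        var target = new Uri(args.Length > 0 ? args[0] : "http://MyHost/MyWebApp/Documentos/1.pdf");
        Verdict v = await ProbeAsync(target, "Logon.aspx");
        Console.WriteLine(target + " -> " + v);
        // Non-zero exit on the dangerous outcome so a deployment script can stop on it.
        Environment.ExitCode = v == Verdict.ServedAnonymously ? 1 : 0;
    }
}
```

Run it from a machine that holds no session for the site (or clear cookies first). ServedAnonymously on IIS means the static-file handler answered without ASP.NET ever seeing the request, which is the symptom every question on this page describes; Denied with a 401 rather than a redirect usually means anonymous authentication is switched off at the IIS level, which blocks the file but also blocks your login page's own resources, so check that separately.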

Unauthenticated user access to a URL with location element is not working

I am using ASP.NET forms authentication for my web app. I have a folder to which I would like to grant access to unauthenticated users. I am using IIS 7 and the app pool is in integrated mode. As a test, I created hello.txt inside the ScriptsHandlers folder. When I try to browse it using IIS, I get redirected to the login page despite the location element. Also, when I am running my application, I get 401 Unauthorized errors when querying asmx web services stored in the folder.
Here is a snippet of my web.config:
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Views/Login.aspx" name=".ASPXFORMSAUTH" cookieless="UseUri" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
Allow access to everything inside the ScriptsHandlers folder. Use ScriptsHandlers or /ScriptsHandlers depending on where you keep this web.config:
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Securing a folder in ASP.NET web directory

I worked a long time back on a website and it has been working fine; recently a problem has been reported, which I need to go through.
In my site there is a folder named repository, which contains files like Word and PDF documents, and ideally only logged-in users are allowed to download them, but now it has been observed that anyone who is not logged into the website can also download them :(
Is there any way to handle it without moving the folder out of the web directory? Like making that folder password protected so that only my pages can access the content; any code sample or link will be of great use.
My web application is in ASP.NET 2.0 with C# and the server has IIS 6.0.
Thanks in advance
Edit:
My Web.Config has these tags in it:
<authentication mode="Forms">
<forms slidingExpiration="true" loginUrl="Login.aspx" defaultUrl="HomePage.aspx" name=".ASPXMAIN" timeout="30">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
Use the <location /> tags in the web.config, http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx
<location path="content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See this answer for more links to msdn documentation: https://stackoverflow.com/a/4280257/426894
You can try this config in your Web.config (location lets you define the path).
This sample uses roles to designate a profile.
You can also use users to designate a user.
<location path="~/MembersOnly" >
<system.web>
<authorization>
<allow roles="Members"/>
<deny users="?" />
</authorization>
</system.web>
</location>
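Two places on this page point at the same alternative to fighting the static-file handler: the answer to the production-server question suggests "an aspx page that gets a parameter that states which file should be downloaded", and the question above asks for a code sample so that "only my pages can access the content". The handler below is an added example, not code from any of the posts; it assumes the documents are moved into a hypothetical ~/App_Data/repository folder. That location matters: IIS and ASP.NET never serve App_Data contents by URL, so the only path to a file is through this handler, and its authorization check cannot be bypassed whatever the pipeline mode. The role names are the ones from the posted config and are likewise an assumption. It targets ASP.NET 2.0 syntax to match the question.

```csharp
// Added example: authenticated-only file download handler with path validation.
// Register it by creating Download.ashx containing
//   <%@ WebHandler Language="C#" Class="SecureDownloadHandler" %>
// followed by this code, and link to Download.ashx?file=1.pdf from your pages.
using System;
using System.IO;
using System.Web;

public class SecureDownloadHandler : IHttpHandler
{
    // Hypothetical storage folder; App_Data is never served directly by IIS/ASP.NET.
    private const string RepositoryVirtualPath = "~/App_Data/repository";

    // Hypothetical role list taken from the posted config; empty array = any authenticated user.
    private static readonly string[] AllowedRoles = { "MEMBER", "ADMINISTRATOR" };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // 1. Authentication. This runs inside the ASP.NET pipeline, so forms auth has already
        //    populated context.User. A 401 here is turned into the loginUrl redirect by
        //    FormsAuthenticationModule at the end of the request.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }

        // 2. Authorization by role (mirrors <allow roles="MEMBER,ADMINISTRATOR"/>).
        if (AllowedRoles.Length > 0 && !Array.Exists(AllowedRoles, context.User.IsInRole))
        {
            context.Response.StatusCode = 403;
            return;
        }

        // 3. Input validation: the parameter must be a bare file name inside the repository.
        string requested = context.Request.QueryString["file"];
        string fullPath;
        if (!TryResolve(context.Server.MapPath(RepositoryVirtualPath), requested, out fullPath))
        {
            context.Response.StatusCode = 400;
            return;
        }
        if (!File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;
            return;
        }

        // 4. Serve as an attachment; octet-stream plus nosniff keeps browsers from
        //    rendering user-uploaded content inline in the site's origin.
        context.Response.ContentType = "application/octet-stream";
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.AppendHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(fullPath);
    }

    // Resolves a user-supplied name to a file inside repositoryRoot. Rejects empty input,
    // anything containing a path separator or invalid character, and any name whose
    // canonical path ends up outside the root (e.g. "..", "..\\web.config").
    public static bool TryResolve(string repositoryRoot, string requested, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrEmpty(requested)) return false;
        if (requested != Path.GetFileName(requested)) return false;               // has separators
        if (requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;

        string root = Path.GetFullPath(repositoryRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requested));

        // Compare canonical paths; "." and ".." both fail this because they resolve to
        // the root itself (no trailing separator) or to its parent.
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }
}
```

Because the files no longer live under the web root, this approach works the same on IIS 6 classic mode and IIS 7 integrated mode, and it does not need runAllManagedModulesForAllRequests. The trade-off is that every download now passes through managed code, which is exactly the cost the first answer on this page warns about for the wildcard setting, but here it is paid only for the documents rather than for every image and stylesheet.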

Allow anonymous authentication for a single folder in web.config?

So here is the scenario: I have an ASP.NET application that is using a custom authentication and membership provider, but we need to allow completely anonymous access to a particular folder within the application.
In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config file as described here
To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.
Does anyone know otherwise?
Many thanks
The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.
First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.
Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Use the <location> configuration tag, and <allow users="?"/> to allow anonymous only or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="ForAll/Demo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition: if you want to write something to that folder through the website, you have to give the IIS_User permission on the folder.
To make it work I built my directory like this:
Project
  Public
  Restrict
So I edited my web.config for my Public folder:
<location path="Project/Public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
And for my Restricted folder:
<location path="Project/Restricted">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See here for the spec of * and ?:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/add
I hope I have helped.
I added a web.config to the specific folder, say "Users" (VS 2015, C#),
and added the following code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Initially I used the location tag but that didn't work.
