ASP.NET web.config authorization settings ignored in subfolders - asp.net

I'm using asp.net mvc 2 and vs 2008.
I'm trying to make website with forms authorization. When i'm trying to restrict access to some pages, i'm using asp.net administration tool. There i create rule, for example, to deny access to anonimous users to whole web site. Administration tool, as expected, adds following section in the root web.config file:
<authorization>
<deny users="?" />
</authorization>
When i do same thing in some subfolder, as example %ApplicationRoot%/View/Protected, administration tool, as expected too, adds web.config file in mentioned subfolder, with following code:
<configuration>
<system.web>
<authorization>
<deny users="UserName" />
</authorization>
</system.web>
Prime difference between theese files is that root web.config authorisation section has some effect(generally speaking, it works as planned - denies all unauthenticated users from whole website). But subfolder web.config authorisation section have no effect at all.
I found that then added to root config file, following code
<location path="Protected">
<authorization>
<deny users="UserName" />
</authorization>
</location>
does the work greatly - it, as planned, denies %UserName% acces to all views, located in %ApplicationRoot%/View/Protected Folder.
This behavoir is simmilar with cassini and iis, i tried both.
The main problem is that i need kind administration tool to do the work, so i'm asking for any help with issue - why doesn't authorisation section works when web.config is located in subfolder?
P.S. I tried to place incorrect code in between <authorization> and </authorization> in subfolder's web.config:
<authorization>
asdfg
</authorization>
No effect. Probably the whole section is ignored due to some issue?
P.P.S. Incorrect code out of the authorization section in the same file causes an error

Your problem is that your application is not a classical ASP.NET Web Forms application.
What you're trying to do would work perfectly in Web Forms, but not in MVC.
In MVC world when browser requests page /People/SmartList it's not necessarily that it would be shown the /People/SmartList.cshtml from your project. In fact, your project could not even have the /People/ folder at all. The view (.cshtml file) which will be shown by MVC engine is determined by routes. And that MVC routing engine doesn't look at all at your web.config files, when it accesses those .cshtml files. Now, you can see, why your web.conig files are ignored.
But you're still able to do the authorization. Instead of using web.config files you should use the [Authorize] attribute and apply it to appropriate controller's action methods, or even to a whole controller class.
[Authorize(Users="UserName")]
public ActionResult ShowRestrictedData()
...

Related

ASP.Net Web Forms Identity\OWIN Login Page Access Issues

I have recently been re-working a web form application from .net2.0 to .net4.7 and decide to add Identity and OWIn for local and social authentication.
I create a new web forms app and then copied the account, app_start and models folders over to the existing app as well as the startup.vb file.
Now all this is OK and the app compiles without issue however whenever we try to login using /Accoount/Login itsimply redirects us back to the default.aspx page in the root of the app.
there is a web.config file in the Account folder and it looks like this, although i do not think this is the issue:
<configuration>
<location path="Manage.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Although this allows authenticated access to manage.aspx all other files in the account folder should be anonymous access but something is redirecting away from login.aspx and I cannot figure out what?
Anyone come across this?

IIS 7.5 and making anonymous authentication/forms authentication play nicely together

I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.

asp.net forms authentication: public folder not allowing application access

I have a website that I've recently set up with asp.net forms authentication. It is authenticating through Active Directory. On the website are two folders which I've made public using location tags in the root web.config file, like this:
<location path="FolderA">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="FolderB">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
FolderA contains a PHP application that uses jQuery's ajax function to get json data from a controller which resides within FolderA.
FolderB contains a ClickOnce application (an Outlook add-in).
I am able to navigate to both of those folders in all current browsers without getting prompted to log in. If I go to other non-public areas of the site, I am prompted to log in. That's exactly the way I want it.
But I have a few users on IE9 who have experienced failure when they hit a view in FolderA that tries to get the json data. The users, of course, aren't prompted to log in, but the data never loads, and there is an error message in the dev console saying access denied. Oddly, I am not able to duplicate this behavior with IE9 on my machine.
Additionally, when I try to install the ClickOnce application, it downloads and installs successfully, but when Outlook tries to load the add-in I get a message saying that authentication with the application failed. It used to work fine; the only thing that has changed is that I added forms authentication to the site. I've tried designating the folder as an application in IIS with anonymous authentication, but no luck.
I'm running IIS7, and the site is using .Net Framework 2.0.
I'm having trouble understanding this behavior, and I was hoping someone could give me guidance on how to address it. I'm pretty much at a loss and the users are getting restless.

ASP.Net Provide Acceess/Browse Rights only to the Authenticated User

On the root of my webservice application, I have a directory which contains some html and txt files. These files should be accessed only to the authenticated user. How can I achive this?
This is the follow-up of my question: ASP.Net Directory Security
I implemented HttpHandler as suggested by Shark on that post. It allows html and txt files to handle but I can't show these files to the authenticated user too.
Update: I solved this issue by checking session on the handler. While hosting this on the server I faced another problem. i.e. my custom handler was not getting called. I got the cause and solution for that issue on: http://msdn.microsoft.com/en-us/library/bb515343.aspx
Cause:
By default, Internet Information Services (IIS) passes requests for
only certain file types to ASP.NET to service. Files with file-name
extensions such as .aspx, asmx, and .ashx are already mapped to the
ASP.NET ISAPI extension (Aspnet_isapi.dll).
Solution:
To have IIS pass other file-name extensions to ASP.NET, you must
register the extensions in IIS.
Whole Story: http://www.naveenbhat.in/2012/06/directory-security-on-webservice-with.html
If you are using ASP.Net Security (Forms/Windows authentication), you can simply control it by web.config settings. Like so:
<system.web>
<authentication mode="Forms">
</authentication>
<location path="directoryPath">
<system.web>
<authorization>
<deny users="?"/> // this will deny access to anonymous users
</authorization>
</system.web>
</location>
</system.web>

Multiple/Different authentication settings in web.config

How would I go about setting different authentication tags for different parts of my web app? Say I have:
/
/folder1/
/folder2/
Would it be possible to specify different <authentication/> tags for each folder?
I want folder1 to use Windows authentication but folder2 use Forms authentication.
I tried doing in a <location/> tag but it doesn't look like you can have <authentication/> tags in a <location/> tags, at least not via VS 2008 with it's built in webserver.
This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
<location path="/folder1">
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can only have <authentication /> on the top level web.config. You may have to create multiple applications. ie you can create an application within an application and use different authentication modes in each one.
I think you can set the forms authentication authorization on folder1 to
<allow users="*" />
then control the windows access via setting windows permissions on the folder.
I haven't tried it, but I can't think of why that wouldn't work.
These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.
Once you done this, the folder will have a different icon in the IIs manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.
More information available at Creating Applications.

Resources