I have a website hosted in IIS with directory browsing disabled. The website is developed in ASP.Net, MySql and C#.
For e.g., If i type www.mysite.com/LoremIpsums/ then it shows 403 error. However if i type, www.mysite.com/LoremIpsums/IpsumLorem.pdf it shows/downloads the the PDF file. How to disable this?
I have searched on net and found sth like
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
If i use this in web.config, the user won't be able to download the pdf file even after logging in. So how to achieve file access only for logged in users. (Either using C# code or IIS Settings)?
Here you Go:
<location path="download">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="user"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
download is your folder where you want to restrict the anonymous user from direct access.
Related
I am using ASP.NET 4.5 OWIN Identity and attempting to block access to a directory for all but authenticated users. The directory contains raw files, so it isnt possible to wrap them in the ASP LoggedInTemplate tag.
When I try and prevent access to the directory to anonymous users, it fails.
I have tried adding the following to the main Web.config file:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="/docs">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Doing this gives server 500 errors and highlight the location path="/docs" line as the source of the error. This is a hosted solution, so options for changing the IIS server config to allow overrides arent available to me, though that does seem one potential solution for anyone experiencing this issue.
I have now removed the above from the main web.config and added a separate web.config file in the directory that I want to protect. The new web.config contains this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
This gives no errors, but allows unauthenticated users access to the folder, which is what I am trying to prevent.
Any ideas or pointers to any article that describes how to resolve this would be much appreciated.
The solution to this for my environment was to use the web.config file in the sub directory, but to add a custom handler definition for the file types in question.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="PDFHandler" verb="*"
path="*.pdf"
type="System.Web.StaticFileHandler"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
The web server then allows authenticated users only to access the files in the sub directory.
This article led my to the solution: http://www.primaryobjects.com/CMS/Article112
I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out I get permission to log onto the system. I can get access if I take deny out, but then all users is getting access to the page.
Adding my user credentials on and denying all anonymous users I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my windows logon credentials? I'm using visual studio 2012, entity framework.
This is what I've done:
//Web Config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny *, but allow USER1 the user don't get access even when prompted with a login request. The login windows dialog boks just keep on popping up 3times with even if the used have access. making it deny ? (anonymous) allows everybody to have access, even if I take out the deny and only have the allow tag with USER1 the rest of the users still have access... I'm running locally now, but even on the IIS when setting the authentication on there with (windows and basic authentication) does exactly the same....
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
In my main web.cofin in the root of the application I have set authentication mode to windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
On your question you said you have a folder name but on the web.config you have given only the file name on the path. Use the foldername/filename.aspx like below. Use deny users="*" instead of deny users="?'
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<authentication mode="Windows" />
</authorization>
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it works:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />
I worked long time back on a website and it has been working fine, recently a problem has been reported, which I need to go through.
In my site there is a folder named repository, which contains files like word and PDF documents and ideally only logged in users are allowed to download them but now it has been observed that anyone who is not logged into the website, can even also download them :(
Is there any wayout to handle it without moving the folder out of the web directory? Like making that folder password protected and only my pages can access the content, any code sample or link will be of high use.
My web application is in ASP.NET 2.0 with C# and server has IIS 6.0.
Thanks in Advance
Edit:
My Web.Config has these tags in it:
<authentication mode="Forms">
<forms slidingExpiration="true" loginUrl="Login.aspx" defaultUrl="HomePage.aspx" name=".ASPXMAIN" timeout="30">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
Use the <location /> tags in the web.config, http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx
<location path="content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See this answer for more links to msdn documentation: https://stackoverflow.com/a/4280257/426894
You can try with this config in your Web.config (location permit you to define path)
This sample use roles in order to design profil.
Also use users in order to design user.
<location path="~/MembersOnly" >
<system.web>
<authorization>
<allow roles="Members"/>
<deny users="?" />
</authorization>
</system.web>
</location>
In IIS 7 Web site I have web.config authorization configuration to allow only definite roles. But one page must be available for all users. The problem is that if user is not in allowed group DOMAIN\group1 then he gets authentication prompt (User name and password) when opening page public_page.aspx that is allowed for all. Despite of that he is in domain. User presses Cancel on the prompt and then this public page is opened successfully and he is even authenticated in it (<%=User.Identity.Name%> in it shows his Windows identity). Browser is IE8. In IIS6 there was no such issue. Why does browser show this username/password prompt if the user is authenticated successfully? And how can I disable it? Maybe I should somehow reconfigure a web.config? Thank you all for help!
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\group1" />
<deny users="*" />
</authorization>
</system.web>
<location path="public_page.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I resolved the issue by creating web.config by placing public_page.aspx to subfolder /public and created web.config file there with contents:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I have a directory where I am placing PDF files that are generated by my application. The issue is that since there are no aspx pages, the security in the web.config is not preventing direct navigation to those pdf's. Granted, the information is public, I just dont want someone to be able to go straight to them for a variety of reasons.
So the question is, how do I prevent access to that directory in a web.config file? here is what I have:
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow roles="role1" />
<allow roles="role2" />
<allow roles="role3" />
<allow roles="role4" />
<deny users="*" />
</authorization>
</system.web>
You should be using an HttpHandler to accomplish file security you can map extensions through IIS and use these to handle mappings of each particular file type (ie: pdf, doc, exe, etc...)
Here is a link describing it...
http://www.15seconds.com/Issue/020417.htm