Securing a folder in ASP.NET web directory - asp.net

I worked a long time back on a website, and it has been working fine; recently a problem has been reported, which I need to go through.
In my site there is a folder named repository, which contains files like Word and PDF documents, and ideally only logged-in users are allowed to download them, but now it has been observed that anyone who is not logged into the website can also download them :(
Is there any way out to handle it without moving the folder out of the web directory? Like making that folder password protected so that only my pages can access the content; any code sample or link will be of high use.
My web application is in ASP.NET 2.0 with C# and the server has IIS 6.0.
Thanks in advance
Edit:
My Web.Config has these tags in it:
<authentication mode="Forms">
<forms slidingExpiration="true" loginUrl="Login.aspx" defaultUrl="HomePage.aspx" name=".ASPXMAIN" timeout="30">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>

Use the <location /> tags in the web.config, http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.71).aspx
<location path="content">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See this answer for more links to msdn documentation: https://stackoverflow.com/a/4280257/426894

You can try this config in your Web.config (location permits you to define a path).
This sample uses roles in order to define a profile.
Also use users in order to define a user.
<location path="MembersOnly" >
<system.web>
<authorization>
<allow roles="Members"/>
<deny users="?" />
</authorization>
</system.web>
</location>


Formsauthentication for folder does not work on production server

I have an ASP.NET 2.0 web application developed on my Win8/VS2012 machine (but using .NET 2.0 and not 4.0). I want to protect direct access to a number of folders, e.g. the PDF files that are stored in the Content/Documents folder, for particular roles, using forms authentication. It works with the below web.config file on my dev machine, and if I type in a URL of a PDF directly, I get redirected to the login page.
However, when copying the whole solution to the production server (Windows Server 2003 R2 SP1, having .NET 2 and 4 installed) the files are directly accessible and it seems as if the forms authentication does not work.
How can I investigate this on the server?
What is wrong in my config?
Note: the roles are assigned at login time, without a roles provider (as demonstrated by many articles on the internet and on Stack Overflow) and I guess I did that correctly since it works on my dev machine.
Note 2: One strange thing I noticed is that in the IIS administration tool on the Win2003 R2 server, the configuration windows do not correspond with what I have in the web.config file. When I right-click web app properties in IIS Manager, go to the ASP.NET tab, go to edit configuration and go to the authorization tab for the different locations, it looks like it only states allow * while the config file clearly has deny *. Is it possible that on that server this type of configuration file is not supported (it does not generate any errors either, however)?
Thanks in advance
Wim
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<connectionStrings>
<add name="..." connectionString="..."
providerName="System.Data.SqlClient"/>
</connectionStrings>
<system.web>
<httpRuntime maxRequestLength="102400" executionTimeout="600"/>
<authentication mode="Forms">
<forms name="MYWEBAPP.ASPXAUTH"
loginUrl="member_login.aspx"
protection="All"
path="/"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="Off"></customErrors>
<compilation debug="true"/>
</system.web>
<location path="Content/Documents">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/Events">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/News">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Content/PriceChange">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Administrator">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Member">
<system.web>
<authorization>
<allow roles="MEMBER,ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Nothing is wrong with your config. Rather, static files (JPGs, CSS, PDFs) are handled by IIS without involving the ASP.NET pipeline. This means that your authorization rules are ignored when you ask for a PDF file.
To fix this you can either have an aspx page that gets a parameter that states which file should be downloaded, or configure the application to run some (or all) static files through the ASP.NET pipeline. The easiest way to have all requests go through ASP.NET is to set
runAllManagedModulesForAllRequests="true"
in the <modules> section of the web.config.
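The first option above, a download page that serves the protected files itself, as an added example that is not part of the answer. It assumes a generic handler named Download.ashx, a protected folder called repository (as in the first question), and a query-string parameter "file"; the handler applies the same logged-in check that the <authorization> rules apply to .aspx pages, and refuses names that would escape the folder.

```csharp
<%@ WebHandler Language="C#" Class="RepositoryDownload" %>
// Download.ashx (assumed name): serves files from ~/repository only to
// authenticated users, so the download no longer depends on IIS applying
// ASP.NET authorization to a static .pdf/.doc request.
using System;
using System.IO;
using System.Web;

public class RepositoryDownload : IHttpHandler
{
    public void ProcessRequest(HttpContext context)
    {
        // Same rule as <deny users="?"/>: anonymous callers get 401, which the
        // FormsAuthenticationModule turns into a redirect to loginUrl.
        if (!context.User.Identity.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        string root = context.Server.MapPath("~/repository");   // assumed folder
        string fullPath = ResolveInsideRoot(root, context.Request.QueryString["file"]);
        if (fullPath == null || !File.Exists(fullPath))
        {
            context.Response.StatusCode = 404;                    // do not reveal why
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        context.Response.ContentType = ContentTypeFor(Path.GetExtension(fullPath));
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }

    // Canonical physical path of root\name, or null when "name" is empty, contains
    // a separator or other invalid character, or resolves outside the repository
    // (e.g. ".." pointing at web.config in the application root).
    internal static string ResolveInsideRoot(string root, string name)
    {
        if (String.IsNullOrEmpty(name)) return null;
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return null;
        string rootFull = Path.GetFullPath(root).TrimEnd(Path.DirectorySeparatorChar)
                          + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, name));
        return candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase) ? candidate : null;
    }

    private static string ContentTypeFor(string ext)
    {
        switch (ext.ToLowerInvariant())
        {
            case ".pdf": return "application/pdf";
            case ".doc": return "application/msword";
            default: return "application/octet-stream";
        }
    }

    public bool IsReusable { get { return true; } }
}
```

Links on the site then point at Download.ashx?file=report.pdf instead of at the file itself; the handler only helps if direct requests to the folder are blocked as well, which on IIS 6 the static-file handler does not do for you.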

web.config in folder allowing all or no user authentication

I have a folder with several survey aspx pages. I have to set permissions on these aspx pages. There are 5 different pages and only one allows certain users to access it. I have added a web.config file to allow and deny the users, but it's not working. If I allow my username and add a deny="?" I don't have access, but if I add another user, take mine out and take the deny option out, I get permission to log onto the system. I can get access if I take deny out, but then all users are getting access to the page.
Adding my user credentials and denying all anonymous users, I don't get access. Can somebody please point me in the right direction of what I'm doing wrong?
Can it be that it is not reading or taking my Windows logon credentials? I'm using Visual Studio 2012, Entity Framework.
This is what I've done:
Web.config that allows and denies:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2" />
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I have set my authentication mode to windows.
EDIT
It seems that the permissions were set incorrectly. But it's still not working. When I deny * but allow USER1, the user doesn't get access even when prompted with a login request. The Windows login dialog box just keeps on popping up 3 times, even if the user has access. Making it deny ? (anonymous) allows everybody to have access; even if I take out the deny and only have the allow tag with USER1, the rest of the users still have access... I'm running locally now, but even on IIS, when setting the authentication there (Windows and Basic authentication), it does exactly the same....
EDIT
This is the actual code that I am using. Only 3 users are allowed in this path "". This web.config file is within the survey folder with the 5 different types of surveys. Only this one survey should allow certain users, the rest of the surveys anyone can access....
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="QualityCheckSurvey.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
In my main web.config in the root of the application I have set authentication mode to Windows:
<authentication mode="Windows">
<!--<forms loginUrl="~/Account/Login.aspx" timeout="2880" />-->
</authentication>
In your question you said you have a folder name, but in the web.config you have given only the file name in the path. Use foldername/filename.aspx like below. Use deny users="*" instead of deny users="?".
<location path="foldername/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="DomainName\User2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
EDIT
This looks like you have multiple web.config files in the same application. To avoid confusion just remove the one on the survey folder and on the root folder web.config add this code.
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="survey/QualityCheckSurvey.aspx">
<system.web>
<authorization>
<allow users="OEP\kevinh, OEP\shabierg, OEP\heilened" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
I am assuming the survey folder is inside the root folder.
Fixing this error if windows authentication is added to project after it's been created
That's a mouthful. I was having this issue when I added Windows authentication to an existing project. There were a couple of key things that I needed to do before it worked:
In Solution Explorer, Click on the project and then push F4. This should open up the Project properties.
In Project Properties and under the Development Server, make the following changes:
Anonymous Authentication: Disabled
Windows Authentication: Enabled
Include the following in the Web.config under <system.web>:
<authorization>
<allow users="DOMAIN\user"/>
<deny users="*"/>
</authorization>
Still in the Web.config under <appSettings>:
<add key="owin:AutomaticAppStartup" value="false"/>
This is what worked for me. If I'm doing something wrong, please let me know.
Hopefully this will help future individuals who are working with windows authentication after creating the project.
<deny users="?" />
<allow users="DomainName\User2" />
<deny users="*" />

ASP.NET folder access only to logged in user.

I am working on a project in ASP.NET where I store some files in a directory, say temp. I want to give access to that folder and its contents only to the users who are logged in; otherwise it should show access denied.
I have tried
<system.web>
<authentication mode="Forms">
<forms loginUrl="Default.aspx" defaultUrl="Default.aspx" ></forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="temp">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
but it's not working.
What am I doing wrong? What should be the right approach?
First, forget about modifying the global web.config, there is no need for that. You just create an auxiliary web.config in the mentioned folder and put:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
inside.
Second, this won't work for static files that do not pass through the ASP.NET pipeline. This is tricky, as the development server serves requests to all files and the problem arises only when you deploy your application to IIS.
You would have to add
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
It tells IIS to process all possible requests (including requests to static resources) with the ASP.NET pipeline. This has its drawbacks, though, as it could potentially slow down the server a little bit.

Using the authorization Tag on Whole site with exclusions

Hi, I'm using the authorization tag to lock down my site against anonymous users. I've put in the code below
<system.web>
<roleManager enabled="true" />
<authentication mode="Forms">
<forms loginUrl="~/webPages/Login.aspx" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
However now I need to allow anonymous users to access specific other pages (register.aspx etc...) how can I open those pages without undoing the lock on the rest of the site?
Thanks Chris. I've tried this, but for some reason it only works on pages in the home folder and nothing deeper. This actually causes problems because it's not even registering the CSS files, because they're off limits.
Ah, I was using a path like "~/styles"; now that I took the "~/" out, it's working.
Thanks a lot vcsJones
You can accomplish this by adding location elements (outside the system.web element):
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

Redirect user to Multiple Login Pages using ASP.NET Membership

Redirect user to Login Page dependent on the Folder they are in. I have a web application with the root directory, which is used by all users, and the admin site.
People who require the authenticated functionality of the site would need to log in and be redirected to root/login.aspx. However, when an Admin needs to log in to the root/admin/ section of the site, I want them to be redirected to the login form at root/admin/login.aspx
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I have this file in the root/admin directory. I have tried adding the following line but it is giving an error.
<authentication>
<forms defaultUrl="default.aspx" loginUrl="default.aspx"></forms>
</authentication>
Basically I am trying to override the defaultUrl and loginUrl that exist in the main app.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN:
For centralized administration, settings can be applied in the Machine.config file. The settings in the Machine.config file define machine-wide policy and can also be used to apply application-specific configuration using <location> elements. Developers can provide application-configuration files to override aspects of machine policy. For ASP.NET Web applications, a Web.config file is located in the application's virtual root directory and optionally in subdirectories beneath the virtual root.
If you would like 1 login location and different access levels you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" /><!-- admin, root is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" /><!-- admin is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
You can access all these elements at the code level if you would like to manipulate the roles/authentication programmatically:
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Tutorials
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified