I have a sub folder called admin. I want to restrict it to users with the role ADMIN only. How do I do that? I have created a new web.config and put it within that folder. The following is my web.config:
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow roles="ADMIN"/>
</authorization>
</system.web>
</configuration>
But all authenticated users are able to access it. How do I protect that folder's contents?
EDIT
The authentication is done in parent folder and the same login is being used for user and admin.
Try this:
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow roles="ADMIN"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have created a "restricted" page with the forms authentication and it's working well.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="documents.aspx" />
</authentication>
<location path="documents.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
I would like to deny access to a folder and all the files that it contains depending on this authentication. Basically, documents.aspx has a list of documents that you can download. If I try to access www.mywebsite.com/documents I'm automatically redirected to login.aspx. I added the following Web.config in my Documents folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
However, if I know the path of a document, for example www.mywebsite.com/documents/test.pdf, I can access this file.
My question is: how can I deny access to all the files in the Documents folder if you are not authenticated?
Put all your PDF documents in a folder and set a restriction on that folder like this:
<location path="FolderName">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
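Why the first question's config lets every authenticated user into the admin folder, and why the folder web.config with `<deny users="?"/>` keeps anonymous requests out of Documents, can be seen by modelling how ASP.NET evaluates authorization rules. This is an added Python model, not code from either question or from Microsoft; it assumes the documented semantics that rules are checked in document order with the most specific web.config first, the first matching rule wins, `*` matches everyone, `?` matches only anonymous users, user and role names compare case-insensitively, and the machine-level default of `<allow users="*"/>` applies when nothing matches. The config strings are constructed copies of the snippets above.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the web.config snippets quoted above.
ADMIN_ONLY_ALLOW = """<configuration><system.web><authorization>
  <allow roles="ADMIN"/>
</authorization></system.web></configuration>"""
ADMIN_WITH_DENY = """<configuration><system.web><authorization>
  <allow roles="ADMIN"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""
DOCUMENTS_FOLDER = """<configuration><system.web><authorization>
  <deny users="?"/>
</authorization></system.web></configuration>"""


def _split(attr):
    """Comma-separated attribute value -> lower-cased list (assumed case-insensitive)."""
    return [x.strip().lower() for x in attr.split(",") if x.strip()]


def parse_rules(xml_text):
    """Return [(tag, users, roles), ...] in document order from an <authorization> element."""
    auth = ET.fromstring(xml_text).find(".//authorization")
    return [(el.tag, _split(el.get("users", "")), _split(el.get("roles", ""))) for el in auth]


def rule_matches(rule, user, roles):
    """user is None for an anonymous request; '*' is everyone, '?' is anonymous only."""
    _, users, rule_roles = rule
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    if user.lower() in users:
        return True
    return any(r.lower() in rule_roles for r in roles)


def is_allowed(rule_sets, user, roles=()):
    """rule_sets: rule lists ordered most specific (folder web.config) to least specific.
    The first matching rule decides; no match falls through to the default allow."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return True  # machine-level default: <allow users="*"/>


if __name__ == "__main__":
    for label, cfg in (("allow only", ADMIN_ONLY_ALLOW), ("allow + deny", ADMIN_WITH_DENY)):
        rules = [parse_rules(cfg)]
        print(f"{label}: alice/USER -> {is_allowed(rules, 'alice', ['USER'])}, "
              f"bob/ADMIN -> {is_allowed(rules, 'bob', ['ADMIN'])}")
```

With only `<allow roles="ADMIN"/>` a non-admin matches no rule and falls through to the default allow; the trailing `<deny users="*"/>` is what actually closes the folder.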
So here is the scenario: I have an ASP.NET application that is using a custom authentication & membership provider, but we need to allow completely anonymous access to a particular folder within the application.
In IIS Manager you can set the authentication mode of a folder, but the settings are saved within the C:\Windows\System32\inetsrv\config\applicationHost.config file, as described here.
To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.
Does anyone know otherwise?
Many thanks
The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.
First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.
Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Use <location> configuration tag, and <allow users="?"/> to allow anonymous only or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="ForAll/Demo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition: if you want to write something to that folder through the website, you have to give IIS_User permission on the folder.
To make it work I built my directory like this:
Project
  Public
  Restrict
So I edited my web.config for my public folder:
<location path="Project/Public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
And for my Restricted folder:
<location path="Project/Restricted">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
See here for the spec of * and ?:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/add
I hope I have helped.
I added a web.config to the specific folder, say "Users" (VS 2015, C#), and added the following code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Initially I used the location tag but that didn't work.
The config I have:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="loginpage" loginUrl="login_to_secure3700.aspx" />
</authentication>
</system.web>
<location path="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
This way the page bob.aspx will only be accessible when the username and password were entered correctly.
BUT, this works only for the page bob.aspx. How can I make this work for, e.g., 50 pages, all with different logins and passwords?
There are two options:
Secure each page with deny all users and only allow bob on bob.aspx and helen on helen.aspx. Given the answers above you will manage that for sure, but it is cumbersome: for every new user you need to change your config.
I think the better way is to create one page (user.aspx), take the user that is logged in, and personalize that single page for this user. This is a lot easier to maintain and you will have all the code on one page.
If you want to keep the personalized approach in the pagename (bob.aspx) you can have a look into URL rewriting.
You could add multiple paths like this:
<location path="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="securedpages/bob2.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Or, more simply, just add the directory of the secured pages:
<location path="securedpages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can put all 50 pages in one folder and then add one web.config for them in this folder that contains:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
It does not matter if they have different logins and password.
I want to secure my website's admin area, which is in a folder named admin. I want to allow users to navigate all website pages except the admin area, which must require logging in with a user name & password. Please help me do that.
Add the following in the configuration section of the web.config.
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<deny users="?"/> means an unauthenticated user will not be able to access the Admin Folder.
Referring to Configuring Specific Files and Subdirectories:
Configuration settings can be applied to specific resources by using a <location> tag with an appropriate path attribute. The path attribute can be used to identify a specific file or child directory to which unique configuration settings apply. Only one file path can be used in the path attribute.
<configuration>
<system.web>
<sessionState cookieless="true" timeout="10"/>
</system.web>
<!-- Configuration for the "sub1" subdirectory. -->
<location path="sub1">
<system.web>
<httpHandlers>
<add verb="*" path="sub1" type="Type1"/>
<add verb="*" path="sub1" type="Type2"/>
</httpHandlers>
</system.web>
</location>
<!-- Configuration for the "sub1/sub2" subdirectory. -->
<location path="sub1/sub2">
<system.web>
<httpHandlers>
<add verb="*" path="sub1/sub2" type="Type3"/>
<add verb="*" path="sub1/sub2" type="Type4"/>
</httpHandlers>
</system.web>
</location>
</configuration>
You should put a web.config file in admin folder and in that, deny access for all users except the users or roles that must have access:
<system.web>
<authorization>
<allow roles="admins"/>
<allow users="user1,user2"/>
<deny users="*"/>
</authorization>
</system.web>
Use .htaccess and .htpasswd.
You can generate these files here: http://www.htaccesstools.com/htpasswd-generator/
I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support:
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<!-- path here is the path to your register.aspx page -->
<location path="register.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to register.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
For more detail follow the link below:
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and want to restrict access to the rest of the site only to logged-in / authenticated users, i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<!-- this will restrict anonymous user access -->
<deny users="?"/>
</authorization>
</system.web>
<!-- path here is the path to your special.aspx page -->
<location path="special.aspx">
<system.web>
<authorization>
<!-- this will allow access to everyone to special.aspx -->
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>