I have an asp.net application and when I try and turn on the application tracing....
<system.web>
<trace enabled="true" pageOutput="true" requestLimit="40" localOnly="false"/>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Pages/Account/MyAlerts.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Pages/Account/FullDetails.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Pages/Account/ActivateLicence.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
I get the following error:
I have looked for
<deployment retail=true />
But its not in my config and I really cant see why when I navigate to mysite/trace.axd I get this error.
Look for inherited values from your,
machine.config - if you are using .NET framework 4 its in
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config
Root web.config - if you are using .NET framework 4 its in
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config
if your application configured as sub folder in IIS your web.config values might have been inherited from parent application.
<deployment retail=true /> is typically used in production web servers in machine.config you can read more about config values inheritance from here http://msdn.microsoft.com/en-us/library/ms178685.aspx
Related
I have a folder "qc" which is only allowed for the role "warehouse".
In that folder i have a page that I want anyone to access without logging in.
Here's what I've done with web.config but it still redirects me to the login page:
<location path="QC/MyPage.aspx">
<system.web>
<authorization>
<allow users="?" />
<allow roles="*"/>
</authorization>
</system.web>
</location>
<location path="QC">
<system.web>
<authorization>
<deny users="?" />
<allow roles="warehouse" />
</authorization>
</system.web>
</location>
As aswered her you need to repeat it without the aspx extension.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
I'm building a webforms application, separating pages into folders, authorizing web-pages within these folders using the web.config, authorizing pages to authenticated users only and allowing certain pages to certain roles.
I have a 'beheer' folder in which the page1.aspx - page6.aspx reside. I also have a web.config in that folder which is shown below.
I'm logging into the system as a user have the role 'Admin', which would mean that all pages should be available to me, if I go to page3, page4, page5 or page6 it works just fine, but going to page1 or page2 it doesn't work, I get a unauthorized message, even though page2 and page3. I can't seem to figure out what I'm missing.
<configuration>
<system.web>
<authorization>
<deny users="?" />
<!-- Deny all unauthenticated users -->
</authorization>
</system.web>
<location path="Page1.aspx" >
<system.web>
<authorization>
<allow roles="Page1,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page2.aspx" >
<system.web>
<authorization>
<allow roles="Page3,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page3.aspx" >
<system.web>
<authorization>
<allow roles="Page3,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page4.aspx,Page5.aspx,Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I doubt you actually have the Admin role assigned. This part seems wrong:
<location path="Page4.aspx,Page5.aspx,Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
You can't specify more than one resource on the path element. See here for more information.
Try changing it into this:
<location path="Page4.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page5.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have in my web.config
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Admin/Page1">
<system.web>
<authorization>
<allow roles="SubAdmin"/>
</authorization>
</system.web>
</location>
Would this properly block everyone except "Administrator" and "SubAdmin" roles from Admin/Page1?
Or do I have to add <allow roles="Administrator"/> <deny users="?"/> to the Admin/Page1 section?
You can use it this way:
<allow roles="Admin"/>
<allow roles="SubAdmin"/>
<deny users="*"/>
For future reference: http://msdn.microsoft.com/en-us/library/8d82143t%28VS.71%29.aspx
If possible, keep web.configs in each folder instead of keeping in one web.config.
I'm not sure which role is more powerful - Administrator or SubAdmin. You need to keep the most powerful role inside the nested folder.
Inside Administrator only folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Inside SubAdmin and Administrator folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, SubAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Thanks for any help.
Edit
this has been altered from the initial question, as no answers had been posted, and the problem evolved in more detail
I am trying to complete an asp.net 4.0 web application. I am struggling to manage folder based authorization.
a sample of the XML from the web.config:
<location path="~/drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/wardAdmin">
<system.web>
<authorization>
<allow roles="wardAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/websiteAdmin">
<system.web>
<authorization>
<allow roles="websiteAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/personalAccount">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
The authorization works beautifully when the web application is started via visual studio.
when I publish to a local directory on my machine with the same web.config file, the authorization allows anonymous users into the wardAdmin and personalAccount folders ONLY (ie works appropriately for the other folders).
Has anyone come accross a similar problem and know a solution? thanks
replacing the tildes fixed the problem
<location path="drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
Login.aspx, passwordrecovery.aspx, and register.aspx should be the only pages accessible for logged in users. I have the following in my webconfig:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I have the following in my configuration element of my webconfig:
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="register.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I get an Error: ASP.NET Ajax client-side framework failed to load. alert box when viewing any of the public pages. How do I allow access to the asp.net client-side framework (using the location tags?)?
Check the actual url that is requested. I think those will be the calls to Webresource.axd.
I checked fiddler and added the following:
<location path="Telerik.Web.Ui.WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Ajax client side framework now loads - error message is gone. For those not using the Telerik controls - I'm sure you can use something similar to:
<location path="WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I agree with Greg, put all your public resources in the root and place any protected items in a subfolder.
Ex:
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="subfolderName">
<system.web>
<authorization>
<allow roles="myRole" />
<deny users="*" />
<!-- deny unknown users -->
<deny users="?" />
</authorization>
</system.web>
</location>