Allow anonymous user to browse the Style and Images folder - asp.net

I am writing an ASP.NET web application.
I have a login screen that has some CSS styles and images on it. I ran into an issue where the styles and images weren't displaying. I read online and it said I needed a web.config inside my Content folder. I added the following to the web.config:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
This seemed to work on my local machine. However, when I publish to inetpub on the server, it does not work.
Here is my folder structure:
Login/Login.aspx - my login screen
Content - this is my root content folder
Content/Styles - this is where my CSS is housed
Content/Images - this is where my images are stored
I tried putting the same web.config inside Styles and Images as well but that didn't work either.
Any help would be appreciated.
Updated:
Here is what I have in my main web.config related to user access:
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Updated 2:
Here is all that's in my root web.config besides connection string info:
<system.web>
<httpRuntime requestValidationMode="2.0"/>
<compilation debug="true" targetFramework="4.0"/>
<sessionState cookieless="UseCookies"/>
<authentication mode="Forms">
<forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<membership>
<providers>
<clear/>
<add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="ApplicationServices" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/"/>
</providers>
</membership>
<profile>
<providers>
<clear/>
<add name="AspNetSqlProfileProvider" type="System.Web.Profile.SqlProfileProvider" connectionStringName="ApplicationServices" applicationName="/"/>
</providers>
</profile>
<roleManager enabled="false">
<providers>
<clear/>
<add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/"/>
<add name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" applicationName="/"/>
</providers>
</roleManager>
</system.web>
<location path="Content" allowOverride="false">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
Could there be something in here interfering with the user access?

See my answer here. Some people would recommend putting a web.config file in the folder you want to be open to the public, but I prefer to monitor everything from the root web.config element. Basically, you insert the same snippet that you already have, but into the web.config file in the root of your website. Don't forget the "allowOverride=false" attribute, too. :)
Something else that can be really tricky is getting the path right. Make sure you've got it just right! :)
<location path="Path to your folder" allowOverride="false">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Basically, you want to allow any user to access files in the Content folder.
add this to your main web.config:
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

I realize this is an old question, but I had this same trouble and hope this helps someone.
In my case, I had to alter the Authentication settings in IIS to let it work. This sounds like what happened once you moved it to a remote server where the default configuration may have been different.
We have Windows Authentication mode enabled by default, but when the web.config specifies Forms Authentication, it will actually enable both of them in the IIS configuration.
With your web.config, you have something like this
<system.web>
<authentication mode="Forms">
<forms name="CMS" loginUrl="Login/Login.aspx" timeout="25" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<!-- ...etc... -->
</system.web>
If the server you moved to has Windows Authentication enabled, it will look like this in IIS
Notice both Forms and Windows are enabled, despite your config saying only Forms. What this will do is undermine your added web.config files in the subdirectories.
When you have the below in your Content folder, it appears to have a conflict with Windows vs Forms and no matter what you put, it doesn't appear to honor your web.config
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are in this same situation, make sure to disable Windows Authentication, or any other unused authentication modes, like in the image below. You need to also make sure Anonymous is enabled to allow it to be open to all.
Hope this helps someone.

By way of documenting what helped in my case:
This discussion was useful
I had another application where I didn't have the problem and the only difference was that IUSR had permissions in the folders. Adding IUSR permissions helped
Using 'inspect' in the browser to display the console makes it clear when files are not accessible (otherwise local caching obscures the results)
I tried using web.configs at various levels as described above but those solutions didn't work for me.

Related

How to prevent users from accessing files in folder?

I'm using Asp.Net Identity. I need to allow admins and deny users to access all pages in my management folder, so I've put a web.config file in that folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
But anybody can still access all files in the folder. I've also tried to put it into the main config file with a location tag, but no results. Have you any ideas where to start looking for a problem?
Update: I've found a question on asp.net forum which explains a lot:
http://forums.asp.net/t/1955560.aspx?ASP+NET+Identity+Are+web+config+files+no+longer+acting+in+the+capacity+of+a+security+guard+for+our+ASP+NET+applications+files+and+folders+
There is also one thing to mention: when creating a new web application project with ASP.NET Identity, Visual Studio 2013 sets these parameters:
<system.web>
<authentication mode="None"/>
</system.web>
and
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
</system.webServer>
Change your code to the following; it prevents any users that aren't authenticated:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
try this
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="[mymanagementfolder]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
MSDN SOURCE
If Directory Browsing is enabled in IIS then you should turn it off.
EDIT:
I think you should enable Forms/Windows authentication. The above code is working fine on my computer, as it redirects to ReturnUrl.

Troubles with Forms Authentication

I'm working on an ASP.NET Web Forms application where I have a folder called Account at the root, which contains mainly three ASPX pages: Login.aspx, ChangePassword.aspx, ForgotPassword.aspx.
I've configured forms authentication with custom membership provider.
web.config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" slidingExpiration="true" timeout="2880" path="/" protection="All" />
</authentication>
<membership defaultProvider="CustomMembershipProvider">
<providers>
<clear/>
<add name="CustomMembershipProvider"
type="App_Code.CustomMembershipProvider, Portal.Web"
connectionStringName="PortalConnectionString"
applicationName="/" />
</providers>
</membership>
If I try to access the pages in the Account folder other than Login.aspx, I am redirected to Login.aspx, and currently I'm avoiding forms authentication for the other two pages like below:
<location path="Account/ChangePassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Account/ForgotPassword.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Instead of specifying individual pages like above, can I combine them? I tried specifying the folder name Account in the path attribute but that's not working.
The next thing is I've another page called Dashboard.aspx in the root and whenever I directly access it I thought I would be redirected to the Account/Login.aspx page but it's not happening, why?
You definitely can specify a folder as the path attribute - try removing the trailing / if you'd left it on, e.g.
<location path="account">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However, because you want to protect the other pages inside account folder, you will need to override for the pages specifically available for anonymous users, such as Login.aspx and ResetPassword.aspx. You cannot combine multiple file entries.
As for why Dashboard.aspx is redirecting, there must be something else in the config you've not posted here which is causing that.

ASP.NET Login system

I have created a login system to my website. This login system is supposed to protect one page only (Meaning that there is one page that requires users to login to see it).
My problem is:
Since I created this login system, all my other 8 pages now require validation. This is not my intention, and I have been searching like crazy for a solution, but no luck.
My web.config file looks like this:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="MySql.Data, Version=5.0.9.0, Culture=neutral, PublicKeyToken=C5687FC88969C44D"/>
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH" timeout="30" /> <!--name =".ASPXFORMSAUTH"-->
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
The only page that requires log in is called Default.aspx
The rest of my pages should be public to all users. How can I achieve this?
Thanks
You can do it by using location element within web.config file.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Use "location" in your web.config and specify the directory you want to be protected. Here's a nice example:
http://www.codefixer.com/asp-net/tutorials/protecting-folders-with-forms-authentication.asp

Allowing anonymous access to default page

My ASP.NET Forms 4.0 site is running with forms authentication. By default unauthorized users are denied, and then I allow access to certain pages.
I have a problem allowing access to the default url: http://example.com. I have this entry in web.config that defines the default page:
<defaultDocument>
<files>
<clear/>
<add value="default.aspx" />
</files>
</defaultDocument>
and I have this location override:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
It works OK when I go to the full url: http://example.com/default.aspx, but redirects to the login page if I go to http://example.com
Any ideas what I am doing wrong?
I just found answer in a response (by Dmitry) to a similar question here in SO: Forms Authentication Ignoring Default Document:
In Global.asax, method: Application_BeginRequest, place the following:
if (Request.AppRelativeCurrentExecutionFilePath == "~/")
    HttpContext.Current.RewritePath("default.aspx");
Worked like charm!
I've just figured out how to solve this without having to fudge a redirection.
It just happened to me after converting from .Net 2 to .Net 4 and I've never found my solution anywhere on the internet, so here goes.
If, like me, your login page is also your default page, you need to make sure you do the following two things in the web.config file.
Add this to exempt default.aspx from authentication (didn't need this in .Net 2)
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
And change the login url from this
<forms name="myform" loginUrl="~/default.aspx" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
to this
<forms name="myform" loginUrl="~/" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
and you should find it all works now. I just tried it out on two different sites and it did the trick for me.
I didn't like making a code change for this issue, especially because my site was working fine on my Windows Server 2008 R2 machine, but not on my Windows 7 SP1 development machine.
It turns out that the root cause of this issue is an update in Service Pack 1 for Windows 7:
http://support.microsoft.com/kb/2526854
The solution appears to be to disable the new "ExtensionlessUrl" feature that was added in SP1:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrl-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Obviously if you're using the ExtensionlessUrl feature this won't work for you, but I've documented it here for those migrating a legacy site and are wondering what has suddenly gone wrong.
This works for me in a test web app:
<location path="">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
Now I can't get to either "/" or "/Default.aspx" - give that a try (but use allow instead).

ASP.NET 3.5 IIS7 Roles Security Implementation

I'm working on an ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unprivileged eyes. So I'm still looking for help.
Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
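The effect of swapping <allow> and <deny> inside the admin location, as an added example that is not code from any of the posts: a simplified Python model of ASP.NET URL authorization run over a constructed web.config. It assumes first-match evaluation with location rules ahead of root rules and an inherited allow-all at the end, and it ignores verbs and nested web.config files; rules_for, is_allowed, alice and bob are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed sample: root denies anonymous users; the "admin" location
# carries the two rules in the order given by {rules}.
TEMPLATE = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="admin"><system.web><authorization>
    {rules}
  </authorization></system.web></location>
</configuration>"""
DENY_FIRST = TEMPLATE.format(
    rules='<deny users="*"/><allow roles="SysAdmins,AppAdmins"/>')
ALLOW_FIRST = TEMPLATE.format(
    rules='<allow roles="SysAdmins,AppAdmins"/><deny users="*"/>')


def rules_for(config_xml, url_path):
    """Effective rules for url_path: most specific <location> first, then the
    root <system.web>, then the allow-all inherited from machine level."""
    root = ET.fromstring(config_xml)
    path = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            scopes.append((len(prefix), loc.find("system.web/authorization")))
    scopes.sort(key=lambda s: -s[0])
    scopes.append((-1, root.find("system.web/authorization")))
    rules = [(r.tag, r.get("users", ""), r.get("roles", ""))
             for _, auth in scopes if auth is not None for r in auth]
    return rules + [("allow", "*", "")]


def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins. user=None models an anonymous request."""
    have = {r.lower() for r in roles}
    for action, users, role_list in rules_for(config_xml, url_path):
        names = {u.strip().lower() for u in users.split(",") if u.strip()}
        wanted = {r.strip().lower() for r in role_list.split(",") if r.strip()}
        hit = ("*" in names or ("?" in names and user is None)
               or (user is not None and user.lower() in names)
               or bool(wanted & have))
        if hit:
            return action == "allow"
    return False  # not reached: the inherited allow-all always matches


if __name__ == "__main__":
    admin = dict(user="alice", roles=["SysAdmins"])
    print("deny first :", is_allowed(DENY_FIRST, "/admin/users.aspx", **admin))
    print("allow first:", is_allowed(ALLOW_FIRST, "/admin/users.aspx", **admin))
    print("plain user :", is_allowed(ALLOW_FIRST, "/admin/users.aspx", "bob", ["Users"]))
    print("anonymous  :", is_allowed(ALLOW_FIRST, "/home.aspx"))
```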
