In my web application all the .aspx pages resides in Pages directory. The project structure is shown below:
The Home.aspx is set as Start Page and the Web.config file of the Pages folder contains:
<configuration>
<location path="Secured">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
And the main Web.config has:
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" timeout="2880" defaultUrl="~/Pages/Secured/Home.aspx" />
</authentication>
So when the application launches it redirects to the Login page with the URL:
http://localhost:2453/Pages/Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx
Now if I delete the
Login.aspx?ReturnUrl=%2fPages%2fSecured%2fHome.aspx
from that URL and press enter it is taking me to the Directory Listing:
What I want that it will again send me to the Login page located at
http://localhost:2453/Pages/Login.aspx
How can I achieve this? Your help be appreciated.
Thanks.
The localhost:
You need to disable directory browsing from IIS or from the web.config
<configuration>
<location path="Secured">
<system.webServer>
<directoryBrowse enabled="false" />
</system.webServer>
</location>
</configuration>
this entry above applies to IIS 7+, for IIS 6 you'll have to do it from IIS Manager
There are 2 ways using which you can disable the Directory Listing:
This has been tested & works for IIS 10.
1. Web.config
<configuration>
<system.webServer>
<directoryBrowse enabled="false" /> <!--this line will disable directory browsing-->
</system.webServer>
</configuration>
2. IIS
Go to Internet Information Services(IIS) and look for the Directory Browser option. Select it and on the right corner you see an option Open Feature. Click on it and it will take you to another tab. Now select Disable and you see that the browsing has been disabled.
Related
I am using ASP.NET 4.5 OWIN Identity and attempting to block access to a directory for all but authenticated users. The directory contains raw files, so it isnt possible to wrap them in the ASP LoggedInTemplate tag.
When I try and prevent access to the directory to anonymous users, it fails.
I have tried adding the following to the main Web.config file:
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="/docs">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Doing this gives server 500 errors and highlight the location path="/docs" line as the source of the error. This is a hosted solution, so options for changing the IIS server config to allow overrides arent available to me, though that does seem one potential solution for anyone experiencing this issue.
I have now removed the above from the main web.config and added a separate web.config file in the directory that I want to protect. The new web.config contains this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
This gives no errors, but allows unauthenticated users access to the folder, which is what I am trying to prevent.
Any ideas or pointers to any article that describes how to resolve this would be much appreciated.
The solution to this for my environment was to use the web.config file in the sub directory, but to add a custom handler definition for the file types in question.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="PDFHandler" verb="*"
path="*.pdf"
type="System.Web.StaticFileHandler"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
The web server then allows authenticated users only to access the files in the sub directory.
This article led my to the solution: http://www.primaryobjects.com/CMS/Article112
In my asp.net MVC application I have tried to deny unauthorized users from an html file inside a sub folder. But it is not working as expected. Below is the web.config section which used right now.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Docs/help/index.html">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I think the global deny users will block all unauthorized access for all the pages, otherwise we should give specific permission. Please correct me If I am wrong.
But in my case even http://siteurl.com/Docs/help/index.html still able to access for an unauthorze user.
IIS - 7.5 , .NET - 4.5, MVC - 4
Please help me to resolve this issue.
MG
You have two ways to achieve it.
1st: <modules runAllManagedModulesForAllRequests=“true” /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config
(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add an wildcard managed handler to serve each request (inlucding static files which are handled by iis directly)
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Or you might need to wrap the <authorization> tag with a <security> tag.
If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.
I want to add enable/disable asp.net mvc website feature, to achieve this I just replace web.config content to
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="maintenance.htm"></forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
<location path="server">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I also have put maintenance.htm into website root.
But when I try then navigate to site, i don't see my maintenance.htm, instead I receive
status "Aborted" in Firebug, and Firefox displays a message:
This is for production environment. On local, app just continue process web.config as a normal and displays YSOD saying that it could not find some keys in web.config (it assume that they exist)
I also try to just add app_offline.htm as a simpler solution, but result is the same.
What can cause such behavior?
I have an ASP.NET 4.5 / C# site where I am trying to do the following. When users hit the root of the site, www.blah.com, they should be redirected to Default.aspx. This page is open and does not require login. There is a link on this page if they would like to login. However, I need to automatically redirect them to login if they try to access other pages. Some are open to all and some are not. I'm cool with assigning permissions via roles per page or per folder. The issue I have is with Default.aspx.
If a user comes to my site by typing: www.blah.com/Default.aspx then the page comes up with no redirect for a login.
If a user comes to my site by typing: www.blah.com/Admin.aspx then they are redirected to login.
My life is good so far, but...
If a user comes to my site by typing: www.blah.com then they are redirected to login instead of just loading Default.aspx. Here is the relevant web.config.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users= "?"/>
</authorization>
<system.web>
I assume my specific permission on Default.aspx overrides the generalized deny. Again, this appears to work. The issue I have is the automatic redirect to Default.aspx when someone hits the root of my site, www.blah.com.
As always, thanks!
update
I have moved everything into one of 3 directories: _public, _private, _admin. Let's not worry about _admin for now. Here is how my web.config is set up:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
.
.
.
<location path="_public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="_private">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
.
.
.
<forms name=".ASPXFORMSAUTH" loginUrl="~/_public/Login.aspx" defaultUrl="~/_private/landingPage.aspx" slidingExpiration="true" path="/" />
I am still doing something wrong. Shouldn't my users come to ~/_public/Default.aspx when they hit www.blah.com? Now it is telling me I don't have a default page specified.
Also, regarding the defaultUrl property of the forms tag. How does this tie in with the DestinationPageUrl of my login control?
Thx!
update
I updated the paths in the location tag to "~/folder" instead of "folder". Now instead of an error is just keeps taking me to the login screen. I don't have another authorization tag in the root of web.config, but I am handling the subfolders from the main web.config instead of putting a separate file in each subfolder.
Thank you all for the detailed replies. They were all very helpful and let me to a better overall solution. However, the root of my issue was something very small and annoying. Take a look at my default page again:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
Notice the path in the value. I experimented with this and found that if I lead with a tilde or a forward slash that this value is completely ignored. Once I specified it as "_public/Default.aspx" everything else fell into place and worked as expected.
I did change a few things up though. I am using three subfolders for pages: _public, _private, and _admin. _public is for anyone, _private is for anyone authenticated, and _admin is for those with special privs. I want to mention that I DO NOT have any Default.aspx file in the root of my website whatsoever. To verify the way I was specifying the path in the web.config was wrong, I have tried switching it back with exactly the same failure.
I'm curious if anyone has spotted this, and do you see it as inconsistent? Most everywhere else in my web.config I can specify a path from root by beginning with a tilde.
So, my site acts as expected...anonymous users hitting public pages works fine. Hitting private or admin pages redirects to login. Once logged in, if you were trying to get to a specific page you go there...if not, you are redirected via the defaulturl in the forms tag. Most importantly, when you type in the name of the site with no page specified, you are taken to the default page...which should have been the simplest part of it all if not for the syntax issue. So there it is....doh!
I would recommend making a landing page that will be the result of the root URL being typed in by the user.
The issue you are seeing is that default.aspx is the default document for a root URL request in IIS and is also the defaultUrl for your Forms Authentication.
Create a Landing.aspx page that has whatever message you want, link to log-in, etc.
Now make this Landing.aspx be the first default document in IIS (make sure it is before default.aspx in the list) so that a root URL request will redirect to Landing.aspx and not get involved with the Forms Authentication at all.
Also, add a <location> entry in web.config to allow all users access to the Landing.aspx page:
<location path="Landing.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
If you want to restrict users to folders, you want to create *web.config*s inside each folder (which is a lot easier to maintain than added all in main web.config).
Note: for good design practice (in traditional ASP.Net), you want to place Admin.aspx inside a separate folder. Same for user pages too which required login.
Here is an example -
Main web.config
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<system.web>
Users/web.config
Deny anonymous access. In other words, user is required to login before accessing any pages inside User folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Admin/web.config
Deny everyone except users in Administrator role.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
try the following:
Create a folder for example admin and put the Login.aspx there
Set authentication to forms
<authentication mode="Forms">
<forms name="HIVLogin" loginUrl="~/admin/Login.aspx" timeout="20" protection="All"/>
</authentication>
then under system.web
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<allow users="Admin" />
<deny users="*" />
</authorization>
</system.web>
There is no need to write any code to set a page as your default page in ASP.NET. Got to Solution Explorer and right click on the page you like to set as default and click on Set As Start Page.
You need to add following mappings under section<system.web>.
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/Default.aspx" />
</urlMappings>
This will redirect to default.aspx when you browse root url i.e www.domain.com or localhost.
Thanks.
I spent about 6 hours debugging the issue. Our website was working fine, and suddenly it started redirecting to login page instead of default page (unauthenticated). Our web.config included all authentication/authorization settings correctly.
<authentication mode="Forms">
<forms name="MyAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.htm" />
</files>
</defaultDocument>
...
</system.webServer>
<location path="default.htm">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
...
SOLUTION: You need to remove Extensionless URL feature from your website. Ref: https://support.microsoft.com/en-us/help/2526854/users-may-be-redirected-to-the-login-page-of-an-asp-net-4-application
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
After the fix, the website was back to normal.
How to restrict folder access in asp.net
like I don't want any other to see my Uploads folder in browser by link http://www.example.com/Uploads
For the future generation the answer which works for me is to use hidden segments.
If you want to secure e.g. Uploads folder go to your root Web.config and add into <system.webServer> following element:
<security>
<requestFiltering>
<hiddenSegments>
<add segment="Uploads"/>
</hiddenSegments>
</requestFiltering>
</security>
This will prevent all users from direct access to Uploads folder and its content.
You can do like #klausbyskov mentions, to add <authorization />'s to the root web.config, like:
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
or you can add a web.config to the folder where you want to allow/deny access with the following content:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Of course replace the <allow /> and <deny /> with you own rules
You should add a web.config file to said folder and put an <authorization> tag in the file, as described here.
You can manage folder browsing in IIS settings.,
Open IIS Manager and navigate to the folder you want to manage.
In Features View, double-click Directory Browsing.
In the Actions pane, click Enable/Disable.
This is for IIS7.
you can also use commandline for this.
appcmd set config /section:directoryBrowse /enabled:true|false
Hope this helps...
Happy Programming,