I'm using VS 2010 with .NET 4.0 and SQL 2008 Membership/Role providers. My goal is to only allow access to a folder named "members" (and it's subdirectories) for those users that have logged in and are in the role of "member". There are not any asp pages in the "members" folder, just files such as jpegs. On my development machine, I have configured my root web.config file as follows:
<authentication mode="Forms">
<forms loginUrl="default.aspx" />
</authentication>
</system.web>
<location path="members">
<system.web>
<authorization>
<allow roles="member"/>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
This all works fine on my development machine. However, when I publish to my production server it does not work ... all users can access the folder "members" not just the users that have logged in as a "member" role.
My production server is running IIS 7. I think the problem lies there. I added Authorization Rules in the IIS Manager for "member" to allow access and deny anonymous users. This made no difference.
Any ideas?
Thanks ... Bob
PS: I propose calling them mouse users, I hate spelling anonymous.
Fixed, roles were incorrect in IIS.
Related
I am working on ASP.NET web application hosted on IIS 7.
I have to provide access to only authenticated users to a particular list of pdf kept in a folder "PdfFiles" in root directory.
I was trying below configuration settings in web.config, but it did not work, with this setting still this folder is accessible to all the users. I have form authenticated enabled for this site.
<location path="PdfFiles">
<system.web>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
Also I noticed that anonymous authentication was enabled for "PdfFiles" folder in IIS. If I disable this, it does not allow authenticated or anonymous, any of the user to access the pdfs.
So configuration change or IIS change, none of them worked. Can any one help me out on this issue?
I have a website that is hosted on my local machine for development. I have a virtual directory named "content" that contains the images for my website (mapped to the physical path "C:\Content" in IIS). The problem is that when a user is not logged into my website, the images don't show up. I've tried putting a web.config file in the content folder using this
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
but that doesn't work. I've also tried adding this to my website's web.config file
<location path="Content">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
but that's not working either. Any suggestions?
The <system.web><authorization> element only refers to content handled by the ASP.NET runtime, not IIS itself (which is <system.webServer> and has a totally different schema). However the Cassini/dev server in VS does use <system.web><authorization> for all resources because ASP.NET handles every request under Cassini.
Check your IIS Authentication rules, as well as your NTFS ACLs. Ensure that Anonymous Authentication is enabled and the correct user identity is set. You can do this in IIS Manager.
Many thanks in advance. When running the ASP.NET Development Server, everything is working fine. However, when I deploy my asp.net application to the production server (IIS 7.0 integrated mode, fresh install), my location tags in my web.config file are being ignored.
Case in point: I'm using forms authentication, and when the user arrives at my login.aspx page, the external css & js files are not being loaded...even though I have specified that those files should be available to all users (auth'd or not). However, once the user is logged in, the files do in fact load.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<authorization>
<deny users="?" /> <!-- Restrict anonymouse user access -->
</authorization>
And the exception to my css file...
<location path="Styles/xtools.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I've verified that the path to the css file is accurate. Any suggestions?
Thanks, --Dan
--EDIT
Forgot to mention, I have tried creating a web.config file in the targetted folder as well...still not working.
Just got it. It wasn't enough to give IIS_IUSRS permissions on the folders containing the app ...I needed to give IUSR permissions, as well.
Problem solved. Thanks, ben f!
I have an asp.net web site, I want restrict all users to access a folder named "log" and I have this element in web.config:
<location path="log">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
to avoid this confusions I usually create one web.config file at the directories i need to set different permissions.
If you place a web.config file inside your log folder it will work ok (and it will become easier to check the applied permissions at the folder)
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single
authentication mode for one
application.
The different
applications CANNOT share resource
among them.
Scenario
Let's say the home page should not prompt login dialog. It should let users pass through without whatever login is. However, in the same applicatiopn, in a different folder presumably, another page needs to check user permission against database table using user network login ID. By default IE treats all web site with only hostname a Intranet. By its default intranet setting, it will not prompt the login dialog and pass user login and password to the application if Windows Authentication is used. However, the tricky party is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt the login and password if Windows Authentication is used.
The only way to not to promopt login dialog for Internet site using Windows Authentication, is to also turn on the anonymous authentication in IIS. However, you will lose the ability to capture the login info because the Anonymous has precedence over the Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to overwrite the parent authorization in Location element in web.config.
1 In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2 Add the followings in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc...), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.
I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.
My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.
However, I'm not finding a way to selectively disable forms auth.
Question: Is there a way to do this? I've tried the <location> tag in web config to no avail.
If not, what are your recommendations for how to set this up? I can think of the following options:
1) Create a new "Services" project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).
2) Create a separate "Services" solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)
3) ??
Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/Services/MyService.asmx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I would think the location tag would work, where you specify the services folder and allow all users, something like:
<location path="services">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
But you said that didn't work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?
You could also have a (overriding) web.config file in the services folder with the access control set to anonymous.
what worked for me was to allow users all users access in the folder where my webservices is located.
Firstly i added a configuration file in that folder and inserted the code below to allow all users.
<authorization>
<allow users="*"/>
</authorization>
</system.web>