I'm working on restricting access of static PDF files to only logged-in users. I only want to use a server-side redirect from the resource when a request comes that doesn't have the proper credentials.
I could use an IHttpHandler and set the path value, but I don't want to have to hand-serve the file. I would like requests from logged-in users to pass straight through, more like an IHttpModule, except I can't set a path to restrict the files that the module will act on.
Is there a way to pass requests through a handler, or limit the path of a module?
EDIT
It may also be useful to note that I want to redirect the user to a login page with a specific query string parameter redirecting the user back to the resource if login is successful.
If these are really static resources (exist on disk) then you could just stick them in a folder and restrict that folder using a location element in the web.config
<location path="MyPDFs">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
This will prevent any unauthorized users from being able to access any files located in the MyPDFs folder within your site.
If you only want a subset of those files, then you can create a sub-directory and secure it in a similar fashion.
<location path="PDF/SecureSubDirectory">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
UPDATE:
It may also be useful to note that I want to redirect the user to a login page with a specific query string parameter redirecting the user back to the resource if login is successful.
This is all handled for you by default when using Forms Authentication in ASP.Net
Any request for a resource that fails because a user is not yet authenticated will automatically be redirected to the configured login page defined in your web.config.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
    </forms>
  </authentication>
</system.web>
It appends a query string parameter that refers to the originally requested resource. Once the user successfully authenticates, they are redirected back to the URL they originally requested.
All this is baked into the framework :)
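The path-scoped module the question asks about (authenticated users pass straight through, anonymous requests for PDFs are redirected to the Forms login page with a ReturnUrl back to the file), as an added example that is not code from the question or the answer above; the folder name ~/MyPDFs/ and the class name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;

namespace Examples
{
    // Hypothetical module: it only acts on requests under one folder, so
    // nothing has to be hand-served; IIS still serves the file itself.
    public class PdfAuthModule : IHttpModule
    {
        // Assumed folder holding the static PDFs (not from the original post).
        private const string ProtectedPath = "~/MyPDFs/";

        public void Init(HttpApplication app)
        {
            // PostAuthenticateRequest: the Forms cookie has already been read,
            // so context.User is populated before we decide anything.
            app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        }

        private static void OnPostAuthenticateRequest(object sender, EventArgs e)
        {
            var app = (HttpApplication)sender;
            var ctx = app.Context;
            string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

            // Scope the module to the protected folder and to .pdf files only.
            if (!path.StartsWith(ProtectedPath, StringComparison.OrdinalIgnoreCase))
                return;
            if (!path.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
                return;

            // Logged-in users fall through to the static file handler.
            if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
                return;

            // Anonymous: 302 to the <forms loginUrl> with ReturnUrl set to the
            // requested PDF, the same query string Forms Authentication uses.
            FormsAuthentication.RedirectToLoginPage();
            app.CompleteRequest(); // skip the rest of the pipeline for this request
        }

        public void Dispose() { }
    }
}
```

Register it under <system.webServer><modules> as <add name="PdfAuthModule" type="Examples.PdfAuthModule"/> without a managedHandler preCondition, so that in IIS integrated mode it also runs for static .pdf requests; in classic mode static files never reach managed code unless the .pdf extension is mapped to ASP.NET.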
Related
I have an ASP.NET web application. I want to allow only authenticated users into this application. Any anonymous user should get an access denied error or be redirected to the login page. So I added the “authorization” element in the config file to deny all anonymous users. I excluded the login.aspx page so anonymous users can access it.
<system.web>
  <authentication mode="None" />
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
NOTE: This application uses Azure AD for authentication, that's why you see authentication mode="None". When a user accesses the login page it just redirects the user to the Azure site for authentication. And this authentication piece is working fine.
Questions
1. Consider my application is hosted in local IIS. Since only login.aspx is excluded from authorization, if I type http://localhost I get an access denied error. I have to explicitly type http://localhost/login.aspx to log in. How do I change this so that when I type http://localhost IIS will redirect to http://localhost/login.aspx? (I have already tried setting login.aspx as the first page under Default Document in IIS.)
2. What configuration do I need to do so that if an anonymous user tries to access any resource under http://localhost he gets redirected to http://localhost/login.aspx? (This would also take care of the 1st question.)
Add your startup page name in the Default Document option, like the snagit below:
Open IIS (Internet Information Services) Manager
Select “Default Document”
Add your file path to be the homepage
I am using my own authentication method with cookies and username/password verification from the database, but when I debug my application I can access any folder and image, PDF, etc. files by directly typing their URL without logging in. So I want all such unauthorized access to folders and files to be redirected to the default.aspx page.
Please help me.
Try this,
<location path="[subdir1]">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Change [subdir1] to the folder you want to protect. For more info see here.
Try these
Use ASP.NET authentication; for more info go here.
Use the global.asax file's BeginRequest event and do your custom code there to check for a valid user; for more info go here.
In ~/tools/ I have a web.config file that contains the following:
<system.web>
  <authorization>
    <allow roles="admin" />
    <deny users="*" />
  </authorization>
</system.web>
Requests to ~/tools/mypage.aspx require the user to be in the admin role. If I use URL routing and have requests to ~/categories/mytools route to the above page, forms authentication does not require the user to be in the admin role. How do I use forms authentication on a virtual routed URL?
So I need to add this to my web.config:
for every virtual URL that needs forms authentication? Seems repetitive if this has to be done with every URL that is directed to a 'protected' destination page. Is there another solution?
Since ~/categories/mytools is not explicitly ~/tools, the web.config authorization does not get called, even with virtual routing. You will need to replicate the web.config files across the directories to achieve this effect. To avoid doing double duty, you might want to put these entries into the root web.config, listing their specific directories or files for exact permissions.
In my ASP.NET MVC project I have the following tag in the web.config file:
<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
This causes even authenticated users who request an unauthorized resource to be redirected to the logon page. But I need to redirect to the logon page only if the user tries to access an unauthorized page and is not already authenticated (logged on); otherwise I want to redirect to a custom page.
Is there an easy way to do this without writing a custom action filter?
All that this line in web.config does is define the timeout of the authentication cookie and the login URL. It is your code that decides which parts of the site are authenticated or not, for example by decorating your controllers and/or actions with the [Authorize] attribute.
Please check your "authorization" setting in the web.config file. It should be something like:
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
Also, when the user authenticates successfully, make sure you call
FormsAuthentication.SetAuthCookie(<username>, false);
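The behaviour the question asks for (only unauthenticated users go to the login page; authenticated users who lack the required role go elsewhere) can be had by subclassing the [Authorize] attribute mentioned in the answer, since the base class answers every failure with a 401 that the Forms Authentication module turns into a redirect to loginUrl. This is an added example, not code from the question or the answers; the access-denied URL ~/Error/AccessDenied and the attribute name are assumptions.

```csharp
using System.Web.Mvc;

namespace Examples
{
    // Hypothetical attribute: same user/role checks as [Authorize], but a
    // logged-on user who fails them is sent to a custom page instead of the
    // login page (logging in again cannot fix a missing role).
    public class RedirectingAuthorizeAttribute : AuthorizeAttribute
    {
        // Assumed location of the access-denied page (not from the original post).
        private const string AccessDeniedUrl = "~/Error/AccessDenied";

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var user = filterContext.HttpContext.User;

            if (user != null && user.Identity.IsAuthenticated)
            {
                // Authenticated but not authorized: 302 to the custom page.
                filterContext.Result = new RedirectResult(AccessDeniedUrl);
                return;
            }

            // Not logged on: let the base class return 401 so the Forms
            // Authentication module redirects to loginUrl with ReturnUrl set.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

// Usage on a controller or action, exactly like [Authorize]:
// [RedirectingAuthorize(Roles = "admin")]
// public ActionResult Manage() { ... }
```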
I want, when I type http://localhost/Admin, to take me to the page http://localhost/Something/Login.aspx. How can I do this?
What you are looking for is called Forms Authentication. A very short introduction follows.
You need to create a login page that makes a call like this, after verifying the identity of the user:
FormsAuthentication.RedirectFromLoginPage(userName);
Then you need to wire up the login page in the web.config file:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Something/Login.aspx" />
  </authentication>
</system.web>
Furthermore, you will need to tell the framework that all URLs below ~/Admin/ require the user to be authenticated. This can be done by adding another web.config file within that folder:
<system.web>
  <authorization>
    <deny users="?" />
    <allow users="*" />
  </authorization>
</system.web>
Read the article linked above, or search the web for "ASP.NET forms authentication" and you will soon be on the right track.
EDIT 1 - If all you want to do is really to "make a redirect to a specific URL", then this is sufficient:
Response.Redirect("~/Something/Login.aspx");
From the URLs you mention in your question, it seems that you are trying to enforce some kind of authentication/authorization scheme. If this is true, forms authentication is a better answer.
EDIT 2 - If you want to rewrite, not redirect, requests from ~/Admin to ~/Something/Login.aspx you can do so by adding a URL mapping in your root web.config file:
<system.web>
  <urlMappings>
    <add url="~/Admin/Default.aspx" mappedUrl="~/Something/Login.aspx"/>
  </urlMappings>
</system.web>
In most setups, the web server will only pass the request to ASP.NET if the requested URL ends with a known suffix, such as .aspx. One approach to get the web server to pass requests for ~/Admin to ASP.NET is to use the "default document" feature of the web server. For this to work, you must add an empty file named Default.aspx in the ~/Admin folder.