when i use:
<deny users="?"/>
in "authorization" tags, CSS stop working for unauthorized visitors. how can i define a exception for css files. i want them to apply to all visitors.
this is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
i did edit my web.config to this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
<location path="styles">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="styles/welcome.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
and it's working.
thank you.
Add the location of your CSS to your web.config. You can put it completely at the end, just before the </configuration>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Of course, change "css" to the real folder of your css file... It is the easiest to put it in a separate folder where all items are public. Just like your images etc.
You are probably blocking access to the folder where you store css files.
Try to allow everybody to access your css-folder even if they are not autorized.
You can use the Location element to define which part of your site the configuration applies to:
(from MSDN)
<location allowOverride="True|False" path="path" />
Related
I want to configure the application and prevent the user from going directly to any page in the application without signing in but any user can access the websites homepage.
But when I run the homepage ,login page or any page of the website, I am getting this error:- The requested page cannot be accessed because the related configuration data for the page is invalid.
I can't find out where I am making mistake. I have posted my web.config file . have a look over it .show me where I am making mistake and what is the solution.
web.config
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="FIRST PAGE">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Registration">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="AdminHome">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Student">
<system.web>
<authorization>
<allow roles="Student"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Teacher">
<system.web>
<authorization>
<allow roles="Teacher"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None"/>
</appSettings>
</configuration>
ERROR
the homepage of the website is under the folder FIRST PAGE and login and register page is under the folder Registration
The <authentication> part of your configuration should be inside the <system.web> section
MSDN authentication Element
Just edit your web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
I have a web.config file, which I want to transform using SlowCheetah. The relevant fragment looks like this:
<configuration>
<location path="ui/cms">
<system.web>
<authorization>
<allow roles="AAA" />
</authorization>
</system.web>
</location>
<location path="WebServices">
<system.web>
<authorization>
<allow roles="BBB" />
</authorization>
</system.web>
</location>
</configuration>
I want to transform value BBB to CCC, so I wrote my Web.CCC.config transformation file:
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices">
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, it results in CCC being inserted into <location path="ui/cms"> instead of <location path="WebServices"> - probably because it is the first one it locates in my web.config file.
How can I make SlowCheetah notice the different path parameter, and replace the correct node in my xml file?
As it turns out, this can be obtained using xdt:Locator in a transformation file.
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices" xdt:Locator="Match(path)>
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Hope it helps anyone. Rubber duck debugging seems to work even with SO.
How can I restrict access to the root folder and all sub folders of my website? I have an ASP.Net Webforms application using Identity for authentication. Users will have accounts created for them. When a user goes to the website the first thing they should see is the login page. I've tried "/", "~/", "", values in the Location tag, as well as simply not having the location tag in the web.config file but none of these produces the desired result.
<location path="/">
<system.web>
<authorization>
<allow users="user1#mydomain.com"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<pages>
<namespaces>
<add namespace="System.Web.Optimization"/>
<add namespace="Microsoft.AspNet.Identity"/>
</namespaces>
<controls>
<add assembly="Microsoft.AspNet.Web.Optimization.WebForms" namespace="Microsoft.AspNet.Web.Optimization.WebForms" tagPrefix="webopt"/>
</controls>
</pages>
<membership>
Remove the <location> element and try the following config:
<system.web>
<authentication mode="Forms">
<forms name="FormsAuth" loginUrl="/your-login-path" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
There may be further adjustments you'll need to make on the <forms> element depending on your enviroment/setup etc, but this should get you going.
EDIT
The above doesn't work for ASP.Net Indentity. The only way I could get this to work was creating individual <location> elements for every page, in the root and subfolder web.config, explicitly denying or allowing users as needed.
<location path="Default.aspx">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="None"/>
...
</system.web>
In your Root Web.Config Add:
<authorization>
<deny users ="?"/>
</authorization>
In your Account/Web.Confing Add:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
That worked for me
In my ASP.NET's Web Config file I have the following location elements defined:
<location path="">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="dir1">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="dir2">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
The example above is specifying that all directories will be locked down to anonymous users except the two directories dir1 and dir2.
I'm curious if there is a syntax that I can use that will allow me to define more than one directory within one location element. For example, it would be convenient if we could do something like this...
<location path="dir1,dir2,etc">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
You cannot specify multiple elements in the path attribute, but you can make use of the configSource attribute.
For example, the following original web.config file:
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can be replaced by the following equivalent web.config, allow.config, and deny.config files:
web.config
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
</configuration>
allow.config
<?xml version="1.0"?>
<authorization>
<allow users="*"/>
</authorization>
deny.config
<?xml version="1.0"?>
<authorization>
<deny users="*"/>
</authorization>
The usefulness of this approach increases as the number of allow/deny rules in each section increases.
sorry, but path property doesn't allow to use ","
so you must write tag for all path,
Or you can create web.config in each directory.
it is possible to set path to a specific folder.
For example we have some aspx pages:
/data/pages/form1.aspx
/data/pages/form2.aspx
/data/pages/form3.aspx
By creating this rule in web.config:
<location path="data/pages">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
All resources in data/pages will be affected.
I had a similar issue. so went with the normal way of creating separate tags, no other BETTER solution.
Does anyone know of a good link to explain how to use the web.config......
For example, i am using forms authentication... and i notice there is a system.web and then it closed /system.web and then below configuration there are additional location tags
here is an example, if you ntoice there is an authentication mode=forms with authorization i presume this is the ROOT....... It is also self contained within a system.web .... Below this there are more location= with system.web tags....
I have never really understand what i am actually doing.. I have tried checkign the MSDN documentation but still i don't fully understand up....
Can anyone help?
If you notice with my example.... everything is stored in 1 web.config... i thought the standard waas create a standard web.config and then create another web.config in the directory where i wish to protect it..???
<configuration>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" cookieless="UseCookies" timeout="60"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="Forms">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Forms/Seguridad">
<system.web>
<authorization>
<allow roles="Administrador"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
Standard entries (web.config is extensible) are well documented therein.
http://msdn.microsoft.com/en-us/library/aa719558.aspx
is a good start.
It is - as should be obvious - XML based, btw.
You can place following web.config file in Forms/Seguridad:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>