<authentication mode="Windows"/>
<authorization>
<allow users="USERS"/>
<allow roles="ROLES"/>
<deny users="*"/>
</authorization>
Is there a way to write an if statement in here to detect what url I am on so I can allow a certain role for that certain URL.
Example code in my head of what I kind of want to see:
If (UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
ElseIF(UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
ElseIF (UCase(Url) = UCase("URL")) Then
<allow roles="ROLES"/>
End If
<deny users="*"/>
Is this even allowed in the web.config? If it isn't how could I go about doing this?
I have 3 websites. One for Dev, UAT and PROD. Now for each sites I have different user groups for each set up. I just want to find a way that I can just find what URL i'm at and point it at the certain user group. I'm guessing I have to make a web.config for each because you can't do conditional statements but I'm just making sure. If I have to make a web.config for each how can I go about setting that up?
Edit (changed the whole answer as I think your issue is now different)
Your best option is to have different configuration settings in each web.config which is what web.config files are for. You might have to look at your deployment process if you deploy the web.config each time (either manually or automatically).
Another option would be to instead have your application do the authorisation by knowing what environment it is running in and denying access using code. That path is obviously more work than something that has already been provided, but is an option.
Alternatively (and most of the time better) you should place additional web.config files in your subfolders - then the folder itself defines who can access it.
In these web.configs all you need to have is the authentication section that will override parent folder authentication.
In general this only works properly in webforms, as MVC got rid of meaningful folders and supports different security model entirely (the one where Controller has to figure out the access via new security attributes)
If you are deploying the same web application to different environments, then you can consider using web.config transformations. With this approach you can have a special file for each environment that will take the default development web.config and change only certain values, in your case the <authorization> tag (or maybe also the <connectionStrings> or <appSettings> tags if you want to).
In Visual Studio it looks like this:
This only works for Web Application Projects, not for Web Site Projects (), and only with Visual Studio 2010 and later.*
You need to create a solution configuration for each environment first. From the main menu, select Build > Configuration Manager. Here you can manage each configuration. By default you will have Debug and Release, you can add UAT and Production configurations for your solution for example.
Then you can right-click the web.config file in your Web Application project and click Add config transforms and you will find a new transform for each configuration:
web.config
web.Debug.config
web.Production.config
web.Release.config
web.UAT.config
Now you must write the transformation, in your case, it would look like this (for web.UAT.config):
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<authorization xdt:Transform="Replace">
<allow roles="USER-ACCEPTANCE-TEST" />
<deny users="*" />
</authorization>
<system.web>
</configuration>
Notice how we instruct the transformation to replace the <authorization> tag completely. This will happen when you publish the web application (right click and select Publish...), for example to a folder on your desktop for transferring by FTP to the UAT server.
See here for some tutorials:
http://blogs.msdn.com/b/webdevtools/archive/2009/05/04/web-deployment-web-config-transformation.aspx
http://msdn.microsoft.com/en-us/gg454290
http://msdn.microsoft.com/en-us/library/ie/dd465318.aspx
Although you can technically use it in a Web Site project, it's not easy. You will have to use the Visual Studio command line to run msbuild.exe. See some of the tutorial above for how to do that as well).
Replace on your roleManager like this:
<roleManager enabled="true" defaultProvider="DefaultRoleProvider">
Related
I'm using asp.net mvc 2 and vs 2008.
I'm trying to make website with forms authorization. When i'm trying to restrict access to some pages, i'm using asp.net administration tool. There i create rule, for example, to deny access to anonimous users to whole web site. Administration tool, as expected, adds following section in the root web.config file:
<authorization>
<deny users="?" />
</authorization>
When i do same thing in some subfolder, as example %ApplicationRoot%/View/Protected, administration tool, as expected too, adds web.config file in mentioned subfolder, with following code:
<configuration>
<system.web>
<authorization>
<deny users="UserName" />
</authorization>
</system.web>
Prime difference between theese files is that root web.config authorisation section has some effect(generally speaking, it works as planned - denies all unauthenticated users from whole website). But subfolder web.config authorisation section have no effect at all.
I found that then added to root config file, following code
<location path="Protected">
<authorization>
<deny users="UserName" />
</authorization>
</location>
does the work greatly - it, as planned, denies %UserName% acces to all views, located in %ApplicationRoot%/View/Protected Folder.
This behavoir is simmilar with cassini and iis, i tried both.
The main problem is that i need kind administration tool to do the work, so i'm asking for any help with issue - why doesn't authorisation section works when web.config is located in subfolder?
P.S. I tried to place incorrect code in between <authorization> and </authorization> in subfolder's web.config:
<authorization>
asdfg
</authorization>
No effect. Probably the whole section is ignored due to some issue?
P.P.S. Incorrect code out of the authorization section in the same file causes an error
Your problem is that your application is not a classical ASP.NET Web Forms application.
What you're trying to do would work perfectly in Web Forms, but not in MVC.
In MVC world when browser requests page /People/SmartList it's not necessarily that it would be shown the /People/SmartList.cshtml from your project. In fact, your project could not even have the /People/ folder at all. The view (.cshtml file) which will be shown by MVC engine is determined by routes. And that MVC routing engine doesn't look at all at your web.config files, when it accesses those .cshtml files. Now, you can see, why your web.conig files are ignored.
But you're still able to do the authorization. Instead of using web.config files you should use the [Authorize] attribute and apply it to appropriate controller's action methods, or even to a whole controller class.
[Authorize(Users="UserName")]
public ActionResult ShowRestrictedData()
...
I'm trying to add a directory for anon access in IIS 7.5. It works under Web Dev but not IIS 7.5
I'm currently using this web.config in the directory. This is a directory with style sheets:
<?xml version="1.0"?>
<!--
Note: As an alternative to hand editing this file you can use the
web admin tool to configure settings for your application. Use
the Website->Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Update:
I've went to the folder and under Authentication, I've changed anonymous authentication from IIS_USR to pool. This seems to have correct it.
I will reward anyone who provides a very good explanation and resources for understanding this setting. Also, how to apply it globally would be good to know -- for all folders.
Since you answered your own question, here is the explanation that might help
Authorization deals with who IIS will offer resources to. Those resources, however, have their own security as they are just files on a file system.
The Authentication element in the config assists in determining how IIS will identify a user's requests after its accepted and as it accesses resources beyond/external to IIS.
This is set at the site level, typically in the applicationHost.config file for your server. It can, if properly setup, be overridden at the site level.
IIS.net pages about this:
http://www.iis.net/ConfigReference/system.webServer/security/authorization/add
http://www.iis.net/ConfigReference/system.webServer/security/authentication/anonymousAuthentication
The .config version of what you did in the UI is:
<location path="/yourSite">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" username="" />
</authentication>
</security>
</system.webServer>
</location>
On the anon. auth method, the username field is who IIS will impersonate when resources are accessed. When you don't specify one, it defaults to use the identity of the apppool.
Now, as to why this mattered ... check the actual file on disk (the .css). If this fixed the problem that would mean IUSR doesn't have access to read that file.
You don't have a location defined for your authorization. You also don't specify what sort of authentication you're using within the web.config (if any).
<location path="/">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I am upgrading my site to IIS7, .NET 4.0 and Integrated Pipeline and am having some issues.
I have a sub application (virtual directory on a remote server) in my IIS install which contains static files, and I want it to be authenticated using WindowAuthentication where as the rest of my site will be using FormsAuthentication.
It has a web.config that looks like:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="?" />
</authorization>
</system.web>
I add the 2 authentication modules in the parent web.config and remove the default managedOnly precondition. Although, obviously because of the remove statement the directory is not under any authentication. However if I remove those lines, I get a generic server 500 error. Am I missing something else?
Okay, so the reason this was happening was actually pretty simple, the application didn't have a Bin directory and so it didn't have any of the DLLs it needed and so it was throwing an error because it didn't know how to create a new WindowsAuthenticationModule
When I run my website through debug mode in visual studio everything looks great and all the images on the page show up fine. But once I deploy my website to an IIS7 web server (doubt that other versions would make any difference, but you never know) then users can't see the images on the site until they log in.
The website is an asp.net MVC site and I'm new to MVC, though I do have lots of experience with asp.net forms. It seems that only authenticated users are allowed to access the images folder, and there is an authorization section in my web.config saying that only admins can access the site, so how do I make it so that all users, authenticated or otherwise can view the images?
-- Update --
I tried putting in the configuration block suggested, which from everything I can tell makes perfect sense, but it didn't seem to make a difference. The sample below has Content/Images for the path but before that I tried just Content, since it's OK for everything in there to be accessible. I also tried setting the allowOverride setting to false, which also didn't seem to make a difference.
<location path="Content/Images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
--Update 2--
Funny thing is that I don't even see any explicit deny entries in my web.config, just an allow for admin's, and when I went into IIS 7 and used the UI to allow all users access to the Content directory it didn't show any deny's on the list either. But then again, this project works fine when I just debug it from my personal computer, it's only after I deploy it that I have problems...
<authorization>
<allow roles="admin" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
In your web.config file, after the </system.web> tag, add the following
<location path="images">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
where path="images" is the name of the folder with your images/css.
Update:
If you're using ASP.NET MVC, I would remove the authorization declaration in the web.config file and use the [Authorize] attribute on the controllers that need to be locked down.
You can also specify the roles you want to grant access to using [Authorize("admin")].
By default, the configuration you define in a Web.config file, applies to every subdirectory of its containing folder. If you have a Web.config in the application root, that configuration will propagate to every subdirectory, including those where you have images and Css style sheets. So, if you have in your root Web.config a rule like this one:
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
anonymous users will not be able to access the resources needed to display the page like you would expect it.
To fix it, you need to include another Web.config in every subdirectory that has presentation resources, and apply the rules you want to override. In your case, this should do the work:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
If you are using Themes, place a single Web.config file in the theme folder.
Just ran into the same problem. We noticed it on our Login page. The CSS and images weren't loading (they were under the content directory). Adding IUSR to the folder with Read privileges fixed it for us.
Old question but I came across the same problem and found the answer.
I had created a new folder for the Membership pages that I wanted logged-in users to have access to, but the images wouldn't show up in them!
It turns out that no matter what I tried I couldn't set a relative path to the images from within the Members folder.
The problem was the html image (as far as I could tell anyway, correct me if I'm wrong).
I swapped it out for an asp:image with a relative path and now it works great.
My new code: asp:image runat="server" id="Logo" ImageUrl="~/Images/logo.jpg"
Notice the ' ~/ ', that wouldn't work for me with
I tried: img src="../Images/logo.jpg", img src="~/Images/logo.jpg", img src="/Images/logo.jpg", etc. to no avail.
Hope this answer helps someone solve this problem more quickly in the future.
Try browsing the image file directly and see if that comes up for an anonymous user. In IIS 7, there is a way in which you can authorize anonymous users directly from your UI [which in turn would create the web.config if it doesn't exist].
Folder -> .NET Authorization Rules -> Add Allow Rule
Are you using membership framework. I suspect that you have misconfigured your permission settings in web.config and your images folder is only allowing authorised requests. This can be easily change via web.config. Just remove the folder name from your authorised section and this should solve the problem.
For your reference this should be the section in web.config if you are using membership framework :
<authorization>
<deny roles="xyz" />
</authorization>
We came across the same problem in our project and found a solution, although we are not sure about the reasons of this behaviours.
We had a similar scenario, with a folder containing all our png images. Our marketing colleague wanted to rename some of them, so to make it easier for her, we shared (this might be the key) that folder, granting read/writer rights to her.
From this point, the images started behaving as you describe, requiring authorization for being accessed. No unauthorized user could see them any more.
We realized that the problem was related to sharing the folder because it started happening at that point of time. Otherwise we still don't see any relationship among ASP.NET MVP user authorization/login and hard disk user rights. We could have expected an IO Exception or something similar, but not this behaviour.
After checking the folder, and comparing with other folders, we realized that after sharing, the permissions on the folder had slightly changed. Mainly they did not inherit from its parent folder anymore and some permissions such as CREATOR OWNER and MACHINE_NAME\Users had dissapeared (although IUSR and the app pool user were still there).
So, we renamed that folder, created a new one with the same name, and copied the content from the old folder to the new one. The new folder had the permissions inherited from its parent and everything started to work perfectly again.
It solved our problem, but we are still not sure why this all happened this way.
Regards
How would I go about setting different authentication tags for different parts of my web app? Say I have:
/
/folder1/
/folder2/
Would it be possible to specify different <authentication/> tags for each folder?
I want folder1 to use Windows authentication but folder2 use Forms authentication.
I tried doing in a <location/> tag but it doesn't look like you can have <authentication/> tags in a <location/> tags, at least not via VS 2008 with it's built in webserver.
This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
<location path="/folder1">
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can only have <authentication /> on the top level web.config. You may have to create multiple applications. ie you can create an application within an application and use different authentication modes in each one.
I think you can set the forms authentication authorization on folder1 to
<allow users="*" />
then control the windows access via setting windows permissions on the folder.
I haven't tried it, but I can't think of why that wouldn't work.
These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.
Once you done this, the folder will have a different icon in the IIs manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.
More information available at Creating Applications.