validateRequest="false" not working, even with requestValidationMode="2.0" - asp.net

I have an ASP.NET Web Site running in Visual Studio dev-fabric (azure project) and am using ACS and WIF. My authentication process isn't working because after I login I get this:
A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
The documentation states that I need to add
<pages validateRequest="false" />
and
<httpRuntime requestValidationMode="2.0" />
And I did - but I'm still getting the error. I've also added validateRequest="false" at the page level. But nada - still getting the same error.
These steps seem to have fixed the issue for other posters - is it something to do with running in dev-fabric perhaps?

I hadn't realised, but I'd accidentally added these settings within a location tag created by WIF:
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<!-- wrong! -->
</system.web>
</location>
<system.web>
<!-- right! -->
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
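The following web.config is an added example, not the poster's file. It shows the whole layout that the answer above implies: the WIF-generated `<location path="FederationMetadata">` block left untouched, `<httpRuntime>` at application level (it is an application-scoped section, so inside a `<location>` for a sub-folder it never reaches the page that receives the token), and `validateRequest="false"` scoped to a single page instead of the whole site, so every other page keeps request validation. The reply page name `SignInReply.aspx` is an assumption; it has to match the reply address configured in ACS, and it should be an explicit page rather than the bare site root, because a `<location>` for a default document is not applied to a request for "/" (see the "Allowing anonymous access to default page" question further down this page). The `<authentication>` and `<authorization>` entries are the usual WIF defaults and can be replaced by the site's own.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Left exactly as WIF generated it: only the authorization override belongs in here. -->
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Application-level settings. requestValidationMode must be set here;
       it cannot be placed inside a <location> element for a sub-path. -->
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
    <!-- Request validation stays on for every page not listed below. -->
    <pages validateRequest="true" />
    <authentication mode="None" />
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Assumption: ACS posts the wresult form value to /SignInReply.aspx.
       Only this page accepts the raw <t:RequestSecurityTokenResponse> markup;
       it must be reachable anonymously, since the user is not signed in yet. -->
  <location path="SignInReply.aspx">
    <system.web>
      <pages validateRequest="false" />
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If a request to any other page still trips the "potentially dangerous Request.Form value" error after this change, that page is reading the token itself and should not be; only the reply page listed in the `<location>` is exempt.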

Related

Cannot configure Windows authentication for a ASP.NET MVC5 site

I have a site that uses OWIN authentication. All works perfectly, however, I need to restrict access for this site before placing it to the public.
To accomplish this, I want the system to present the Windows authentication dialog box before the home page is loaded.
I put this in web.config of the site:
<system.web>
<customErrors mode="Off" />
<compilation targetFramework="4.6" />
<httpRuntime targetFramework="4.6" />
<authentication mode="Windows" />
<globalization culture="es-CL" uiCulture="es" />
<authorization>
<deny users="?"/>
<allow users="Demo" />
</authorization>
</system.web>
But the home page does not work.
When I try to load the home page, this URL is actually loaded:
http://demo.site.cl/Security/Account?ReturnUrl=%2FSecurity%2FAccount%3FReturnUrl%3D%252FSecurity%252FAccount%253FReturnUrl%253D%25252FSecurity%25252FAccount%25253FReturnUrl%25253D%2525252FSecurity%2525252FAccount%2525253FReturnUrl%2525253D%252525252FSecurity%252525252FAccount%252525253FReturnUrl%252525253D%25252525252FSecurity%25252525252FAccount%25252525253FReturnUrl%25252525253D%2525252525252FSecurity%2525252525252FAccount%2525252525253FReturnUrl%2525252525253D%252525252525252FSecurity%252525252525252FAccount%252525252525253FReturnUrl%252525252525253D%25252525252525252FSecurity%25252525252525252FAccount%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FSecurity%2525252525252525252FAccount%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FSecurity%252525252525252525252FAccount%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FSecurity%25252525252525252525252FAccount%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FSecurity%2525252525252525252525252FAccount%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FSecurity%252525252525252525252525252FAccount%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FSecurity%25252525252525252525252525252FAccount%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FSecurity%2525252525252525252525252525252FAccount%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FSecurity%252525252525252525252525252525252FAccount%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FSecurity%25252525252525252525252525252525252FAccount%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FSecurity%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252F
And a 404 error is shown.
How can this be done?

Deny static content for unauthorized users using web.config

In my ASP.NET MVC application I have tried to deny unauthorized users access to an HTML file inside a sub folder. But it is not working as expected. Below is the web.config section which is used right now.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Docs/help/index.html">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I think the global deny users will block all unauthorized access for all the pages; otherwise we should give specific permission. Please correct me if I am wrong.
But in my case even http://siteurl.com/Docs/help/index.html is still accessible to an unauthorized user.
IIS 7.5, .NET 4.5, MVC 4
Please help me to resolve this issue.
MG
You have two ways to achieve it.
1st: <modules runAllManagedModulesForAllRequests="true" /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config
(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add a wildcard managed handler to serve each request (including static files, which are handled by IIS directly)
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Or you might need to wrap the <authorization> tag with a <security> tag.
If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.
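Added example, not the poster's or either answerer's file: a root web.config that combines the two suggestions above. The reason the original `<location path="Docs/help/index.html">` rule never fires is that in IIS 7 integrated mode a `.html` request is served by the native StaticFileModule, and the managed `UrlAuthorizationModule` that enforces `<system.web><authorization>` only runs for requests routed to a managed handler. `runAllManagedModulesForAllRequests="true"` makes the managed modules run for every request, so the folder rule is consulted and an anonymous user is redirected to `loginUrl`. The second `<location>` block shows the alternative the answer hints at with "wrap `<authorization>` with a `<security>` tag": IIS's own URL Authorization rules under `<system.webServer>`, which need the URL Authorization role service installed on the server and answer with a 401 rather than a redirect to the login page. Either block alone is enough; the folder path `Docs/help` is the one from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <authentication mode="Forms">
      <forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60" />
    </authentication>
    <!-- Managed UrlAuthorizationModule rule: anonymous users are denied everywhere.
         A folder-level web.config or <location> can loosen this for specific paths. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <system.webServer>
    <!-- Option 1: run the managed pipeline (FormsAuthentication + UrlAuthorization)
         for static files too, so the <system.web> rules above cover .html, .pdf, .js ... -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>

  <!-- Option 2: native IIS URL Authorization for just this folder. Works without
       option 1 because it is evaluated by IIS itself, not by a managed module.
       Requires the "URL Authorization" feature under Web Server > Security. -->
  <location path="Docs/help">
    <system.webServer>
      <security>
        <authorization>
          <!-- Drop the inherited "allow everyone" rule before adding our own. -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Deny" users="?" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

A quick check after deploying: request `/Docs/help/index.html` in a fresh private browser session. With option 1 the response is a 302 to the login page; with option 2 alone it is a 401. If the file still comes back with 200, the application pool is probably in classic mode, where neither managed modules nor the Forms identity are available to the static-file pipeline.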

Change URL asp.net

I'm building a project in Visual Studio using C#.
When I try to run the program I get an HTTP 404 error.
My question is: how can I change my URL
http://localhost:55188/login.aspx?ReturnUrl=%2f
to
http://localhost:55188/Index.aspx.
The page login.aspx no longer exists.
This is my web.config
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="Forms">
<forms defaultUrl="addRole.aspx" path="/"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="LoggedIn.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
</configuration>
Thank you.
The page you try to reach requires authentication and your web.config says login.aspx can provide that. Change your web.config and you'll be fine.
Here is your web.config without authentication requirements:
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
</configuration>
As Matthias Aslund correctly stated, you have specified that you want your users to be authenticated but have not specified which Login page you wish users to be redirected to in order to login by using the "LoginUrl" attribute on the forms element in the Web.config file. The default value of "Login.aspx" is therefore being used, as specified on this MSDN page on the LoginUrl attribute. The "DefaultUrl" attribute has a different purpose and is used as the default page to redirect users to after logging on if one is not specified using the "ReturnUrl" querystring value that is visible in your URL above - see the MSDN page on the DefaultUrl attribute for more.
If you no longer have any authentication in your application, that is to say any user can access your application without a username and password, then you need to change your Web.config as follows. It is extremely important that you are clear that any user who is able to reach your application will now be able to access any part of it, and that there will be no restrictions based on the fact that the user is authenticated/known to the application, is a specific user, or is in a specific role.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<authentication mode="None" />
</system.web>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None" />
</appSettings>
</configuration>
This replaces the whole of the contents of your Web.config file you have provided above, but you must be clear that this removes all authentication from your application (which appears to be what you want).

Allowing anonymous access to default page

My ASP.NET Forms 4.0 site is running with forms authentication. By default unauthorized users are denied, and then I allow access to certain pages.
I have a problem allowing access to the default URL: http://example.com. I have this entry in web.config that defines the default page:
<defaultDocument>
<files>
<clear/>
<add value="default.aspx" />
</files>
</defaultDocument>
and I have this location override:
<location path="default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
It works OK when I go to the full URL, http://example.com/default.aspx, but it redirects to the login page if I go to http://example.com.
Any ideas what I am doing wrong?
I just found answer in a response (by Dmitry) to a similar question here in SO: Forms Authentication Ignoring Default Document:
In Global.asax, method: Application_BeginRequest, place the following:
if (Request.AppRelativeCurrentExecutionFilePath == "~/")
HttpContext.Current.RewritePath("default.aspx");
Worked like a charm!
I've just figured out how to solve this without having to fudge a redirection.
It just happened to me after converting from .Net 2 to .Net 4 and I've never found my solution anywhere on the internet, so here goes.
If, like me, your login page is also your default page, you need to make sure you do the following two things in the web.config file.
Add this to exempt default.aspx from authentication (didn't need this in .Net 2)
<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
And change the login url from this
<forms name="myform" loginUrl="~/default.aspx" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
to this
<forms name="myform" loginUrl="~/" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />
and you should find it all works now; I just tried it out on two different sites and it did the trick for me.
I didn't like making a code change for this issue, especially because my site was working fine on my Windows Server 2008 R2 machine, but not on my Windows 7 SP1 development machine.
It turns out that the root cause of this issue is an update in Service Pack 1 for Windows 7:
http://support.microsoft.com/kb/2526854
The solution appears to be to disable the new "ExtensionlessUrl" feature that was added in SP1:
<system.webServer>
<handlers>
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrl-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
Obviously if you're using the ExtensionlessUrl feature this won't work for you, but I've documented it here for those migrating a legacy site and are wondering what has suddenly gone wrong.
This works for me in a test web app:
<location path="">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Default.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
Now I can't get to either "/" or "/Default.aspx" - give that a try (but use allow instead).

RunTime Error - Server Error in '/cart' Application

I am running a shopping cart application in ASP.NET. I am running my application in IIS. I am getting the following error while running.
Server Error in '/cart' Application.
Configuration Error Description: An error occurred during the
processing of a configuration file required to service this request.
Please review the specific error details below and modify your
configuration file appropriately.
Parser Error Message: It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level. This
error can be caused by a virtual directory not being configured as an
application in IIS.
Source Error:
Line 32: --> Line
33: Line 34: Line 35:
Source File: D:\ecomm_3_1_LITE\wwwroot\web.config Line: 34
-------------------------------------------------------------------------------- Version Information: Microsoft .NET Framework Version:2.0.50727.42;
ASP.NET Version:2.0.50727.42
Following is my web.config file
Asp.Net Configuration option in Visual Studio.
A full list of settings and comments can be found in
machine.config.comments usually located in
\Windows\Microsoft.Net\Framework\v2.x\Config
-->
<!-- SQL SP & TABLES PREFIX -->
<add key="SQLprefix" value="gaspprod_"/>
</appSettings>
<connectionStrings>
<add name="ConnStr" connectionString="Data Source=GRAPHIX\SQLEXPRESS;Initial Catalog=GlitzCart;Integrated Security=True " providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<globalization uiCulture="en" culture="en-US"/>
<!--<globalization uiCulture="hr" culture="hr-HR"/>-->
<authentication mode="Forms">
<forms name="guru_aspnet_cart"
protection="All"
timeout="30"
path="/"
loginUrl="AdminLogin.aspx"></forms>
</authentication>
<pages maintainScrollPositionOnPostBack="false"
buffer="true"
validateRequest="false"
compilationMode="Auto"></pages>
<customErrors mode="Off"
defaultRedirect="error.html"></customErrors>
<compilation debug="true">
</compilation>
<!--<trace enabled="true" pageOutput="true"/>-->
</system.web>
<!--disable access to Admin directory for everyone, except for the administrators -->
<location path="admin" allowOverride="false">
<system.web>
<authorization>
<allow users="admin, admin2, malik "/> <!--ADMINISTRATORS USERNAMES, SEPARATED BY ", " -->
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Admin/Modules directory -->
<location path="admin/modules" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Modules directory -->
<location path="modules" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--disable access to Modules directory -->
<location path="SQLbackup" allowOverride="false">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
What change do I have to make to get my application running? Can anybody help?
The error itself asks if you've enabled the virtual directory and set it as an application.
Is that the case? Your web.config is in the file root so I would say no.
Regardless, have you double checked you've enabled applications, enabled the correct version of ASP.NET and ensured ASP.NET is permitted to run.
If they are all ok then I would recommend you next take a vanilla ASP.NET website/web application (I prefer the latter) and deploy it to that folder. Don't write any code and double check it works.
If it doesn't then the default web.config doesn't work. It could be an error with your machine.config or something similar. Personally I'd reinstall and re-register .NET. A sledgehammer approach!
If it does work, then your web.config may be corrupt.
These are all guess-timates but I hope they help out!
