I have to password protect a directory on a Windows server. The page is supposed to show a list of files located in that directory. I don't have any previous knowledge (only worked with Apache before) so I've tried hacking something together by googling. (For someone who knows what they're doing I'm sure this will look ridiculous)
What I have right now is I get a login-popup but no password is working. We have a table in our SQL database for adminusers so either fetching user-login from there or having the login embedded in the config file is fine. All I need is the folder to be password-protected.
This is what I have right now in my web.config file that is located in the folder that is supposed to be password-protected.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<credentials passwordFormat="Clear">
<user name="test" password="test" />
</credentials>
</authentication>
<authorization>
<allow users="test" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<directoryBrowse enabled="true" />
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</configuration>
Hopefully this is a simple problem and thanks in advance for any help! :)
Try this:
<configuration>
<system.web>
<authentication mode="Forms">
<credentials passwordFormat="Clear">
<user name="test" password="test" />
</credentials>
</authentication>
<authorization>
<allow users="test" />
<deny users="*" />
</authorization>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<directoryBrowse enabled="true" />
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<basicAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</configuration>
You can encrypt the user information using something like this:
aspnet_regiis.exe -pef "sectionName" C:\Path\To\Your\Application
Related
In my web.config in application is:
<authentication mode="Forms">
<forms loginUrl="app/Login.aspx" name=".ASPXFORMSAUTH" protection="All" slidingExpiration="true" timeout="10"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
In web.config in app folder is:
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<directoryBrowse enabled="false"/>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
<handlers accessPolicy="Read, Script, Execute"/>
<staticContent enableDocFooter="false">
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:00"/>
</staticContent>
<asp enableParentPaths="false" scriptLanguage="VBScript" bufferingOn="true">
<limits scriptTimeout="00:01:30"/>
<session allowSessionState="true" timeout="00:20:00"/>
</asp>
<security>
<authentication>
<anonymousAuthentication enabled="true" password="" userName="IUSR"/>
<basicAuthentication enabled="false" realm="" defaultLogonDomain=""/>
<windowsAuthentication enabled="false"/>
<digestAuthentication enabled="false" realm=""/>
</authentication>
</security>
<httpLogging dontLog="true"/>
</system.webServer>
</configuration>
This working, but I want to give access to my_public folder for anonymous users.
In my_public folder is site about.aspx.
In web.config in my_public folder is:
<configuration>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<directoryBrowse enabled="false"/>
<defaultDocument enabled="true">
<files>
<clear/>
<add value="Default.aspx"/>
</files>
</defaultDocument>
<handlers accessPolicy="Read, Script, Execute"/>
<staticContent enableDocFooter="false">
<clientCache cacheControlMode="UseMaxAge" cacheControlMaxAge="00:00:00"/>
</staticContent>
<asp enableParentPaths="false" scriptLanguage="VBScript" bufferingOn="true">
<limits scriptTimeout="00:01:30"/>
<session allowSessionState="true" timeout="00:20:00"/>
</asp>
<security>
<authentication>
<anonymousAuthentication enabled="true" password="" userName="IUSR"/>
<basicAuthentication enabled="false" realm="" defaultLogonDomain=""/>
<windowsAuthentication enabled="false"/>
<digestAuthentication enabled="false" realm=""/>
</authentication>
</security>
</system.webServer>
<system.web>
<authorization>
<allow roles="*"/>
</authorization>
</system.web>
</configuration>
When user go to my_public/about.aspx always is redirect to app/login.aspx.
User should redirect to my_public/about.aspx when is annonymus.
Change the authorization section on the public web.config to
<authorization>
<allow users="?"/>
</authorization>
This will allow anonymous access.
I have multiple aspx pages in my web site but i want to secure only one page.I used the asp.net membership and role manager but it require user name and password for all pages but i want to secure only a single page.please any one can help me how can i do this in vb.net with asp.net .I have used the following code in web.config but it applies on all pages which i dnt want
<authorization>
<allow users="sml" />
<deny users="?" />
<deny roles="users" />
</authorization>
<roleManager enabled="true" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="9820" defaultUrl="Food.aspx" cookieless="AutoDetect" >
</forms >
</authentication >
<location path="ProtectedPage.aspx">
<system.web>
<authorization>
<allow roles="sml" />
<deny users="*" />
</authorization>
</system.web>
</location>
you can use URL Authorization for that
<location path="page.aspx" />
<authorization>
<allow users="Bob" />
<deny users="*" />
</authorization>
</location>
check http://msdn.microsoft.com/en-us/library/ff649337.aspx
Try to modify your web.config. as mentioned below.
<secureWebPages>
<files>
<add path="Default.aspx" secure="Insecure" />
<add path="Admin/MoreAdminStuff.aspx" secure="Ignore" />
<add path="Legal/Copyright.aspx" secure="Ignore" />
<add path="Lib/PopupCalendar.aspx" secure="Ignore" />
</files>
<directories>
<add path="/" recurse="False" />
<add path="Admin" />
<add path="Admin/Info" secure="Insecure" />
<add path="Members/Secure" recurse="True" />
</directories>
Refer http://www.codeproject.com/Articles/7206/Switching-Between-HTTP-and-HTTPS-Automatically-Ver for more details.
Here's my problem...
I have a website running in II7 integrated pipeline mode and I want to enable forms auth on the entire website apart from the '/secure/' directory which contains the login form.
My web config currently looks something like this...
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<customErrors mode="Off"/>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="secure/login.aspx" protection="All" path="/" timeout="999999" slidingExpiration="true" enableCrossAppRedirects="true">
<credentials passwordFormat="Clear">
<user name="user1" password="xxxxxx"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="user1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="secure">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.webServer>
<!--Enabling Forms Authentication for the Entire Application-->
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
</configuration>
When I visit the website URL I just get an endless loop of redirects. I've tried putting the location specific auth rules above the system.web section but this had no effect.
Any ideas?
Cheers,
Robin
Access permissions are hierarchical. That is if you are forbidden to access some parent, you are forbidden to access all of its children, no matter what permissions are set to children.
You can move login form to the root directory and set permissions for the form - it will work.
I'm probably missing something easy here, but I've never done this before, so I thought I'd ask the Stackers.
I've implemented Windows Authentication on my ASP.NET app (IIS 7.5). I have rules for both the application (system.web) and IIS (system.webServer) that deny anonymous users, deny built in admins, and allow members of "Demolitions Repayment".
The trouble is, I am a built in admin AND in "Demolitions Repayment", but I'm locked out. Is it a matter of precedence?
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" defaultRedirect="~/errors/Unknown.htm" />
<authentication mode="Windows" />
<authorization>
<deny users="?" />
<deny roles="BUILTIN\Administrators" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
<add accessType="Deny" roles="BUILTIN\Administrators" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>
Try denying all users (authenticated and not authenticated) and then grant only a certain role:
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?,*" />
<allow roles="gc\Demolitions Repayment" />
</authorization>
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?,*" />
<add accessType="Allow" roles="gc\Demolitions Repayment" />
</authorization>
</security>
</system.webServer>
I'm working on a ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.
I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.
Here are the relevant bits of my current configuration:
<configuration>
...
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
...
</system.web>
<system.webServer>
<security>
<authorization>
<add accessType="Deny" users="?" />
</authorization>
</security>
...
</system.webServer>
<location path="admin">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs=""/>
<add accessType="Allow" roles="SysAdmins,AppAdmins" />
</authorization>
</security>
</system.webServer>
<system.web>
<authorization>
<deny users="*"/>
<allow roles="SysAdmins,AppAdmins"/>
</authorization>
</system.web>
</location>
</configuration>
I believe this configuration currently blocks everyone. I've done similar configurations that block no one.
I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.
UPDATE
Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unpriviledged eyes. So I'm still looking for help.
Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:
Added <deny users="?" /> to the first authorization block
Switched the order of <allow> and <deny> in location-specific authorization block
Removed <system.webServer> location-specific authorization blocks
To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.
Please let me know if that works for you!
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="/client/security/login.aspx" timeout="480" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
<roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
<providers>
<clear />
<add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</providers>
</roleManager>
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow roles="SysAdmins,AppAdmins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="js">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>