Disabling folder with pages in asp.net - asp.net

I have a simple question.
How do I disable a folder with aspx pages in asp.net?
The folder is "Administration" and I want to disable it so that it cannot be called in the browser by typing .../Administration/edit.aspx, or simply to redirect to a login page if we want to go to the administration part.

First enable forms based authentication. This can be done for VB and C#.
Next you have to specify who will have access to what. This can be done in the web.config.
Apologies if these articles are a little out of date.

Use a locations element and config settings to restrict access to folders.
<location path="Administration">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

Change the NTFS security permissions on the Administration folder at
<drive>:\inetpub\wwwroot\...\Administration
and restrict access that way.
You can also right-click the folder in IIS, go to Properties, and remove various granular browsing permissions.
You can also edit the web.config and change permissions there.

Related

how to prevent access to virtual directory without login to a website

I have a directory that contains some documents.
I would like to allow access to files in this directory only if the user has successfully logged in to a website.
The login users and passwords are managed by the ASP.NET Membership tables and stored in the DB.
If the directory were sitting inside the website it would be easy, since it is restricted by default,
but the physical path of the directory is not inside the website,
and I prefer to leave it that way, since this directory can be accessed from another website.
How can I solve this?
Thanks
You should add the runAllManagedModulesForAllRequests attribute to the modules tag in your web.config like so:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    ...
  </modules>
  ...
</system.webServer>
This will impose your dotnet security on all files like word documents and such. Then you can secure the folder using the location section in web.config like so:
<location path="SomeVirtualDirectory">
  <system.web>
    <authorization>
      <allow roles="admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
It's not possible to navigate outside of a website directory, as it is outside the scope of your website and in no way depends on the website credentials.
The file directory doesn't have to be a physical subdirectory of your site. If you add it as a virtual directory inside your application, you can just set authentication appropriately.
Alternatively you can just issue something like this:
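// Verbatim string literal (@"...") so the backslashes are not treated as escapes.
string filename = @"F:\SomeDirectory\Foo.txt";
// Stream the file to the client without buffering it in memory.
Response.TransmitFile(filename);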
Then you can just set authentication on this page, for example called DownloadFile.aspx.
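
The last answer hard-codes one file name. The sketch below is an added example, not code from the original post, and generalises it to a handler that serves any file from that directory once the user is logged in. The handler name DownloadFile.ashx and the query-string parameter "name" are assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Hypothetical DownloadFile.ashx: serves files from a directory outside the site root.
public class DownloadFile : IHttpHandler
{
    // Base directory from the answer above; the trailing separator keeps the
    // prefix check below from matching a sibling such as F:\SomeDirectoryOld.
    private static readonly string BaseDir = Path.GetFullPath(@"F:\SomeDirectory\");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Fail closed even if the <location> rule for this handler is missing.
        // With forms authentication a 401 becomes a redirect to the login page.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
            throw new HttpException(401, "Login required");

        // "name" is an assumed query-string parameter, e.g. ?name=Foo.txt
        string name = context.Request.QueryString["name"];

        // Accept a bare file name only: no separators, drive letters or wildcards.
        if (string.IsNullOrEmpty(name) ||
            name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            throw new HttpException(400, "Invalid file name");

        // Resolve the final path and confirm it is still inside BaseDir.
        string fullPath = Path.GetFullPath(Path.Combine(BaseDir, name));
        if (!fullPath.StartsWith(BaseDir, StringComparison.OrdinalIgnoreCase) ||
            !File.Exists(fullPath))
            throw new HttpException(404, "File not found");

        context.Response.ContentType = "application/octet-stream";
        context.Response.AddHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(fullPath) + "\"");
        context.Response.TransmitFile(fullPath);
    }
}
```

The application pool identity needs NTFS read access to the directory, and a location element for the handler path can still carry the role rules shown earlier in this thread.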

ASP.NET Roles and Membership

I am quite new to ASP.NET technologies
<configuration>
  <system.web>
    <authorization>
      <allow roles="Agency,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
I have the above web.config for a folder. There is a requirement to give an elevated privilege to some users in the Agency role to access a page called AddOrganisation.aspx.
To solve this, I think I can add the following markup to the web.config, but this will be static:
<location path="AddOrganization.aspx">
  <system.web>
    <authorization>
      <allow users="wale, etc, etc"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
How can I enable adding users programmatically instead of updating the web.config for each change?
I will be grateful for your responses. Thank you
You should not make changes to the web.config at runtime; this will restart your application every time you add a user. MSDN says this:
Configuration Changes Cause a Restart of the Application Domain
Changes to configuration settings in Web.config files indirectly cause
the application domain to restart. This behavior occurs by design. You
can optionally use the configSource attribute to reference external
configuration files that do not cause a restart when a change is made.
For more information, see configSource in General Attributes Inherited
by Section Elements.
Instead, you should give those users a different role, so that only those users can access the
"AddOrganisation.aspx" page.
Or else, if you don't want to create another role for these users, you can do another thing: keep adding these users to a table, and whenever a request is made to the page, check whether the user's name is present in the table and then allow or deny the user.
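
One way to implement the table lookup suggested in the answer above, as an added example that is not part of the original post. The PageAccess table, its columns and the "AppDb" connection string name are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

// Code-behind for AddOrganisation.aspx. The folder's web.config still limits
// the page to the Agency and Admin roles; this adds the per-user check.
public partial class AddOrganisation : Page
{
    // Run the check in OnInit so it precedes view state loading and any
    // postback event handlers on the page.
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Fail closed: anyone not listed in the table gets a 403.
        // Whether Admin users bypass the table is a policy choice; here they do not.
        if (!User.Identity.IsAuthenticated || !IsAllowed(User.Identity.Name))
            throw new HttpException(403, "Not authorised for this page");
    }

    // Assumed table: PageAccess(PageName nvarchar, UserName nvarchar).
    // "AppDb" is an assumed connection string name.
    private static bool IsAllowed(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM PageAccess " +
            "WHERE PageName = @page AND UserName = @user", conn))
        {
            // Parameters keep the user name out of the SQL text.
            cmd.Parameters.AddWithValue("@page", "AddOrganisation.aspx");
            cmd.Parameters.AddWithValue("@user", userName);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Rows added to or removed from the table take effect on the next request, with no edit to web.config and so no application restart.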

Protect Sub Folder using Web.config file?

I have one subfolder called MySubFolder in my web form project, and I want all the pages in that folder to be protected by forms authentication. So I searched Google for how to do it, and I got an XML snippet which I need to put in my main web.config file. The XML snippet is as follows:
<location path="MySubFolder">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
So I want to know: does it protect all files in my subfolder? Please let me know. Thanks
Yes, it protects all folder content, and sub-folders' content too (except when you allow access to a sub-folder manually). I.e. with your configuration and the following project structure
only authorized users will have access both to MySubFolder/Test.aspx and MySubFolder/MySubFolder2/Test2.aspx.

Need to show pages without logging in (asp.net)

I am using
<authentication mode="Forms">
  <forms loginUrl="login.aspx"
         name=".ASPXFORMSAUTH" />
</authentication>
Everything works fine, except that there are some pages like About Us, Contact Us, Privacy Policy etc. which should not need a login to view them.
In my case I need to log in to view all pages. I want these common pages to be viewable without having to log on.
I have tested my application on local IIS as well as on deployment server, but same problem occurs.
Please help!
Thanks for sharing your valuable time.
You need to create exceptions to your security policy:
<!-- files in the "Public" folder don't require authorization -->
<location path="Public">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Alternately, you can make page-specific exceptions:
<location path="AboutUs.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Apparently you want some pages to be available without logging in. The way to go about this is to set permissions on subdirectories instead of the website root, and put these pages in the web root (usually they are in the root).
If that's too much work, put your pages in a directory and allow anonymous users to access it.
There could be a large number of possible answers to such an open question. We will need more specifics to answer. Here are just a few places to look:
Have you checked your web.config file to see if anonymous authentication is off?
Have you checked the web.config to see if you are denying anonymous users access to your root directory?
Have you checked IIS to see if anonymous authentication is off?
Have you checked the pages' source code files to see if you are doing manual denial of service to anonymous users?

Cannot access CSS file from ASP.NET login page

I have just noticed a problem accessing a CSS file using forms authentication from an ASP.NET application.
Until I have logged in, then any styles I have set in my login page are not used, as IIS seems to be preventing the login page from accessing this file.
Is there an easy solution for this?
Place the css file in a publicly accessible folder. This will require a change in your web.config that will look something like this:
<location path="css">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Granted, this shouldn't be how you set up the permissions in the first place. The css folder ought always to be publicly accessible.
My CSS didn't display in the login page as well.
I noticed that Anonymous Access was using the IUSR account not the IIS_IUSRS account so I just added IUSR to the website folder and everything got back to normal.
