Heey Stackoverflowers
My question is: how do I protect a Page using web.config or Global.asax?
Example:
Direct url www.Yoururlhere.com/Account/Edit.aspx is currently accesible from url bar, but that is not what I want. I have a login page already with database etc working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as following:
<?xml version="1.0"?>
<configuration>
<system.web>
<location path="Edit.aspx"/>
</system.web>
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You are writing in the wrong way. It should be like...
<configuration>
<location path="Account/Edit.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
Related
I'm probably missing something easy here, but I have an ASP.NET website that uses Identity and roles, and I'm trying to restrict access to a folder containing some MP4 videos so that anonymous users cannot see direct links to those videos.
I had this in my web.config for the folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
The asp:LoginView control works fine with this setup, but the videos return a 401 error.
I tried this as well with the same result:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
If I remove everything from the authorization tag, then it works so I know all the paths are right and something about the authorization setup is preventing it from serving that video.
I also tried calling out the Files directory individually like this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, this makes it so that I can access the video link even when not logged in (which is what I am trying to prevent).
If I try to do a role based setup for the Files subfolder like this (which I don't think should be any different from the first version) then I'm back to getting a 401 on the video, even when logged in:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Files">
<system.web>
<authorization>
<allow roles="Admin"/>
<allow roles="User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
What am I missing here?
I modified my answer. I think the following is what you are looking for:
How to prevent anonymous users from accessing a file using forms authentication?
How does one specify root location in web.config to allow unauthenticated users access it?
The root location is served by default.aspx, but users normally don't see default.aspx, they just see http://mysite.com/.
So I've added
<location path="~/default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Which works if user hits mysite.com/default.aspx, but if user hits mysite.com/ - he is still redirected to login page.
I've tried <location path="~"> (does not help) and also <location path="~/">, <location path=""> (site fails completely) and could not make it work.
Any ideas?
Try this one:
<system.web>
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/default.aspx" />
</urlMappings>
<authorization>
<allow roles="admin"/>
<deny users="*" />
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
only use
<location path=".">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
or don't write path,because the default path is root(.)
You can achieve by 2 method
Method 1:
You can set redirect path to http://mysite.com/default.aspx in IIS if any user directly comes to your site.in IIS7 you can do that by clicking on Default Document. Here i attached image for your reference
Method 2
You can go through this URL ASp.NET Membership to set your web config settings.
Let me know if you need more detail on this.
The way we done it in the past was to create a folder for all functionality that requires login and set require auth for that folder. All aspx go to that folder. The root of the site stays open.
You probably use a forms authentification no?
<authentication mode="Forms">
<forms loginUrl="~/Default.aspx" />
</authentication>
This will solve your problem. An alternative is:
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
If you only want to let unauthenticated users to access default.aspx you can use
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
before <system.web> and set that page as default in your web server.
In Visual Studio you can select the page and "Set As Start Page".
If you want to allow access to all the files in the root you have to create folders where you put your pages which need to be accessed by authenticated users.
You can create a Secure folder where you can put all your protected pages and change your web.config this way:
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
removing
<authorization>
<deny users="?"/>
</authorization>
To specify root directory you have to set it outside the location block.
<configuration>
<system.web>
<authorization>
<allow users=“*“/>
</authorization>
</system.web>
</configuration>
and then secure your other folder using location block
<location path=“AccessDenied.aspx“>
<system.web>
<authorization>
<deny users=“?“/>
</authorization>
</system.web>
</location>
Use this :
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It works for me.
Merk was right!
I used
<location path="">
<system.webServer>
<httpRedirect enabled="true" destination="http://www.newpathdestination.com" exactDestination="true" httpResponseStatus="Permanent" />
</system.webServer>
</location>
on Windows netserver (don't ask), making sure to put nothing in between the quotes for location path. Redirects a request for the old home page to the new home page.
If you want to specify the root of the directory, use <location path="" >
config I have :
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode ="Forms">
<forms name ="loginpage" loginUrl="login_to_secure3700.aspx" />
</authentication>
</system.web>
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This way the pag bob.aspx will only be accessible when the username and password were entered ok.
BUT , this works only for page bob.aspx, how can I make this work for eg 50 pages, but all with different logins and passwords. ?
There are two options:
Secure each page with deny all users and only allow bob on bob.aspx and helen to helen.aspx. Given the answers above you will manage that fore sure but it is cumbersume: for every new user you need to change your config.
I think the better way is to create one! page (user.aspx) and take the user that is logged in and personalize that single page for this user. This is a lot easier to maintain and you will have all the code on one page.
If you want to keep the personalized approach in the pagename (bob.aspx) you can have a look into URL rewriting.
You could add multiple paths like this:
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path ="securedpages/bob2.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Or more simple, just add the dir of the secured pages:
<location path ="securedpages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
you can put all the 50 pages in one folder and the add 1 web.config for them in this folder that contains
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
It does not matter if they have different logins and password.
All the users have to do the login before access to my site.
So i insert this code in web.config file:
<authentication mode="Forms">
<forms name="login" loginUrl="~/Login.aspx" defaultUrl="~/index.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
It works but the login page is rendered without images..
How can i do?
thanks
You need to modify the security on your image directory to allow unauthenticated users access. You can do that one of two ways:
1) You can add another Web.Config to the image directory that contains:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
2) Update the Web.Config in your root directory with a location-specific rule:
<location path="images/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Either change should fix the problem.
I started using dotless in my asp.net site which requires a special httphandler to work. The site uses Forms Authentication. Here's the problem: When I'm logged in the request to http://example.org/stylesheets/mystyles.less works fine. It gives me back the appropriate css. If I'm not logged in the request is denied and I'm redirected to the login page. Is there a way to allow this file to be accessed anonymously? This is not working:
<location path="~/stylesheets">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The problem is with the path syntax.
This does not work:
<location path="~/stylesheets">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
This DOES work:
<location path="stylesheets">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Not sure if this is the problem but you're missing a quote mark in your xml.
<location path="~/stylesheets">