I have a folder that is restricted and only for logged in user. So I wrote these lines:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However there is a single file on which I do not want to put any restrictions. What settings should I configure in location tag?
Please don't tell me to move that particular file out of the folder because that is not possible because it is being referenced at many places and I don't want to get messed up.
Try adding the page you want no restrictions on, like this:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="ABC/SomeFile.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Related
I'm dealing with an issue for the last 3 hours.
I have to build a project with WebForms. I'm setting the authentication like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Account/Login.aspx" defaultUrl="Backend/Default.aspx"></forms>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
<compilation debug="true" targetFramework="4.6"/>
<httpRuntime targetFramework="4.6"/>
</system.web>
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Not only when executing the application, does not allow me to enter to Backend/Default.aspx (redirect the site to Account/Login.aspx, but neither allow to access to the login page. I'm getting a not authorized error.
Can anyone tell what I am missing?
Edit:
I have 2 files:
Backend/Default.aspx
Account/Login.aspx I want to be allowed to enter Default.aspx without authentication. But not only doesn't allow me, don't allow me Account/Login.aspx neither.
If I change
<location path="Account/Login.aspx">
To
<location path="Account">
It works. But I only need one file on this folder to be allowed and not the entire folder.
Please tell me if I can give more useful information
Your question is a little confusing so I'm not sure if this will work, but it might give the right approach.
You have
<authorization>
<deny users="?"/>
<allow users="*"/> <-- this allows everyone everywhere, overriding the previous line.
</authorization>
Remove the allow line, blocking everyone from everything
<authorization>
<deny users="?"/>
</authorization>
Then allow a specific folder
<location path="Backend/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Or, you can have 2 web.config files.
Start with this in the root of your site
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
Then add another web.config file in the Account/ directory that has
<!--Block everyone from everything in this directory-->
<authorization>
<deny users="?"/>
</authorization>
<!--But allow a specific file-->
<location path="Account/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Hth.
I have a folder "qc" which is only allowed for the role "warehouse".
In that folder i have a page that I want anyone to access without logging in.
Here's what I've done with web.config but it still redirects me to the login page:
<location path="QC/MyPage.aspx">
<system.web>
<authorization>
<allow users="?" />
<allow roles="*"/>
</authorization>
</system.web>
</location>
<location path="QC">
<system.web>
<authorization>
<deny users="?" />
<allow roles="warehouse" />
</authorization>
</system.web>
</location>
As aswered her you need to repeat it without the aspx extension.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
I have a test site on the web that I want to block all annoymous access to except logged in users. I also want to have annoymous access to just my login page (account/login)
I don't know how to exclude one path but even the below does not work, forgetting about the path.
<location path="">
<system.web>
<authorization>
<deny users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
Ideally, the following web.config setting should work. Make sure you update two Login.aspx with your login page.
It basically does not allow anonymous access except Login page.
<configuration>
<system.web>
...
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*" />
</authorization>
</system.web>
<location path="~/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Thanks for any help.
Edit
this has been altered from the initial question, as no answers had been posted, and the problem evolved in more detail
I am trying to complete an asp.net 4.0 web application. I am struggling to manage folder based authorization.
a sample of the XML from the web.config:
<location path="~/drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/wardAdmin">
<system.web>
<authorization>
<allow roles="wardAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/websiteAdmin">
<system.web>
<authorization>
<allow roles="websiteAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="~/personalAccount">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
The authorization works beautifully when the web application is started via visual studio.
when I publish to a local directory on my machine with the same web.config file, the authorization allows anonymous users into the wardAdmin and personalAccount folders ONLY (ie works appropriately for the other folders).
Has anyone come accross a similar problem and know a solution? thanks
replacing the tildes fixed the problem
<location path="drugAdmin">
<system.web>
<authorization>
<allow roles="drugAdmin" />
<deny users="*" />
</authorization>
</system.web>
</location>
I have the following site structure:
What I'd expect this to do was to deny anyone who isn't a logged-in user with the RegisteredUser role, except on Reset.aspx and Validation.aspx, where it would allow anyone (logged-in or not) to access, but this isn't the case right now.
Everyone who isn't a RegisteredUser isn't able to access these two pages, what am I doing wrong?
Update Even this won't work:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
It doesn't make any sense, isn't this supposed to be the system default?
You do not need to map paths, only file names:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
<deny />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="RegisteredUser" />
<deny users="*" />
</authorization>
</system.web>
</configuration>