ASP.NET web.config authorization settings ignored - asp.net

I was searching for a solution but can't find one. There are this one and this one, but I can't find an answer there. I'm developing an ASP.NET application on the ASP.NET development server. I have the following web.config in my root ASP.NET folder:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="4df5d465h"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
My image folder is alongside my main web.config in the root ASP.NET application folder.
Inside the image folder I put the following web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I added the roles attribute afterwards to see if it works.
I also wrote the main web.config this way:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="3D45C7D8B0B0C"
loginUrl="~/login.aspx"
protection="All"
timeout="30" path="/" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="~/image">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
But the login page can never load the images.
In design mode, inside the Visual Studio editor, the image loads in the login.aspx page, so the image tag must be OK.
What am I doing wrong? Thanks a lot.
#nico, thanks a lot for formatting my question. No, I'm not rewriting anything. It's the simplest, default ASP.NET application possible: the default ASP.NET application template with a link on Default.aspx and a simple login.aspx page. It's a test project; the login form works but the image doesn't load.
#Chris_Lively, yes, there is a web.config in the image folder; it's the web.config with <allow roles="*">. I checked: the folder is named image\ and the src of the image tag points to image\. It's driving me crazy.

Your config file contains an error: the 'roles' tag cannot use an asterisk. You should define a specific role name (allow element) or not use it at all.
You'll see the error message 'Parser Error Message: Authorization rule names cannot contain the '*' character' in Fiddler.
I think that was the reason for your problem.

Related

Deny static content for unauthorized users using web.config

In my ASP.NET MVC application I have tried to deny unauthorized users access to an HTML file inside a subfolder, but it is not working as expected. Below is the web.config section that is used right now.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="~/" defaultUrl="~/" slidingExpiration="true" timeout="60">
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="Docs/help/index.html">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
I think the global deny users will block all unauthorized access for all the pages; otherwise we should give specific permission. Please correct me if I am wrong.
But in my case even http://siteurl.com/Docs/help/index.html is still accessible to an unauthorized user.
IIS 7.5, .NET 4.5, MVC 4
Please help me resolve this issue.
MG
You have two ways to achieve it.
1st: <modules runAllManagedModulesForAllRequests="true" /> Meaning
Add <modules runAllManagedModulesForAllRequests="true" /> in your web.config
(IIS < v7)
2nd: Global.asax Events in IIS 6 and IIS 7 for Static Resources
Add a wildcard managed handler to serve each request (including static files, which are handled by IIS directly)
You can put a new Web.config in the folder that needs the permissions applied. Inside it do something like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Or you might need to wrap the <authorization> tag with a <security> tag.
If that doesn't work for you, try to do it via IIS Manager and see how it does it, then copy that.

Disable ASP.NET MVC web site for maintenance and display appropriate page

I want to add an enable/disable feature to an ASP.NET MVC website. To achieve this I just replace the web.config content with
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="maintenance.htm"></forms>
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
<location path="server">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
I have also put maintenance.htm into the website root.
But when I then try to navigate to the site, I don't see my maintenance.htm; instead I receive
status "Aborted" in Firebug, and Firefox displays a message:
This is for the production environment. Locally, the app just continues to process web.config as normal and displays a YSOD saying that it could not find some keys in web.config (it assumes that they exist).
I also tried just adding app_offline.htm as a simpler solution, but the result is the same.
What can cause such behavior?

ASP.NET web.config restrict access

So,
Not done anything in ASP.NET in a long time, I'm restricting a specific page if the user isn't logged in. I've done this a thousand times and have no idea why it's not working.
Root:
file: web.config.
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0"/>
<authentication mode="Forms">
<forms loginUrl="restricted.aspx"/>
</authentication>
</system.web>
</configuration>
In the folder containing restricted file:
file: web2.config
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Any ideas what I'm missing?
Cheers.

Login Page Design and Authorization

In my website, the Web.config is as follows:
<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add ..../>
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"></forms>
</authentication>
<authorization>
<allow users="admin" />
<deny users="?" />
</authorization>
</system.web>
I've tried to design the login page, but it seems like whatever I do it doesn't appear, and after looking for a solution I've found this:
"I guess I got it. Since you are denying other pages in web config unless user authenticated. Allow image folder also in web config file like you are allowing login page, similarly allow image folder, css, javascript folder etc. Image should show up in page. It should work."
The problem is I don't know how to allow these folders, can anyone help?
Referring to location Element (ASP.NET Settings Schema):
The location element specifies the resource that child configuration settings apply to and is also used to lock configuration settings, preventing the settings from being overridden by child configuration files.
The location element can enclose other elements, either to apply configuration settings to a specific resource or to lock the settings.
<configuration>
<location path="Images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
You can add exceptions to your web.config file:
<location path="foldername">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

Using authorization in ASP.NET, images not visible on page

I have implemented forms authentication using the below mentioned code. My login URL is "Login.aspx". With these settings my site images do not get loaded on login.aspx.
However, if I comment out the authorization section the images are displayed.
<authentication mode="Forms">
<forms name="TBHFORMAUTH" defaultUrl="~/User/Default.aspx" loginUrl ="~/Login.aspx" cookieless="AutoDetect" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Why this behaviour?
You can add a separate Web.config file to the Images folder that does not need user control. The Web.config file should only contain the following to give full access:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Another approach: if all pages that are limited by user control are located in a subfolder (i.e. Users), then you can give full access in the main Web.config and have a separate Web.config in the Users folder containing:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
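
How the rules in these answers are evaluated, as an added example that is not part of the original thread: a small Python model of ASP.NET URL authorization in which the first matching rule wins, the requested folder's web.config is read before the root's, and the machine-level default is `<allow users="*"/>`. The config strings are constructed from the snippets above; `rules`, `matches` and `decide` are hypothetical helper names, and the model assumes exact user-name matching and ignores `verbs` and `<location>` blocks.

```python
import xml.etree.ElementTree as ET

# Constructed configs modelled on the snippets in this thread.
WRAP = "<configuration><system.web><authorization>%s</authorization></system.web></configuration>"
ROOT = WRAP % '<deny users="?"/>'
IMAGES_OK = WRAP % '<allow users="*"/>'
IMAGES_BAD = WRAP % '<allow roles="*"/><allow users="*"/>'
LOGIN_DESIGN = WRAP % '<allow users="admin"/><deny users="?"/>'


def rules(config_xml):
    """Return [(action, users, roles)] from <authorization>, in document order."""
    out = []
    for el in ET.fromstring(config_xml).findall("system.web/authorization/*"):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        if any("*" in r for r in roles):
            # Same condition as the parser error quoted in the first answer.
            raise ValueError("Authorization rule names cannot contain the '*' character")
        out.append((el.tag, users, roles))
    return out


def matches(users, roles, user, user_roles):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    if "*" in users or ("?" in users and user is None):
        return True
    return (user is not None and user in users) or any(r in user_roles for r in roles)


def decide(configs, user=None, user_roles=()):
    """configs: web.config texts ordered from the requested folder up to the site root.
    The first matching rule wins; if none matches, the machine-level default
    <allow users="*"/> applies."""
    for cfg in configs:
        for action, users, roles in rules(cfg):
            if matches(users, roles, user, user_roles):
                return action
    return "allow"


if __name__ == "__main__":
    print("image, root config only, anonymous:", decide([ROOT]))
    print("image, folder allow + root, anonymous:", decide([IMAGES_OK, ROOT]))
    print("image, root config only, signed in:", decide([ROOT], user="alice"))
```

With only the root `<deny users="?"/>` in effect, an anonymous request for an image on the login page is denied, which is why the images disappear until the folder gets its own allow rule.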
