I have the following site structure:
What I'd expect this to do was to deny anyone who isn't a logged-in user with the RegisteredUser role, except on Reset.aspx and Validation.aspx, where it would allow anyone (logged-in or not) to access, but this isn't the case right now.
Everyone who isn't a RegisteredUser isn't able to access these two pages. What am I doing wrong?
Update: Even this won't work:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
It doesn't make any sense, isn't this supposed to be the system default?
You do not need to map paths, only file names:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
<deny />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="RegisteredUser" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Related
I have a folder "qc" which is only allowed for the role "warehouse".
In that folder I have a page that I want anyone to access without logging in.
Here's what I've done with web.config but it still redirects me to the login page:
<location path="QC/MyPage.aspx">
<system.web>
<authorization>
<allow users="?" />
<allow roles="*"/>
</authorization>
</system.web>
</location>
<location path="QC">
<system.web>
<authorization>
<deny users="?" />
<allow roles="warehouse" />
</authorization>
</system.web>
</location>
As answered here, you need to repeat it without the aspx extension.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have in my web.config
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Admin/Page1">
<system.web>
<authorization>
<allow roles="SubAdmin"/>
</authorization>
</system.web>
</location>
Would this properly block everyone except "Administrator" and "SubAdmin" roles from Admin/Page1?
Or do I have to add <allow roles="Administrator"/> <deny users="?"/> to the Admin/Page1 section?
You can use it this way:
<allow roles="Admin"/>
<allow roles="SubAdmin"/>
<deny users="*"/>
For future reference: http://msdn.microsoft.com/en-us/library/8d82143t%28VS.71%29.aspx
If possible, keep web.configs in each folder instead of keeping them in one web.config.
I'm not sure which role is more powerful - Administrator or SubAdmin. You need to keep the most powerful role inside the nested folder.
Inside Administrator only folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Inside SubAdmin and Administrator folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, SubAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
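How the rules in the Admin question above are evaluated, as an added example that is not from any of the posts: ASP.NET checks the most specific location first, stops at the first allow or deny that matches, and ends every chain with the built-in `<allow users="*"/>`. The Python model below is a simplification (verbs ignored); the names QUESTION, HARDENED and the sample users are made up for the illustration.

```python
# Added illustration: simplified model of ASP.NET URL authorization.
# Assumptions: HTTP verbs are ignored and paths are compared case-sensitively.
MACHINE_DEFAULT = [("allow", "users", "*")]  # built-in rule ending every chain

# Rules from the Admin question, keyed by <location path>.
QUESTION = {
    "Admin": [("allow", "roles", "Administrator"), ("deny", "users", "?")],
    "Admin/Page1": [("allow", "roles", "SubAdmin")],
}
# Same layout with every section closed by an explicit deny-all.
HARDENED = {
    "Admin": [("allow", "roles", "Administrator"), ("deny", "users", "*")],
    "Admin/Page1": [("allow", "roles", "Administrator, SubAdmin"),
                    ("deny", "users", "*")],
}

def merged_rules(config, path):
    """Most specific location first, then each parent, then the default."""
    parts = path.strip("/").split("/")
    rules = []
    for depth in range(len(parts), 0, -1):
        rules += config.get("/".join(parts[:depth]), [])
    return rules + MACHINE_DEFAULT

def matches(rule, user, roles):
    """user is None for an anonymous request; roles holds the user's roles."""
    _, kind, value = rule
    names = [n.strip() for n in value.split(",")]
    if kind == "roles":
        return any(r in names for r in roles)
    return "*" in names or ("?" in names and user is None) or user in names

def is_allowed(config, path, user=None, roles=()):
    """The first matching rule decides; later rules are never consulted."""
    for rule in merged_rules(config, path):
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return False  # not reached while MACHINE_DEFAULT is present

if __name__ == "__main__":
    cases = [("anonymous", None, ()), ("no-role user", "bob", ()),
             ("SubAdmin", "sue", ("SubAdmin",)),
             ("Administrator", "ann", ("Administrator",))]
    for label, config in (("question", QUESTION), ("hardened", HARDENED)):
        for who, user, roles in cases:
            print(label, who, is_allowed(config, "Admin/Page1", user, roles))
```

With the question's rules, a logged-in user holding neither role still reaches Admin/Page1, because nothing denies them before the default allow; the set closed with `<deny users="*"/>` refuses that user.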
I have a folder that is restricted and only for logged in user. So I wrote these lines:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However there is a single file on which I do not want to put any restrictions. What settings should I configure in location tag?
Please don't tell me to move that particular file out of the folder because that is not possible because it is being referenced at many places and I don't want to get messed up.
Try adding the page you want no restrictions on, like this:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="ABC/SomeFile.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Login.aspx, passwordrecovery.aspx, and register.aspx should be the only pages accessible for logged in users. I have the following in my webconfig:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I have the following in my configuration element of my webconfig:
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="register.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I get an Error: ASP.NET Ajax client-side framework failed to load. alert box when viewing any of the public pages. How do I allow access to the asp.net client-side framework (using the location tags?)?
Check the actual url that is requested. I think those will be the calls to Webresource.axd.
I checked Fiddler and added the following:
<location path="Telerik.Web.Ui.WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Ajax client side framework now loads - error message is gone. For those not using the Telerik controls - I'm sure you can use something similar to:
<location path="WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I agree with Greg, put all your public resources in the root and place any protected items in a subfolder.
Ex:
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="subfolderName">
<system.web>
<authorization>
<allow roles="myRole" />
<deny users="*" />
<!-- deny unknown users -->
<deny users="?" />
</authorization>
</system.web>
</location>
In my ASP.NET's Web Config file I have the following location elements defined:
<location path="">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="dir1">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="dir2">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
The example above is specifying that all directories will be locked down to anonymous users except the two directories dir1 and dir2.
I'm curious if there is a syntax that I can use that will allow me to define more than one directory within one location element. For example, it would be convenient if we could do something like this...
<location path="dir1,dir2,etc">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
You cannot specify multiple elements in the path attribute, but you can make use of the configSource attribute.
For example, the following original web.config file:
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Can be replaced by the following equivalent web.config, allow.config, and deny.config files:
web.config
<?xml version="1.0"?>
<configuration>
<location path="form1.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form2.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form3.aspx">
<system.web>
<authorization configSource="allow.config" />
</system.web>
</location>
<location path="form4.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form5.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
<location path="form6.aspx">
<system.web>
<authorization configSource="deny.config" />
</system.web>
</location>
</configuration>
allow.config
<?xml version="1.0"?>
<authorization>
<allow users="*"/>
</authorization>
deny.config
<?xml version="1.0"?>
<authorization>
<deny users="*"/>
</authorization>
The usefulness of this approach increases as the number of allow/deny rules in each section increases.
Sorry, but the path property doesn't allow the use of ",",
so you must write a tag for each path,
or you can create a web.config in each directory.
It is possible to set path to a specific folder.
For example we have some aspx pages:
/data/pages/form1.aspx
/data/pages/form2.aspx
/data/pages/form3.aspx
By creating this rule in web.config:
<location path="data/pages">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Frame-Options" />
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
</system.webServer>
</location>
All resources in data/pages will be affected.
I had a similar issue, so I went with the normal way of creating separate tags; there is no other BETTER solution.