Does web.config authorization work on files other than aspx? - asp.net

I have an ASP.NET application with forms authentication. It works well, but I have one directory with only .txt files (no aspx files) that I want users not to access (or only logged-in users).
I added web.config to this directory:
<system.web>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
EDIT:
This works only for .aspx files. It does not work for .txt files and similar. Users cannot browse this directory or its subdirectories; however, knowing a .txt file name, they can access it.
I tried IIS6 and IIS 7.5. On IIS6 .txt files are also restricted, but on IIS 7.5 they are not, so it may be an IIS configuration issue.

Your question depends on the web server you are using. ASP.NET authorization works only with file types that are handled by ASP.NET. If you have IIS 5 or 6, this is normally not true for .txt files or even for .jpg, .gif and pure .html files, but only for aspx, asmx etc.
No problem if you have IIS7 and integrated mode, because ASP.NET is integrated and will be called for every type of file. So if you have IIS5 or 6 you have to register the mime types so that the aspnet.isapi is called for .txt files as well.
UPDATE:
The configuration of
<deny users="*" />
locks out all users. It would work only in combination with allow, e.g.
<allow roles="administrators" />
<deny users="*" />
Like this, all users but administrators will be locked out. If a user is authenticated but not an administrator, he will be redirected to the login page.
The other option is to lock out anonymous users only:
<deny users="?" />

Add a location section to the web.config with appropriate settings: location Element (ASP.NET Settings Schema)

If you use IIS 7+, then you can use the system.webServer/security/authorization section (http://www.iis.net/ConfigReference/system.webServer/security/authorization), and have that automatically work for any kind of content in any pipeline mode.
If you still want to use the system.web section, then you will need to use Integrated Mode and make the changes that are mentioned in the modules to run for all content, but by far the simplest is to use system.webServer/security/authorization instead.
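As an added example (not from the original answers): a root web.config for an IIS 7+ application in integrated mode, showing the system.web rule from the question beside the system.webServer/security/authorization rule suggested above. The directory name docs and the login URL /Login.aspx are placeholders, and the modules block assumes the default IIS module list, where FormsAuthentication carries preCondition="managedHandler".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example. "docs" and "/Login.aspx" are placeholder names. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/Login.aspx" />
    </authentication>
  </system.web>

  <system.webServer>
    <modules>
      <!-- By default this module runs only for managed handlers, so a
           request for docs/notes.txt would always look anonymous.
           Re-adding it without the precondition lets the forms ticket
           be read for static files as well. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>

  <location path="docs">
    <!-- Weak on its own: this rule is enforced by ASP.NET's managed
         UrlAuthorizationModule, which by default runs only for
         requests mapped to a managed handler (.aspx, .asmx, ...).
         A .txt file served by the static file handler bypasses it. -->
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

    <!-- Corrected: the IIS URL authorization section is evaluated for
         every request under docs/, whatever handler serves it. -->
    <system.webServer>
      <security>
        <authorization>
          <add accessType="Deny" users="?" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

To verify after deployment, request a known .txt file under the directory once without a forms cookie and once with one, and confirm only the second request returns the file.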

Related

Prevent User to see the file system asp.net

How can I prevent a user from seeing the file system in asp.net? Do I need to change something in my IIS settings or in my web.config?
Thanks for help and fast answer
Let's start from the fact that for a remote user to be able to see a file, he must know its full path in the browser.
To prevent that, you disable directory browsing and/or you have a default.aspx page in each directory. When there is a default page, IIS shows that page.
Now the second security measure is to not let the asp.net application user that runs your site have access to any file beyond the site's running files.
The site is run under two accounts: one for IIS, and one for the Pool. Both of these accounts must have limited access, only to your site directory and only for read, and for write only on the files/directories that your application needs.
Additionally, you can use a web.config in some directories to prevent any aspx page from running, as:
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
but this does not prevent seeing files that do not pass through asp.net (like images).
Also you can read
How to find out which account my ASP.NET code is running under?

Prevent Anonymous Access to Content of the folder in .Net Framework 4.5

I have the following section in the web.config file of my ASP.NET 4.5 project.
I've added a couple of .doc files to that folder.
Whenever I run the project (either logged in or logged out) through VS 2012, it allows me direct access to the files inside that folder. I need to prevent anonymous users from accessing the files.
HTTP://localhost/Test/Test1.doc
But when the URL is HTTP://localhost/Test it redirects me to login page.
<location path="Test">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
I wonder how it was working before in .NET Framework 4 on VS 2010.
It prevents the anonymous users from accessing the content of the folder.
Did I miss any settings in my web.config file using .NET Framework 4.5?
The problem with this is that ASP.NET is not servicing the .doc files.
The web requests for those files are not being handled by .NET, so IIS allows the access directly.
This issue was answered by Joel on a similar thread: Here
Many Thanks to Joel!

ASP.Net Provide Access/Browse Rights only to the Authenticated User

On the root of my webservice application, I have a directory which contains some html and txt files. These files should be accessible only to the authenticated user. How can I achieve this?
This is the follow-up of my question: ASP.Net Directory Security
I implemented HttpHandler as suggested by Shark on that post. It allows html and txt files to handle but I can't show these files to the authenticated user too.
Update: I solved this issue by checking session on the handler. While hosting this on the server I faced another problem. i.e. my custom handler was not getting called. I got the cause and solution for that issue on: http://msdn.microsoft.com/en-us/library/bb515343.aspx
Cause:
By default, Internet Information Services (IIS) passes requests for
only certain file types to ASP.NET to service. Files with file-name
extensions such as .aspx, asmx, and .ashx are already mapped to the
ASP.NET ISAPI extension (Aspnet_isapi.dll).
Solution:
To have IIS pass other file-name extensions to ASP.NET, you must
register the extensions in IIS.
Whole Story: http://www.naveenbhat.in/2012/06/directory-security-on-webservice-with.html
If you are using ASP.Net Security (Forms/Windows authentication), you can simply control it by web.config settings. Like so:
<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
  </system.web>
  <location path="directoryPath">
    <system.web>
      <authorization>
        <!-- this will deny access to anonymous users -->
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>

ASP.NET cannot access non-aspx files without logging in (.js, .html etc)

I started a new solution with a website project and a logic project for all my class files.
I copied the web.config file I use for all my other projects and just changed the database name in the connection string. When I run this project to be debugged, it won't let me access any files until I login. This includes javascript files, html files, css files etc.
On all my other projects the only files which require a login by the user to access are .aspx files and .asmx files. The web.config security settings on all several of my projects are as follows:
<authentication mode="Forms">
  <forms loginUrl="/Default.aspx" name="ADMINAUTH2" cookieless="UseCookies"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
If I set test.htm as my start page, when I run the debugger the url heads straight to:
http://localhost:2154/Default.aspx?ReturnUrl=%2ftest.htm
In VS, in my solution explorer under the script documents that are being loaded, any javascript file is shown as: Default.aspx?ReturnUrl=/Functions.js etc, and css files are not applied.
I have tried creating a new web.config file and only adding my auth properties and connection string but to no avail.
I am utterly confused as this works on all my other projects, just not this latest one!
Have you tried deploying this project to IIS or are you just running it from Visual Studio?
Authentication rules specified in the web.config apply to all files which are processed by the ASP.NET ISAPI filter. By default in IIS this is only things like .aspx and .asmx, etc - as you expect. However, the Visual Studio web server processes everything through ASP.NET, so the authentication rules apply to all files.
On the flip-side, this information can be quite useful when you actually do want to secure static assets in production - do so simply by setting IIS to have ASP.NET process those file extensions.

Multiple/Different authentication settings in web.config

How would I go about setting different authentication tags for different parts of my web app? Say I have:
/
/folder1/
/folder2/
Would it be possible to specify different <authentication/> tags for each folder?
I want folder1 to use Windows authentication but folder2 use Forms authentication.
I tried doing it in a <location/> tag but it doesn't look like you can have <authentication/> tags inside <location/> tags, at least not via VS 2008 with its built-in webserver.
This errors out saying - Error 3 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
<location path="/folder1">
  <system.web>
    <authentication mode="Forms" />
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
You can only have <authentication /> in the top-level web.config. You may have to create multiple applications, i.e. you can create an application within an application and use different authentication modes in each one.
I think you can set the forms authentication authorization on folder1 to
<allow users="*" />
then control the windows access via setting windows permissions on the folder.
I haven't tried it, but I can't think of why that wouldn't work.
These settings are only valid at the root level of your ASP.Net application. To use different settings in a sub folder you will need to go into IIS and set that sub folder to be a new application.
Once you have done this, the folder will have a different icon in the IIS Manager. Inside your subfolder, create a new web.config file and add the new authentication settings there.
More information available at Creating Applications.
