Using Windows Authentication with ASP.NET MVC - asp.net

I am sure this is a basic answer, but my search powers are not helping me today. I have an ASP.NET MVC 2 (.NET 3.5) application. It is hosted on IIS 6.
For the sake of this question I have two urls.
http://example.com/
http://example.com/admin
I want admin to be available to any user on the domain, and the root to be available to all users. The server is on the domain but the domain is example1.com, so they are not the same.
Since this is ASP.NET MVC there is no Admin folder to set rights on. I have tried setting the whole site to block anonymous requests and have had it allowing all requests. Then in the web.config I set it up to deny unauthenticated users in the admin folder and/or allow anonymous access to the root.
What I end up getting is a login prompt that doesn't work. I've tried the user name and example1\username but it always fails to login.
What am I missing?
==== Clarification/Answer ====
Pandincus gave a great code suggestion, adding [Authorize] to the class is a very clean way to make this work. However my problem ended up being the fact that I was doing all of this on the same box. I had a HOSTS entry for example.com on my box and was hitting it via the URL. When I put a HOSTS entry on my other box and hit the site it allowed me to log in without issue. My question was slightly incomplete as I should have mentioned this and the fact that http://localhost/ was working just fine.

Don't use the web.config to set access. That's how you would do it in asp.net web forms.
Configure your web.config to use windows authentication.
Use an [Authorize] attribute on any admin controller you have.
Any controllers without an [Authorize] attribute should be open to the public automatically. So, only put your attribute on the controllers you want to lock down.
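The pattern this answer describes, for the two URLs in the question, as an added example (not code from the answer or from the asker's application); the domain group EXAMPLE1\WebAdmins is a placeholder:

```csharp
// Added example. Requires <authentication mode="Windows" /> in web.config and
// Integrated Windows authentication enabled on the site in IIS; no <authorization>
// rules in web.config are needed because [Authorize] does the gating.
using System.Web.Mvc;

// http://example.com/ : no [Authorize], so anonymous users get through.
public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// http://example.com/admin : [Authorize] on the class covers every action.
// An unauthenticated request gets a 401; with Windows authentication the
// browser then negotiates (or prompts for) domain credentials, and any account
// the domain controller accepts is let in.
[Authorize]
public class AdminController : Controller
{
    public ActionResult Index()
    {
        // Under Windows authentication User.Identity.Name is "EXAMPLE1\username",
        // which is worth recording when auditing admin actions.
        ViewData["User"] = User.Identity.Name;
        return View();
    }

    // Tighter than "any domain user": limit a sensitive action to a domain group.
    // The group name is a placeholder, not something from the question.
    [Authorize(Roles = @"EXAMPLE1\WebAdmins")]
    public ActionResult Purge()
    {
        return RedirectToAction("Index");
    }
}
```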

Related

webmatrix/razor: how to keep website anonymous but have windows authentication for gallery maintenance pages?

I'm using webmatrix, razor, c#. I've created a web site for friends, it's on godaddy. I've created web pages to upload or delete images for the gallery, they work ok on webmatrix on my laptop, but get an "access denied" error with godaddy, understandably since I'm an anonymous user.
Godaddy says it is doing windows authentication and the godaddy gui shows me the folders and the user accounts and their permissions.
Can anyone tell me please how to keep the rest of the web site anonymous but to do this with the web pages which amend the gallery:
1. some kind of authentication to get into
2. they also authenticate to godaddy so they have permissions to create/delete files in the relevant folders
I can't see how the WebSecurity class can help. I've read that by default it creates its own database of user accounts, so this could achieve 1, but not 2. I've also read that it can be configured to use windows authentication instead of its own database, but that to do this anonymous access must be disabled.
I'd be grateful for any help, I certainly am stuck. For anyone kind enough to reply, please bear in mind I'm not a web developer, I'm a server admin!
I'm not sure if you're attempting to allow the end users to go to their galleries using GoDaddy AND through the website. That sounds like a difficult security challenge.
One approach is to only allow the web application to have access to all the files and folders on the server. Then you can forget about Windows authentication. Have the users authenticate using the WebSecurity classes and pages.
_PageStart.cshtml is a file whose code runs every time a page is opened by a user. In there you can put code which controls who has access including anonymous activity. For example, users are always allowed to go to the account pages in the account folder, because that's where they sign in. So they are still anonymous before signing in. The code is simple:
@{
    // You're always allowed to go to the login pages
    if (Request.RawUrl.StartsWith("/Account"))
    {
        return;
    }
}
If the code returns from here and doesn't take any other action, the page will open normally.
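A complete _PageStart.cshtml built on the idea above, as an added example (not the answer's own code); it assumes the upload/delete pages live under /Gallery/Admin and that WebSecurity has already been initialised in _AppStart.cshtml:

```csharp
@{
    // Added example, not from the original answer. Razor file _PageStart.cshtml;
    // WebSecurity comes from WebMatrix.WebData, which WebMatrix sites reference by default.

    // Login and registration pages under /Account must stay reachable anonymously,
    // otherwise nobody could ever sign in.
    if (Request.RawUrl.StartsWith("/Account", StringComparison.OrdinalIgnoreCase))
    {
        return;
    }

    // Only the pages that change the gallery need a signed-in user; the rest of the
    // site stays anonymous. The /Gallery/Admin path is an assumption for this example.
    if (Request.RawUrl.StartsWith("/Gallery/Admin", StringComparison.OrdinalIgnoreCase))
    {
        if (!WebSecurity.IsAuthenticated)
        {
            // Send the visitor to the login page and bring them back afterwards.
            // Response.Redirect ends the request, so the protected page never runs.
            Response.Redirect("~/Account/Login?ReturnUrl=" + Server.UrlEncode(Request.RawUrl));
        }
    }
}
```

Because the site itself holds the file-system permissions on the gallery folders, the signed-in check is what separates visitors from maintainers; Windows authentication is not involved.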

Avoid Windows Authentication popup for default page

We have a site that uses Windows Authentication to allow access to the webpages. Most if not all pages are written in classic asp. I recently added a "public" homepage written in asp.net so that users can change their password if they forget it. I tried setting up the homepage as the default in IIS 6, and set all the associated files with that homepage to allow anonymous access.
Problem is, we still get the popup for Windows Authentication. If you type in directly: http://www.website.com/default.aspx the page pulls up no problem. But when you try to navigate to simply http://www.website.com, we keep getting the windows authentication prompt.
I tried removing the global.asa file and an unused global.asax file thinking it was hitting one of these first, but that didn't work. Here are the files that allow anonymous access:
default.aspx
/Homepage -- directory with all code files and other public webpages
web.config
/bin -- folder containing the code generated by VS 2010
I feel like something that doesn't allow anonymous access is getting accessed first, but can't figure out what it is. Any ideas?
I imagine you have two applications under your Default Website in IIS Manager (IIS 6.0?). One is your classic asp application, with anonymous authentication, and it uses an application pool with "No Managed Code". The other is your ASP.NET application, with windows authentication, which uses an application pool set up for .NET 4.0, or something.
Make sure the Default Website is set for anonymous authentication. Those settings get inherited.

ASP.NET site with Anonymous authentication

I have an asp.net 3.5 web site with an asmx web service and a test aspx page (the page tests the web service using javascript).
I need to run this site with anonymous authentication, so I setup the site in IIS as such.
Now, if I try to open the test page in the browser, I get a 401.3 Unauthorized error.
Any ideas what I should do to fix it? Do I have to give read access for the physical file to Anonymous Login?
Also, what version of IIS are you using? Also, if you are using the IIS mgr and you check anonymous authentication, you need to give it a valid username and password; have you done this?
A 403 can mean several things. It can mean you don't have authentication correctly configured, or it can mean that the ASP.NET worker process does not have rights to access the pages (the security is set to only allow you to access them, for instance). There are other scenarios as well, but these are the two most common.

IIS 7.5 and asp.net; how to secure the login page

I would like to apply a basic 2nd level of security by adding some form of web folder password protection, so that we only allow users with the global username and password to be able to access the logon page, where we are using forms based authentication.
I am not sure whether this is done from the IIS Manager (Windows 7) or by editing a web.config file?
If you google for "Forms Authentication IIS", the first item returned is this:
http://msdn.microsoft.com/en-us/library/ff647070.aspx
This does a good cover of the issue.
If you need to apply that to a particular folder, use location and authorization in web.config as below:
http://msdn.microsoft.com/en-us/library/b6x6shw7(v=vs.100).aspx
I have been in the same situation. Given that you can't enable forms authentication and basic/windows authentication at the same time in IIS we ended up using Helicon Ape and .htaccess files for the digest based authentication and configured the web app itself to use forms authentication. It works well so far. We needed this because of client requirements. I wouldn't really recommend this in practice. It's fairly annoying for users having to log in twice.

Can we create an application with its own Web.config and Forms Authentication section inside another application using Forms Authentication?

I have an application that uses Forms Authentication to authenticate one type of user. There is a section in this application that needs to be authenticated for another type of user using a different table in the database. The problem happens when the second type of user's session times out: she is taken to the login page defined in the Forms Authentication section of the main Web.Config instead of the login page for the second type of user. I am looking for solutions to this problem. One idea is to create an application in IIS for the section and create a Web.Config for the folder and add another Forms Authentication section. In my experiments, it seems this doesn't work. Am I missing something obvious? Any insights?
IIRC, the authentication works per folder. So you should be able to do it if all of the pages that require the 2nd type of authentication live in a specific sub-folder with its own config.
Not 100% sure on this, though, so if someone more knowledgeable can contradict me I'll just delete the response.
You may need to double check me on the syntax, but the top level web.config can have any number of <location>...</location> tags.
Inside you can specify separate config parameters for whatever folder/file you want. Look here for a reference.
EDIT: Apologies, I neglected to format the code properly
You cannot have an <authentication> section inside of a <location> tag, so you must have the subfolder set up as an IIS (and ASP.NET) application of its own. So, you should be able to run the subsection on its own.
I think 500.19 is the "can't read or parse web.config" error - does it have details? You may need to turn on remote errors (or check Event Viewer) to see them. If you're still having issues, post a snippet of web.config.
As an aside - I've never been a fan of nested apps, and would probably prefer having your normal Login.aspx page handle it either as a MemberOf or perhaps redirecting to a SpecialUserLogin.aspx or something. Nested apps are a PITA to setup and test, IME (for instance - I don't think you can even get it working under Cassini - though you can do 2 separate projects for it, and combine when you deploy).
Yes you can. The Web.config files have a tree-like inheriting architecture with override capabilities. Meaning you can modify the settings inside a sub-folder by placing a web.config file there and specifying different configuration settings.
The way I understand this problem, you have two solutions and the first is to look at Roles and the whole Provider Model would be a great place to start. Otherwise, the best bet would be to separate the application into two parts, breaking out the second user type area and then including it back into the main project via a Virtual Directory. Just remember that Virtual Directories inherit their permissions from the parent directory's web.config, so you will need to use the <Location> tags to remove authentication for the virtual directory and then within the virtual directory's web.config define your new forms authentication. This works well if you need Windows Authentication (NTLM) under Forms Authentication.