Master Page display goes with Authorization - asp.net

I am using the authorization section in web.config:
<authorization>
  <allow roles="Administrator,Attorney,Director of Operations,Office Manager,Paralegal,Partner,Processor,Salary Admin,Unit Manager"/>
  <deny users="*"/>
</authorization>
With this code in place, my master page CSS, as well as my images go away, and when I remove this from the web.config it displays properly. Any idea why it is showing that way? Your help will be appreciated.

This authorization section also applies to your CSS files and images. You need to use the location element to give anonymous access back to these files. Here's a knowledge base article about this. Your web.config should look something like this:
<configuration>
  <system.web>
    <!-- This is your section from your question -->
    <authorization>
      <allow roles="Administrator,Attorney,Director of Operations,Office Manager,Paralegal,Partner,Processor,Salary Admin,Unit Manager"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <!-- Now give everyone access to your "images" folders -->
  <location path="Images">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>

Related

secured pages in asp.net c#

The config I have:
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="Forms">
      <forms name="loginpage" loginUrl="login_to_secure3700.aspx" />
    </authentication>
  </system.web>
  <location path="securedpages/bob.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
This way the page bob.aspx will only be accessible when the username and password were entered ok.
BUT, this works only for page bob.aspx. How can I make this work for e.g. 50 pages, all with different logins and passwords?
There are two options:
Secure each page with deny all users and only allow bob on bob.aspx and helen on helen.aspx. Given the answers above you will manage that for sure, but it is cumbersome: for every new user you need to change your config.
I think the better way is to create one page (user.aspx), take the user that is logged in, and personalize that single page for this user. This is a lot easier to maintain and you will have all the code on one page.
If you want to keep the personalized approach in the pagename (bob.aspx) you can have a look into URL rewriting.
You could add multiple paths like this:
<location path="securedpages/bob.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
<location path="securedpages/bob2.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Or, more simply, just add the directory of the secured pages:
<location path="securedpages">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
You can put all 50 pages in one folder and then add one web.config for them in this folder that contains:
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
It does not matter if they have different logins and password.

How do you protect a page using a web.config file?

Hey Stackoverflowers
My question is: how do I protect a page using web.config or Global.asax?
Example:
The direct URL www.Yoururlhere.com/Account/Edit.aspx is currently accessible from the URL bar, but that is not what I want. I have a login page already with database etc. working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as following:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <location path="Edit.aspx"/>
  </system.web>
  <system.web>
    <authorization>
      <allow users="*"/>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
You are writing in the wrong way. It should be like...
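<configuration>
  <location path="Account/Edit.aspx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the deny for anonymous users ("?") must precede the allow -->
        <deny users="?" />
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>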

Membership implementation in ASP.NET

I want to do the following
I have some pages on my website that can be viewed only by registered users with certain roles.
I'm using the ASP.NET membership for creating the users and roles.
How to redirect users to login page if they try to access a certain page without logging in.
I tried the asp configuration page. But it allows me to allow/deny permissions only at the folder level. How do I implement the same at page level with minimal effort?
Hello Friends, thank you so much for the quick responses. They were really helpful. Can you also suggest me where to look for explanation on different tags available under this security tag with some examples and explanations. Tried googling.. not much use.
You can use location attribute in config file, like:
<location path="somefile.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
or you can use this code in page_load function:
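// FormsAuthentication lives in System.Web.Security
if (!Page.User.Identity.IsAuthenticated)
{
    // Send unauthenticated requests to the configured loginUrl
    FormsAuthentication.RedirectToLoginPage();
    return;
}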
Specifying Login Page:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Index.aspx" timeout="2880" />
  </authentication>
</system.web>
You ought to be able to do something like this (obviously change authorization section to your needs):
<location path="MyPage.aspx" allowOverride="true">
  <system.web>
    <authorization>
      <allow roles="Registered User"/>
      <deny users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Configure your web.config, you can apply allow/deny rules at page level as such:
<?xml version="1.0"?>
<configuration>
  <location path="SecuredPage.aspx">
    <system.web>
      <authorization>
        <allow roles="SuperUsers" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

How to use ASP.NET Authorization Yet Permit Access to .css Files?

<authentication mode="Forms">
  <forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
  <deny users="?"/>
</authorization>
I am using forms authentication, and when I place the arguments cited above, the CSS formatting I have done for the whole document is not being implemented; it's vanishing. What should I be doing so that the CSS remains intact?
I assume that your login form has an external CSS file, and that you're using Cassini or IIS 7 integrated mode.
Your <deny users="?"/> is preventing anonymous users from seeing the login form's CSS files.
You need to use the <location> element to allow anonymous users to see the CSS files, like this:
<location path="CSS">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
Use the location element to allow access to your css:
<configuration>
  <location path="style.css">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
<location path="Images">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
Please add this code in the web.config file:
<globalization requestEncoding="utf-8" responseEncoding="utf-8" culture="en-GB"/>

ASP.NET location element override behavior

Assume I have the following in my web.config (most of the file omitted for brevity):
<configuration>
  <location path="somefolder/somepage.aspx">
    <system.web>
      <authorization>
        <allow roles="SomeRole" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
    <!--
    Lots of other settings.
    -->
  </system.web>
</configuration>
If I navigate to somefolder/somepage.aspx, whose access is limited to users in the SomeRole role (and I am a member of that role), what happens with the settings in the commented area? Do they still apply, even though they are outside the location element where the page is specified?
Yes, they still apply, provided that they aren't enclosed in <location> elements of their own.
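An added example, not part of any question or answer on this page: a small offline model of how ASP.NET URL authorization picks a rule, useful for checking what an `<allow users="*"/>` placed ahead of `<deny users="?"/>` (the order in the Account folder config from the question above) does to anonymous requests, and how `<location>` rules combine with the site-wide section. The sample config, the function names and the user `bob` are constructed for illustration; `verbs` attributes are ignored and role names are compared case-insensitively as simplifying assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not from the page's site): site-wide deny of
# anonymous users, an anonymous-readable CSS folder, and one protected page.
TEMPLATE = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="CSS">
    <system.web><authorization><allow users="?"/></authorization></system.web>
  </location>
  <location path="Account/Edit.aspx">
    <system.web><authorization>{rules}</authorization></system.web>
  </location>
</configuration>"""
ALLOW_FIRST = TEMPLATE.format(rules='<allow users="*"/><deny users="?"/>')
DENY_FIRST = TEMPLATE.format(rules='<deny users="?"/><allow users="*"/>')

def _csv(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _rules(node):
    return [(r.tag, _csv(r.get("users")), _csv(r.get("roles")))
            for r in node.findall("system.web/authorization/*")]

def effective_rules(config_xml, url_path):
    """Rules for url_path: most specific <location> first, then the site-wide
    section, then the machine-level default <allow users="*"/>."""
    root = ET.fromstring(config_xml)
    url = url_path.strip("/").lower()
    hits = []
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        if path and (url == path or url.startswith(path + "/")):
            hits.append((len(path), loc))
    hits.sort(key=lambda h: h[0], reverse=True)
    merged = [rule for _, loc in hits for rule in _rules(loc)]
    return merged + _rules(root) + [("allow", {"*"}, set())]

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins; user=None is an anonymous request."""
    mine = {r.lower() for r in roles}
    for action, users, rule_roles in effective_rules(config_xml, url_path):
        if ("*" in users or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or mine & rule_roles):
            return action == "allow"
    return False

if __name__ == "__main__":
    for name, cfg in (("allow-first", ALLOW_FIRST), ("deny-first", DENY_FIRST)):
        print(name, "anonymous ->", is_allowed(cfg, "Account/Edit.aspx"))
```

Running the same check against a real web.config for the login page and each static-content folder shows which paths anonymous users can reach before the site is deployed.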
