How to allow anonymous user to browse the Style folder - asp.net

In my web application I want the anonymous user to browse only the login page, and it's OK now but it appears without style!
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="Style">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Any help!

From this article:
Images and CSS files
Say you have all your images and CSS in a separate folder called images and you are denying anonymous access to your website. In that case you might see that on your login page you cannot see images (if any) and CSS (if any) applied to your login page controls.
In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in images folder should look as below:
<configuration>
<system.web>
<authorization>
<allow users="*"/> <!-- Allow everyone -->
</authorization>
</system.web>
</configuration>

The most popular answer of:
<configuration>
<system.web>
<authorization>
<allow users="*"/> <!-- Allow everyone -->
</authorization>
</system.web>
</configuration>
...is correct, but if this fails to work then you need to verify that the Authentication is set up as you expect and that the user under which Anonymous is configured to run has read access to all of the folders you need.
NOTE: If you have multiple web.configs you may need to check each folder with its own web.config.
Check the Web Application
Open the "IIS/Authentication" for your web application and click "edit" on the entry marked "Anonymous Authentication".
If a specific user is specified then ensure that the specified user has access to your folders.
If "Application pool identity" is set then you will need to check the application pool configuration.
Check the Application Pool
Find the Application Pool for your app and click on "Advanced Settings" and search for the item named "Identity".
If the identity is "ApplicationPoolIdentity" then the group you will need to give access to your files is "IIS_IUSRS".
For more information on "IIS_IUSRS" please see: http://learn.iis.net/page.aspx/140/understanding-built-in-user-and-group-accounts-in-iis/

use
<allow users="*" />
for styles folder, so every user can use the style.
using
<location path="admin">
<system.web>
<authorization>
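<!-- Rules are checked top to bottom: refuse anonymous ("?") first, then let everyone else through -->
<deny users="?" />
<allow users="*" />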
</authorization>
</system.web>
</location>
you can allow access to Admin folder for only authenticated users.

Related

Provide anonymous access to multiple dynamically uploaded images in location of web.config

How can I specify multiple images in one location 'uploaded' folder elements in web.config? I want to provide anonymous access to all users to one of the application pages with uploaded images; the images have some random unique name which gets decided at run time only. On top of that I am using Windows authentication for my application or rest of the pages. I cannot specify each and every image file name in web.config. Please suggest.
<location path="Dashboard.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="uploaded">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

asp.net (IIS 7.5) images/css give 500 error but work fine after login

I have a smart-card enabled website where in IIS, Anonymous Authentication is disabled, SSL is enabled.
The IIS root also has Anonymous Authentication disabled, but Active Directory Client Certificate Authentication enabled.
Static Content role service is also installed.
In the web.config, I have
<authorization>
<deny users="?"/>
</authorization>
Following that, I have
<location path="/css/main.css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In both the css and images folders, I also have web.config's consisting of:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I use an AppPool running with a custom identity, let's say APUser
On the web server for those folders, I have permissions set to read for APUser, IUSR, Anonymous Logon, Users, IIS_IUSRS, and Everyone.
The url is in trusted sites on the browser.
Initially, the images and css return error 500 (using network capture with dev tools). After logging in, they show fine.
Same issue running on the server itself.
If I enable Anonymous Authentication in IIS, disable Active Directory Client Certificate, and change deny users="?" to allow users="*", everything works fine.
What am I missing to disable Anonymous Authentication, but still show images/css?
web.config authorization settings work sequentially. That is, since you are denying unauthenticated users by using the following, it does not read any more of your config.
<authorization>
<deny users="?"/>
</authorization>
Read here.
Remarks: At run time, the authorization module iterates through the <allow> and <deny> tags until it finds the first access rule that fits a particular user. It then grants or denies access to a URL resource depending on whether the first access rule found is an <allow> or a <deny> rule. The default authorization rule in the Machine.config file is <allow users="*"/> so, by default, access is allowed unless configured otherwise.
Change it so that they come before your deny unauthenticated user part.
<location path="/css/main.css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
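The first-match evaluation described in the MSDN remark quoted above, as an added example that is not part of the original answers: a simplified Python model (not ASP.NET's own code) that evaluates one `<authorization>` rule list for a given user and reports rules that can never be reached. Assumptions: a single rule list with the default `<allow users="*"/>` as fallback, case-insensitive names, the `verbs` attribute ignored; all function names and sample fragments are hypothetical.

```python
import xml.etree.ElementTree as ET

def parse_rules(fragment):
    """Return (action, users, roles) tuples in document order."""
    rules = []
    for el in ET.fromstring(fragment):
        if el.tag in ("allow", "deny"):
            split = lambda attr: [v.strip().lower() for v in el.get(attr, "").split(",") if v.strip()]
            rules.append((el.tag, split("users"), split("roles")))
    return rules

def matches(rule, name, roles):
    """name=None models the anonymous user ("?"); "*" matches everyone."""
    _, users, rule_roles = rule
    for u in users:
        if u == "*" or (u == "?" and name is None) or (name is not None and u == name.lower()):
            return True
    return any(r in roles for r in rule_roles)

def is_allowed(rules, name=None, roles=()):
    """First matching rule wins; fall back to the default <allow users="*"/>."""
    roles = {r.lower() for r in roles}
    for rule in rules:
        if matches(rule, name, roles):
            return rule[0] == "allow"
    return True

def unreachable_rules(rules):
    """Rules listed after a users="*" rule can never be the first match."""
    for i, (_, users, _) in enumerate(rules):
        if "*" in users:
            return rules[i + 1:]
    return []

# Constructed sample inputs, modelled on the snippets discussed on this page.
DENY_FIRST = '<authorization><deny users="*"/><allow roles="Resellers"/></authorization>'
ALLOW_FIRST = '<authorization><allow roles="Resellers"/><deny users="*"/></authorization>'
LOGIN_ONLY = '<authorization><deny users="?"/><allow users="*"/></authorization>'

if __name__ == "__main__":
    for label, cfg in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        rules = parse_rules(cfg)
        print(label, "| reseller allowed:", is_allowed(rules, "alice", ["Resellers"]),
              "| anonymous allowed:", is_allowed(rules),
              "| dead rules:", unreachable_rules(rules))
```

Running `unreachable_rules` over each `<authorization>` block of a site's web.config files is a quick review check for role rules that were placed after a catch-all and therefore never take effect.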
From "Allow" on MSDN here
"users
Required String attribute.
A comma-separated list of user names that are denied access to the resource. A question mark (?) denies anonymous users and an asterisk (*) indicates that all users are denied access."
Now, I take it that there's an error in there and they want to say "allow".
So you want <allow users="?,*" />
Under Group Policy for "Impersonate a client after authentication", add IIS_IUSRS

Access Rules on individual pages ASP.net

I am using site map for navigation in my website. Is there any way that I could imply access rules on specific pages based on individual user, not on roles based. Each user will have its access right to each page.
I have explored access rules security, its implying on individual user but on folder based, not page based.
I don't want to create new table in database that will have each page path info.
You can use a <location> element in web.config to specify users per-page.
<configuration>
<location path="JohnsPage.aspx">
<system.web>
<authorization>
<allow users="John" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
This works based from the username the user is logged in as. If you're using integrated windows authentication don't forget you might need to specify the domain too like <allow users="DOMAIN\John" />
You can configure it in web.config as follows:
<?xml version="1.0"?>
<configuration>
<location path="AnyUserPage.aspx">
<system.web>
<authorization>
<allow users="AnyUser" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Forms authentication Of Asp.net

I am working on an Asp.net application where I have 4 roles: 1. Admin 2. User 3. Reseller 4. Affiliate. I am using Forms Authentication for this, and everything was working fine for a single role (User). But now I have 4 roles and I am not getting how to manage this. I have 4 folders for different users.
If I log in with a reseller account and change the URL to the user one, it allows me to access the user part also. But I don't want this. I need a user to be able to access only his own area. That means if a reseller is logged in, he can only access reseller pages in that same folder and nothing else.
Please help me to find this solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = @"Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There's two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing:
<authorization>
<!-- The allow rule must come first: rules are evaluated in order and the first match wins -->
<allow roles="Resellers"/>
<deny users="*"/>
</authorization>
And so on for the other folders.
use like below code:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Permission on Admin folder, only for role=admin

I have an Admin folder which contains 4-5 aspx pages. I want that only a user with role="admin" can view those files. What settings do I need in web.config?
Add a location identifier in your authorization area of your web.config file.
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
This is pretty basic forms authentication use. Maybe you should check out some tutorials of usage of forms authentication.
Google forms authentication:
http://www.15seconds.com/issue/020220.htm
