using multiple authorization elements in web.config - asp.net

Is it possible to use multiple authorization elements in a single web.config to allow additional users access to one file?
E.g., I would like to allow User1 access to the whole application (including Page1.aspx), and User2 access to only Page1.aspx:
<system.web>
<authorization>
<allow users="DOMAIN\User1" />
<deny users="*" />
</authorization>
</system.web>
<location path="~/Page1.aspx">
<system.web>
<authorization>
<allow users="DOMAIN\User2" />
<deny users="*" />
</authorization>
</system.web>
</location>

I believe you can use a comma-delimited list of users, so there should be no need for multiple authorization elements for a single resource.
Also, it is generally better to rely on roles instead of specific users. Since it appears you are using AD, then you can use a security group or something similar for the roles.

If you remove the <deny users="*" /> from the Page1.aspx authorization section, you should get what you want. It will allow User2 to use just that page, and User1's authorization to everything will still apply to this page as well.
Here's a pretty good tutorial on all things related to authorization.

Related

Is it possible to allow anonymous user to browse only few files from a folder

I want to allow anonymous users to browse only a few files, like default.aspx, aboutus.aspx, contactus.aspx etc. Is there a way to write all these file names in one place, or will I have to repeat the code below again and again for all the files?
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
It is not possible to specify multiple paths in a single location element. I think what you are asking to do is something like this:
<location path="Default.aspx,aboutus.aspx,contactus.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Unfortunately, I do not believe that is possible.
You have several options for how to do this.
A) Specify the location element multiple times, one for each file that you want to allow anonymous access to:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="aboutus.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="contactus.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
B) Put all of the files that you want to allow anonymous access to in a separate directory, as Admirer mentioned above.
C) You may want to explore using File Authorization instead of URL authorization. With File Authorization, you can assign Windows ACL permissions directly to files. It might be possible to assign the files you want protected to one Windows account, and the files that you want to allow anonymous access to another account. Your task would then be to use ASP.NET impersonation to map anonymous requests to execute in the security context of the Windows account that has access only to the unprotected files, and map authenticated requests to the Windows account that has access to all files.
I am not sure you want to go down this road, since it is probably much easier simply to replicate the "location" element multiple times, once for each resource you want to expose to anonymous access. But if you do want to look into this, there are some good resources here or here
I think you can group based on folder name. Check this out http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx

Asp.Net: How to allow access to a page to intranet user and deny for extranet users?

I have an app with two pages: pagein.aspx and pageout.aspx. Pagein.aspx must be accessible ONLY to intranet users of my company, but pageout.aspx must be accessible to extranet users (world). My last option is to use the authorization (user and password), but I prefer to use the logic I described. Is this possible in asp.net? If yes, how?
You can do this via web.config
<location path="Pagein.aspx">
<system.web>
<authorization>
<allow roles="YourDomain\Domain Users" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="PageOut.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The simpler solution is to have two websites (two virtual directories), in one enable windows authentication: http://msdn.microsoft.com/en-us/library/ff647405.aspx
In the other, use ASP.NET membership, or leave it public and accessible by anonymous users.
If you need both in the same application, then use the various authorization techniques to require authorization for some pages and leave other pages open to the public.

Access Rules on individual pages ASP.net

I am using a site map for navigation in my website. Is there any way that I could apply access rules on specific pages based on the individual user, not on roles? Each user will have its own access right to each page.
I have explored access rules security; it applies to individual users but on a folder basis, not a page basis.
I don't want to create new table in database that will have each page path info.
You can use a <location> element in web.config to specify users per-page.
<configuration>
<location path="JohnsPage.aspx">
<system.web>
<authorization>
<allow users="John" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
This works based on the username the user is logged in as. If you're using integrated Windows authentication, don't forget you might need to specify the domain too, like <allow users="DOMAIN\John" />
You can configure it in web.config as follows:
<?xml version="1.0"?>
<configuration>
<location path="AnyUserPage.aspx">
<system.web>
<authorization>
<allow users="AnyUser" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Forms authentication Of Asp.net

I am working on an Asp.net application where I have 4 roles: 1. Admin 2. User 3. Reseller 4. Affiliate. I am using Forms Authentication for this, and everything was working fine for a single role (User). But now I have 4 roles and I am not getting how to manage this. I have 4 folders for the different users.
If I log in with a reseller account and then change the URL to the user area, it allows me to access the user part as well. But I don't want this. I need my app to let a user access only his own area. This means that if a reseller is logged in, he can only access reseller pages in the same folder, nothing else.
Please help me to find this solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There are two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config, e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny users="*"/> <!-- "*" is a wildcard for users only; roles="*" would match no one -->
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing:
<authorization>
<allow roles="Resellers"/> <!-- the allow must precede the deny-all: the first matching rule wins -->
<deny users="*"/>
</authorization>
And so on for the other folders.
Use code like the one below:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
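Added illustration (Python written for this page; not code from any of the posts above and not ASP.NET's own implementation) that models how ASP.NET URL authorization evaluates allow/deny rules: the first matching rule wins, rules in a <location> covering the requested path are checked before the parent's rules, and the * and ? wildcards apply to users only, while roles are matched by name. It replays the first question on this page (User1 and User2 on Page1.aspx, with and without the deny-all in the location) and the per-folder role patterns discussed in this thread. Principal, is_allowed and the config strings are constructed for the example; the authoritative behaviour is UrlAuthorizationModule's, so use the model to reason about rule order and then verify on the server.

```python
# Model of ASP.NET UrlAuthorizationModule rule evaluation (illustration only,
# not ASP.NET code). Modelled behaviour:
#   * rules are checked top to bottom; the FIRST matching rule decides;
#   * rules of a <location> covering the request come before the root rules;
#   * "*" (everyone) and "?" (anonymous) are wildcards for users only;
#   * if no rule matches, the request is allowed (the implicit default).
import xml.etree.ElementTree as ET

class Principal:
    """Stand-in for IPrincipal; name=None models an anonymous request."""
    def __init__(self, name=None, roles=()):
        self.name, self.roles = name, {r.lower() for r in roles}
    def is_in_role(self, role):
        return role.lower() in self.roles

def _split(attr):
    return [v.strip() for v in attr.split(",") if v.strip()]

def _rule_matches(rule, principal):
    """True if one <allow>/<deny> element applies to this principal."""
    authenticated = principal.name is not None
    for user in _split(rule.get("users", "")):
        if user == "*" or (user == "?" and not authenticated):
            return True
        if authenticated and user.lower() == principal.name.lower():
            return True
    # Roles have no wildcard: "*" here only matches a role literally named "*".
    return any(principal.is_in_role(r) for r in _split(rule.get("roles", "")))

def _normalise(path):
    return path.lower().lstrip("~").strip("/")

def _covers(location_path, request_path):
    loc, req = _normalise(location_path), _normalise(request_path)
    return req == loc or req.startswith(loc + "/")

def _rules_of(container):
    auth = container if container.tag == "authorization" else container.find("system.web/authorization")
    return [] if auth is None else [e for e in auth if e.tag in ("allow", "deny")]

def effective_rules(config_xml, request_path):
    """Ordered rules for a path: covering <location>s (most specific first), then root."""
    root = ET.fromstring(config_xml)
    locations = [loc for loc in root.iter("location") if _covers(loc.get("path", ""), request_path)]
    locations.sort(key=lambda loc: len(_normalise(loc.get("path", ""))), reverse=True)
    rules = [r for loc in locations for r in _rules_of(loc)]
    return rules + _rules_of(root)

def is_allowed(config_xml, request_path, principal):
    for rule in effective_rules(config_xml, request_path):
        if _rule_matches(rule, principal):
            return rule.tag == "allow"
    return True  # nothing matched: allowed by default

# Constructed configs. ASKED mirrors the first question on this page; FIXED is
# the same with the deny-all removed from the location, as the answer suggests.
ASKED = r"""<configuration>
  <system.web><authorization><allow users="DOMAIN\User1"/><deny users="*"/></authorization></system.web>
  <location path="Page1.aspx"><system.web><authorization>
    <allow users="DOMAIN\User2"/><deny users="*"/></authorization></system.web></location>
</configuration>"""
FIXED = ASKED.replace(r'<allow users="DOMAIN\User2"/><deny users="*"/>', r'<allow users="DOMAIN\User2"/>')
# The "deny anonymous, allow role, deny everyone" pattern, and the same rules with the deny-all first.
ADMIN_ONLY = '<authorization><deny users="?"/><allow roles="Administrators"/><deny users="*"/></authorization>'
DENY_FIRST = '<authorization><deny users="*"/><allow roles="Administrators"/></authorization>'
# A role-scoped folder that (wrongly) puts "*" in roles instead of users, and its corrected form.
ROLE_STAR = """<configuration>
  <system.web><authorization><allow users="*"/></authorization></system.web>
  <location path="Resellers"><system.web><authorization>
    <allow roles="Reseller"/><deny roles="*"/></authorization></system.web></location>
</configuration>"""
ROLE_FIXED = ROLE_STAR.replace('<deny roles="*"/>', '<deny users="*"/>')

def outcomes():
    """Decision for each constructed case; True means the request is allowed."""
    user1, user2, anon = Principal(r"DOMAIN\User1"), Principal(r"DOMAIN\User2"), Principal()
    admin, bob = Principal("alice", ["Administrators"]), Principal("bob", ["User"])
    return {
        "asked: User1 on Page1": is_allowed(ASKED, "Page1.aspx", user1),  # location deny-all fires
        "fixed: User1 on Page1": is_allowed(FIXED, "Page1.aspx", user1),  # falls through to root allow
        "fixed: User2 on Page1": is_allowed(FIXED, "Page1.aspx", user2),
        "fixed: User2 on Other": is_allowed(FIXED, "Other.aspx", user2),
        "fixed: anonymous on Page1": is_allowed(FIXED, "Page1.aspx", anon),
        "admin-only: anonymous": is_allowed(ADMIN_ONLY, "Admin/x.aspx", anon),
        "admin-only: admin": is_allowed(ADMIN_ONLY, "Admin/x.aspx", admin),
        "admin-only: bob": is_allowed(ADMIN_ONLY, "Admin/x.aspx", bob),
        "deny-first: admin": is_allowed(DENY_FIRST, "Admin/x.aspx", admin),
        "roles=*: bob in Resellers": is_allowed(ROLE_STAR, "Resellers/x.aspx", bob),
        "users=*: bob in Resellers": is_allowed(ROLE_FIXED, "Resellers/x.aspx", bob),
    }

if __name__ == "__main__":
    for case, allowed in outcomes().items():
        print(f"{case:28} -> {'allow' if allowed else 'DENY'}")
```

Running the script lists one decision per case: the asked-for config denies User1 on Page1.aspx because the location's deny-all is reached first, the fixed config lets User1 fall through to the root allow while still denying anonymous users and keeping User2 out of other pages, the deny-all-first block denies even the administrator, and the roles="*" variant lets bob into the Resellers folder because no role is named "*".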

<authorization> can protect pages?

Can I use <authorization> to protect webforms from being accessed if a person does not have a specific role?
I tried this:
<authentication mode="Windows" />
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
but if the role Admin is not available then I can still visit the page by typing in the URL. How can I protect this page?
I read the documentation on MSDN (ASP.NET Authorization).
I also put the UrlAuthorizationModule explicitly in the web.config to make sure that it gets hit.
Best to read this: ASP.NET Authorization
It explains how to set the allow/deny elements for users and roles.
