Membership implemenation in ASP.NET - asp.net

I want to do the following
I have some pages on my website that can be viewed only by registered users with certain roles.
I'm using the ASP.NET membership for creating the users and roles.
How to redirect users to login page if they try to access a certain page without logging in.
I tried the asp configuration page. But it allows me to allow/deny permissions only at the folder level. How do I implement the same at page level with minimal effort?
Hello Friends, thank you so much for the quick responses. They were really helpful. Can you also suggest me where to look for explanation on different tags available under this security tag with some examples and explanations. Tried googling.. not much use.

You can use location attribute in config file, like:
<location path="somefile.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
or you can use this code in page_load function:
if (!Page.User.Identity.IsAuthenticated)
{
FormsAuthentication.RedirectToLoginPage();
return;
}
Specifying Login Page:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Index.aspx" timeout="2880" />
</authentication>
</system.web>

You ought to be able to do something like this (obviously change authorization section to your needs):
<location path="MyPage.aspx" allowOverride="true">
<system.web>
<authorization>
<allow roles="Registered User"/>
<deny users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>

Configure your web.config, you can apply allow/deny rules at page level as such:
<?xml version="1.0"?>
<configuration>
<location path="SecuredPage.aspx">
<system.web>
<authorization>
<allow roles="SuperUsers" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>

Related

Allow anonymous authentication for a single folder in web.config?

So here is the scenario, I have an Asp.Net application that is using a custom authentication & membership provider but we need to allow completely anonymous access (i.e.) to a particular folder within the application.
In IIS manager, you can set the authentication mode of a folder, but the settings are saved within C:\Windows\System32\inetsrv\config\applicationHost.config file as described here
To make installation easier, it would be great if I could set this within my web.config but after a couple of attempts I think this may not be possible.
Does anyone know otherwise?
Many thanks
The first approach to take is to modify your web.config using the <location> configuration tag, and <allow users="?"/> to allow anonymous or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
If that approach doesn't work then you can take the following approach which requires making a small modification to the IIS applicationHost.config.
First, change the anonymousAuthentication section's overrideModeDefault from "Deny" to "Allow" in C:\Windows\System32\inetsrv\config\applicationHost.config:
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
overrideMode is a security feature of IIS. If override is disallowed at the system level in applicationHost.config then there is nothing you can do in web.config to enable it. If you don't have this level of access on your target system you have to take up that discussion with your hosting provider or system administrator.
Second, after setting overrideModeDefault="Allow" then you can put the following in your web.config:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
Use <location> configuration tag, and <allow users="?"/> to allow anonymous only or <allow users="*"/> for all:
<configuration>
<location path="Path/To/Public/Folder">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="ForAll/Demo.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In Addition: If you want to write something on that folder through website , you have to give IIS_User permission to the folder
To make it work I build my directory like this:
Project
Public
Restrict
So I edited my webconfig for my public folder:
<location path="Project/Public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
And for my Restricted folder:
<location path="Project/Restricted">
<system.web>
<authorization>
<allow users="*"/>
</authorizatio>
</system.web>
</location>
See here for the spec of * and ?:
https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/add
I hope I have helped.
I added web.config to the specific folder say "Users" (VS 2015, C#)
and the added following code
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Initially i used location tag but that didn't worked.

secured pages in asp.net c#

config I have :
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode ="Forms">
<forms name ="loginpage" loginUrl="login_to_secure3700.aspx" />
</authentication>
</system.web>
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This way the pag bob.aspx will only be accessible when the username and password were entered ok.
BUT , this works only for page bob.aspx, how can I make this work for eg 50 pages, but all with different logins and passwords. ?
There are two options:
Secure each page with deny all users and only allow bob on bob.aspx and helen to helen.aspx. Given the answers above you will manage that fore sure but it is cumbersume: for every new user you need to change your config.
I think the better way is to create one! page (user.aspx) and take the user that is logged in and personalize that single page for this user. This is a lot easier to maintain and you will have all the code on one page.
If you want to keep the personalized approach in the pagename (bob.aspx) you can have a look into URL rewriting.
You could add multiple paths like this:
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path ="securedpages/bob2.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Or more simple, just add the dir of the secured pages:
<location path ="securedpages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
you can put all the 50 pages in one folder and the add 1 web.config for them in this folder that contains
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
It does not matter if they have different logins and password.

Allow access for unathenticated users to specific page using ASP.Net Forms Authentication

I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="register.aspx"> //path here is path to your register.aspx page
<system.web>
<authorization>
<allow users="*"/> // this will allow access to everyone to register.aspx
</authorization>
</system.web>
</location>
For more detail follow the below link
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and want to restrict access to rest of the site only to logged / authenticated users .i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization> <deny users="?"/> //this will restrict anonymous user access
</authorization>
</system.web>
<location path="special.aspx"> //path here is path to your special.aspx page
<system.web>
<authorization>
<allow users="*"/> // this will allow access to everyone to special.aspx
</authorization>
</system.web>
</location>
</configuration>

anonymous access to aspx page fails

I've a web site that uses forms authentication. For the most part, my web site requires authentication to do anything. My privacy statement page is an exception and has to be accessible to anonymous users.
The page is in a folder, and I've set the location path information in the web.config as follows:
<location path="about">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms name="FDAuth"
cookieless="UseCookies"
protection="All"
loginUrl="login.aspx"
requireSSL="false"
slidingExpiration="false"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
That configuration allows anonymous access to other file types, but still prompts for a log in for aspx pages.
In other words, anonymous access is allowed to this page
www.mywebsite.com/about/privacy.asp
but I go to the login.aspx page if I try to access access this page
www.mywebsite.com/about/privacy.aspx
What do I need to do to allow anonymous access to
www.mywebsite.com/about/privacy.aspx?
just remove the <location allowOverride="true"> element and configure <authorization/> within <system.web/>
<location> tags are used to define exceptions to the global policy, which is typically defined in the <authorization/> within <system.web/>.
Just one more thing : Add the line <allow users="?"/>
* users match any authenticated usernames, while ? matches all unauthenticated ones.
So, you would have this :
<location path="about">
<system.web>
<authorization>
<allow users="*"/>
<allow users="?"/>
</authorization>
</system.web>
</location>
You should try:
<location path="about">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
As per this MSDN example.
Notice the ? instead of the * used for anonymous access.
This should fix your problem but if not you can specify a specific resources:
<location path="about\privacy.aspx">
Got it. The problem was that the page uses a master page. Moving the master page into the about folder solved the problem.
Thanks to the quick responses!

How to use ASP.NET Authorization Yet Permit Access to .css Files?

<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I am using forms authentication, and when i place the arguments cited above, the css formatting I have done for the whole document is not being implemented, it's vanishing. what should i be doing so that the CSS remains intact.
I assume that your login form has an external CSS file, and that you're using Cassini or IIS 7 integrated mode.
Your <deny users="?"/> is preventing anonymous users from seeing the login form's CSS files.
You need to use the <location> element to allow anonymous users to see the CSS files, like this:
<location path="CSS">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Use the location element to allow access to your css:
<configuration>
<location path="style.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="Images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
**
please add this code in web config file
<globalization requestEncoding="utf-8" responseEncoding="utf-8"
culture="en-GB"/>

Resources