My site (WebForms, C# 4.0) is using Forms Auth and by default requires login:
<authorization>
  <deny users="?"/>
</authorization>
I allow unauthenticated access to the public folder (http://siteurl.com/member/public):
<location path="member/public">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
It all works fine. Then, I added a route (RouteTable.MapPageRoute(...)), so that
http://siteurl.com/member/public/view.aspx?username=someusername
can be accessed by going to:
http://siteurl.com/member/view/someusername
My problem is - now I also need to add member/view location to web.config to allow unauth access to it, so I have to have two entries for technically the same location:
<location path="member/public"> <!-- physical location -->
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
<location path="member/view"> <!-- route -->
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
I will have a bunch of those routes to pages in member/public folder, so looks like I'd have to list each of them in web.config, and it doesn't sound right...
Is there any way to tell ASP.NET to automatically apply physical path auth rules to the routing so that I would only need to specify unauth access to member/public and all routes to the location would automatically gain access?
Thanks!
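A simplified model of the rule evaluation behind this behaviour, added here as an example (not code from the post or from ASP.NET): it assumes rules are matched against the requested URL, with the nearest matching <location> first and the first matching rule deciding. The WEB_CONFIG sample and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config mirroring the question: deny anonymous users by
# default and open only the physical folder member/public.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="member/public">
    <system.web>
      <authorization><allow users="?"/></authorization>
    </system.web>
  </location>
</configuration>
"""

def rules_for(config_xml, url_path):
    """Merged rule list for url_path: deepest matching <location> first, root last."""
    root = ET.fromstring(config_xml)
    url = url_path.strip("/").lower()
    scopes = [("", root.find("system.web/authorization"))]
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        if path and (url == path or url.startswith(path + "/")):
            scopes.append((path, loc.find("system.web/authorization")))
    scopes.sort(key=lambda s: len(s[0]), reverse=True)
    merged = [(r.tag, r.get("users", "")) for _, auth in scopes
              if auth is not None for r in auth]
    # Assumption: the machine-level default <allow users="*"/> ends the list.
    return merged + [("allow", "*")]

def is_allowed(config_xml, url_path, user=None):
    """First rule that matches the user decides; user=None means anonymous."""
    for action, users in rules_for(config_xml, url_path):
        names = [u.strip() for u in users.split(",")]
        if "*" in names or (user is None and "?" in names) or user in names:
            return action == "allow"
    return False

def anonymous_report(config_xml, urls):
    """Map each URL to True/False: can an anonymous user reach it?"""
    return {u: is_allowed(config_xml, u) for u in urls}

if __name__ == "__main__":
    urls = ["member/public/view.aspx", "member/view/someusername", "default.aspx"]
    for url, ok in anonymous_report(WEB_CONFIG, urls).items():
        print(f"{url:35} anonymous {'allowed' if ok else 'denied'}")
```

Under this model the routed URL member/view/someusername is denied to anonymous users because only the root rules apply to it, while member/public/view.aspx is allowed by the nearer location rule.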
Related
We deny unauthenticated access by default with:
<authorization>
  <deny users="?"/>
</authorization>
Then allow certain locations like:
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
But we actually need to allow access to all CSS files, regardless of where they are (for Auryc session replays).
I know I could allow them like this:
<location path="folder/whatever.css">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
But the problem is they are scattered all over the place, not contained in one folder.
Is there an easy way to allow all requests of a certain file type (like .css)? Or am I stuck having to add and maintain a separate entry for each individual file?
I am using Forms Authentication with ASP.NET Web Forms and it successfully authenticates the user.
With these authorization settings in the web.config an anonymous user can only access the Login page.
<authorization>
  <deny users="?" />
</authorization>
or
<location path="SubFolder">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
I am trying to use location tags to further allow anonymous access to additional pages, but they are ignored:
<location path="SubFolder/LoggedOut.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>
Following ASP.NET settings inheritance the authorization tag in the location tag should overwrite the global authorization tag.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list. (link)
How can I deny anonymous access to all pages but those that I specify?
The answers to this question state that what I am doing is correct. But it doesn't seem to work for me. So why does this happen? Is there a way to find out what setting blocks the access when I try to access a page? Is there anything I am missing?
Apparently a less-restricted file can not be in a restricted directory.
However, doing the same with a less-restricted directory is ok.
I ended up placing the public files in the root and all secured files in a subfolder using following web.config:
...
<authorization>
  <allow users="*" />
</authorization>
...
<location path="SubFolder">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
</location>
...
Tested in .NET-Framework 4.5, Visual Studio Enterprise 2015.
I want to do the following
I have some pages on my website that can be viewed only by registered users with certain roles.
I'm using the ASP.NET membership for creating the users and roles.
How do I redirect users to the login page if they try to access a certain page without logging in?
I tried the asp configuration page. But it allows me to allow/deny permissions only at the folder level. How do I implement the same at page level with minimal effort?
Hello friends, thank you so much for the quick responses. They were really helpful. Can you also suggest where to look for an explanation of the different tags available under this security tag, with some examples and explanations? I tried googling, but it was not much use.
You can use location attribute in config file, like:
<location path="somefile.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
or you can use this code in page_load function:
if (!Page.User.Identity.IsAuthenticated)
{
    FormsAuthentication.RedirectToLoginPage();
    return;
}
Specifying Login Page:
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Index.aspx" timeout="2880" />
  </authentication>
</system.web>
You ought to be able to do something like this (obviously change authorization section to your needs):
<location path="MyPage.aspx" allowOverride="true">
  <system.web>
    <authorization>
      <allow roles="Registered User"/>
      <deny users="*"/>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Configure your web.config, you can apply allow/deny rules at page level as such:
<?xml version="1.0"?>
<configuration>
  <location path="SecuredPage.aspx">
    <system.web>
      <authorization>
        <allow roles="SuperUsers" />
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
I've a web site that uses forms authentication. For the most part, my web site requires authentication to do anything. My privacy statement page is an exception and has to be accessible to anonymous users.
The page is in a folder, and I've set the location path information in the web.config as follows:
<location path="about">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location allowOverride="true">
  <system.web>
    <authentication mode="Forms">
      <forms name="FDAuth"
             cookieless="UseCookies"
             protection="All"
             loginUrl="login.aspx"
             requireSSL="false"
             slidingExpiration="false"></forms>
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
That configuration allows anonymous access to other file types, but still prompts for a log in for aspx pages.
In other words, anonymous access is allowed to this page
www.mywebsite.com/about/privacy.asp
but I go to the login.aspx page if I try to access this page
www.mywebsite.com/about/privacy.aspx
What do I need to do to allow anonymous access to
www.mywebsite.com/about/privacy.aspx?
Just remove the <location allowOverride="true"> element and configure <authorization/> within <system.web/>.
<location> tags are used to define exceptions to the global policy, which is typically defined in the <authorization/> within <system.web/>.
Just one more thing: add the line <allow users="?"/>
* users match any authenticated usernames, while ? matches all unauthenticated ones.
So, you would have this:
<location path="about">
  <system.web>
    <authorization>
      <allow users="*"/>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
You should try:
<location path="about">
  <system.web>
    <authorization>
      <allow users="?"/>
    </authorization>
  </system.web>
</location>
As per this MSDN example.
Notice the ? instead of the * used for anonymous access.
This should fix your problem, but if not you can specify a specific resource:
<location path="about\privacy.aspx">
Got it. The problem was that the page uses a master page. Moving the master page into the about folder solved the problem.
Thanks to the quick responses!
I am using forms authentication in a MVC 2 project.
I have this in my web.config:
<authorization>
  <deny users="?" />
</authorization>
I want the /Content folder to be available to users that haven't been authenticated yet. The login view uses the css in that folder, which should be available at login time.
Thanks
You can use the css file as a location in your config file like this:
<location path="whatever.css">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
This would be outside of your main system.web block, I believe.
If this content folder is a separate folder, it can have its own web.config file that you can set to allow=*
Do you mean:
<authorization>
  <allow users="*" />
</authorization>