FormsAuthentication for multiple subfolders - asp.net

When I tried to implement form authentication in various subfolders, I got an error as follows: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
The implementation in my web.config was as follows:
<location path="HelpDesk">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Helpdesk/Default.aspx" />
</authentication>
</system.web>
</location>

You have forgotten or copied a web.config inside a subdirectory of your project that contains commands that are only for the main web.config.
If this is not your main config, then you need to change it for sub folder users... for example something like:
<configuration>
<system.web>
<authorization>
<allow roles="whatever" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

This is what I had to do to make my WCF service use form authentication:
<modules runAllManagedModulesForAllRequests="true"/>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" minFreeMemoryPercentageToActivateService="0"/>
<authorization>
<allow roles="itvserver" />
<deny users="?"/>
</authorization>
<system.web.extensions>
<scripting>
<webServices>
<authenticationService enabled="true" />
</webServices>
</scripting>
</system.web.extensions>

Related

How to redirect a user to a Specific Page with Forms Authentication

I want to configure the application and prevent the user from going directly to any page in the application without signing in, but any user can access the website's homepage.
But when I run the homepage, login page or any page of the website, I am getting this error: The requested page cannot be accessed because the related configuration data for the page is invalid.
I can't find out where I am making a mistake. I have posted my web.config file. Have a look over it and show me where I am making a mistake and what the solution is.
web.config
<?xml version="1.0"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="ConnectionString" connectionString="Data Source=(LocalDB)\MSSQLLocalDB;AttachDbFilename=|DataDirectory|\Database.mdf;Integrated Security=True"
providerName="System.Data.SqlClient" />
</connectionStrings>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>
<location path="FIRST PAGE">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Registration">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="AdminHome">
<system.web>
<authorization>
<allow users="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Student">
<system.web>
<authorization>
<allow roles="Student"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Teacher">
<system.web>
<authorization>
<allow roles="Teacher"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None"/>
</appSettings>
</configuration>
ERROR
The homepage of the website is under the folder FIRST PAGE, and the login and register pages are under the folder Registration.
The <authentication> part of your configuration should be inside the <system.web> section
MSDN authentication Element
Just edit your web.config:
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Registration/LoginPage.aspx">
</forms>
</authentication>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
</system.web>

How to allow access to a web folder only to authenticated users

My web application uses forms authentication mode.
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
There is a folder in my web application, named "Documentos", that has a lot of PDF files.
My program allows the user to load a PDF file using its URL address:
http://MyHost/MyWebApp/Documentos/1.pdf
However, I need to restrict that functionality only to authenticated users.
For that, I put in my web.config:
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But it doesn't make any difference. Anyone can still load any PDF file in the folder Documentos by doing:
http://MyHost/MyWebApp/Documentos/1.pdf
Can I accomplish what I'm looking for or should I approach it in a different way?
EDIT
Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
You have two options -
Option 1
Use ~/ if your web application is not root level.
<location path="~/Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Option 2
Create a web.config with the following content, and place it inside the Documentos folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...

Setting start page in web hosting ASP.NET

Parallel Plesk is not opening the default page on my domain name, which I've set in the default directories; instead it is opening the login page of my ASP.NET web application. However, it opens the default page on my domain name once I have logged in by giving the right credentials.
Here is my web.config file:
<system.web>
<compilation debug="true" targetFramework="4.5" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<httpRuntime targetFramework="4.5" maxRequestLength="20896" />
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="UserPanel.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
If you are hosting on IIS (7 or later), inside the <system.webServer> (of your web.config) add:
<defaultDocument>
<files>
<clear/>
<add value="UserPanel.aspx" />
</files>
</defaultDocument>

IIS, denying access to static files; What is wrong with this example?

I am trying to get the simplest example of allowing access by default, denying access unless authenticated to specific directories in IIS, to work. When you Google around, everyone says it's as simple as this:
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Somehow it hasn't been for me.
Here's the project structure:
Here's the Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/" />
</authentication>
<authorization>
<!--<deny users="*"/>-->
</authorization>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The goal is to allow all users to access index.html and to deny access to everything in pages.
Here are my observations:
<!--<deny users="*"/>--> works when un-commented.
It doesn't work at all without <modules runAllManagedModulesForAllRequests="true" />. Remove this, deny doesn't work anywhere.
The deny in <location path="~/pages"> doesn't work. Setting the path to pages or pages/secure.html or ~/pages/secure.html also doesn't work.
What's the problem here?
It doesn't like the path "~/pages". The following works for me:
<configuration>
<system.web>
<authentication mode="Forms"/>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"></modules>
</system.webServer>
<!-- note the change below -->
<location path="pages" >
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
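The configuration mistakes reported in the questions above can be checked mechanically. The following is an added example, not code from any of the posts: a small Python audit of a web.config string. The function name, the finding codes and the sample config are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining the mistakes reported in the questions above.
SAMPLE = """<configuration>
  <authentication mode="Forms"><forms loginUrl="/Registration/LoginPage.aspx"/></authentication>
  <system.web><compilation debug="true"/></system.web>
  <location path="HelpDesk">
    <system.web><authentication mode="Forms"/></system.web>
  </location>
  <location path="~/pages">
    <system.web><authorization><deny users="?"/></authorization></system.web>
  </location>
</configuration>"""


def audit_web_config(xml_text):
    """Return (code, detail) findings; the codes are names invented for this example."""
    root = ET.fromstring(xml_text)
    findings = []
    # <authentication> belongs inside the application-level <system.web>.
    if root.find("authentication") is not None:
        findings.append(("AUTH_OUTSIDE_SYSTEM_WEB", "child of <configuration>"))
    for loc in root.findall("location"):
        path = loc.get("path", "")
        # Registered as allowDefinition='MachineToApplication': not valid per subfolder.
        if next(loc.iter("authentication"), None) is not None:
            findings.append(("AUTH_IN_LOCATION", path))
        # The answer above found that a "~/" prefix never matches the folder.
        if path.startswith("~"):
            findings.append(("TILDE_IN_LOCATION_PATH", path))
    # Without this flag the rules only apply to requests handled by ASP.NET,
    # so static files (.pdf, .html) are served without the check.
    has_rules = next(root.iter("authorization"), None) is not None
    modules = next(root.iter("modules"), None)
    run_all = modules is not None and \
        modules.get("runAllManagedModulesForAllRequests", "").lower() == "true"
    if has_rules and not run_all:
        findings.append(("STATIC_FILES_NOT_COVERED", "runAllManagedModulesForAllRequests"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_web_config(SAMPLE):
        print(code, detail)
```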

How to prevent users from accessing files in folder?

I'm using Asp.Net Identity. I need to allow admins and deny users to access all pages in my management folder, so I've put a web.config file in that folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
But anybody can still access all files in the folder. I've also tried to put it into the main config file with a location tag, but no results. Have you any ideas where to start looking for a problem?
Update: I've found a question on asp.net forum which explains a lot:
http://forums.asp.net/t/1955560.aspx?ASP+NET+Identity+Are+web+config+files+no+longer+acting+in+the+capacity+of+a+security+guard+for+our+ASP+NET+applications+files+and+folders+
There is also one thing to mention. When creating a new web application project with ASP.NET Identity, Visual Studio 2013 sets these parameters:
<system.web>
<authentication mode="None"/>
</system.web>
and
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
</modules>
</system.webServer>
Change your code to ** ** it prevents any users that aren't authenticated:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Try this:
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="[mymanagementfolder]">
<system.web>
<authorization>
<deny users ="?" />
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
MSDN SOURCE
If Directory Browsing is enabled in IIS then you should turn it off.
EDIT:
I think you should enable Forms/Windows authentication. The above code is working fine on my computer, as it redirects to ReturnUrl.
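ASP.NET URL authorization evaluates rules top-down, stops at the first match, and falls back to a machine-level `<allow users="*"/>`. The following added example (not from any of the posts) models that evaluation in Python for the three rule sets posted in this thread. It ignores the verbs attribute and does not model whether the authorization module runs at all; the user names are constructed.

```python
# Rule sets as posted in this thread: (action, users, roles) in config order.
QUESTION = [("allow", "", "Admin"), ("deny", "*", "")]
ANSWER_1 = [("allow", "", "Admin"), ("deny", "?", "")]
ANSWER_2 = [("deny", "?", ""), ("allow", "*", "")]

# The machine-level default that is evaluated after a site's own rules.
DEFAULT = [("allow", "*", "")]


def _names(csv):
    """Split a comma-separated users/roles attribute into a lower-cased set."""
    return {n.strip().lower() for n in csv.split(",") if n.strip()}


def is_allowed(rules, user=None, roles=()):
    """First matching rule wins. user=None models an anonymous request."""
    user_roles = {r.lower() for r in roles}
    for action, users, rule_roles in rules + DEFAULT:
        names = _names(users)
        matched = (
            "*" in names                                  # everyone
            or ("?" in names and user is None)            # anonymous only
            or (user is not None and user.lower() in names)
            or bool(_names(rule_roles) & user_roles)
        )
        if matched:
            return action == "allow"
    return False  # not reached: DEFAULT always matches


def access_matrix(rules):
    """Outcome for an anonymous visitor, a signed-in non-admin, and an Admin."""
    return (
        is_allowed(rules),
        is_allowed(rules, "alice", ["Student"]),  # constructed user
        is_allowed(rules, "bob", ["Admin"]),      # constructed user
    )


if __name__ == "__main__":
    for label, rules in (("question", QUESTION), ("answer 1", ANSWER_1), ("answer 2", ANSWER_2)):
        print(label, access_matrix(rules))
```

Only the rule set from the question ends in `<deny users="*"/>`, so it is the only one of the three that keeps a signed-in non-admin out of the folder.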
