I've a web site that uses forms authentication. For the most part, my web site requires authentication to do anything. My privacy statement page is an exception and has to be accessible to anonymous users.
The page is in a folder, and I've set the location path information in the web.config as follows:
<location path="about">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms name="FDAuth"
cookieless="UseCookies"
protection="All"
loginUrl="login.aspx"
requireSSL="false"
slidingExpiration="false"></forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
That configuration allows anonymous access to other file types, but still prompts for a log in for aspx pages.
In other words, anonymous access is allowed to this page
www.mywebsite.com/about/privacy.asp
but I go to the login.aspx page if I try to access this page
www.mywebsite.com/about/privacy.aspx
What do I need to do to allow anonymous access to
www.mywebsite.com/about/privacy.aspx?
Just remove the <location allowOverride="true"> element and configure <authorization/> within <system.web/>.
<location> tags are used to define exceptions to the global policy, which is typically defined in the <authorization/> within <system.web/>.
Just one more thing: add the line <allow users="?"/>
* users match any authenticated usernames, while ? matches all unauthenticated ones.
So, you would have this :
<location path="about">
<system.web>
<authorization>
<allow users="*"/>
<allow users="?"/>
</authorization>
</system.web>
</location>
You should try:
<location path="about">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
As per this MSDN example.
Notice the ? instead of the * used for anonymous access.
This should fix your problem, but if not you can specify a specific resource:
<location path="about\privacy.aspx">
Got it. The problem was that the page uses a master page. Moving the master page into the about folder solved the problem.
Thanks to the quick responses!
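How rules like the ones in these configurations are evaluated, as an added example that is not part of the original thread: ASP.NET URL authorization takes the first matching rule, where `*` is every user and `?` is the anonymous user, rules in a more specific `<location>` are checked before the site-wide ones, and the machine-level default allows everyone. `SAMPLE`, `is_allowed` and the helper names are constructed for this example; `verbs` attributes and nested web.config files are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configs in this thread (not a real site).
SAMPLE = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="about">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="SecuredPage.aspx">
    <system.web><authorization>
      <allow roles="SuperUsers"/><deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

def _names(rule, attr):
    """Comma-separated attribute -> set of lower-cased names (a simplification)."""
    return {v.strip().lower() for v in rule.get(attr, "").split(",") if v.strip()}

def _rules(node):
    """[(action, users, roles)] from node/system.web/authorization, in order."""
    auth = node.find("system.web/authorization")
    return [(r.tag, _names(r, "users"), _names(r, "roles"))
            for r in (auth if auth is not None else [])]

def _covers(loc, path):
    """True if a <location path> names `path` itself or a parent folder."""
    lp = loc.get("path", "").strip("/").lower()
    return lp != "" and (path == lp or path.startswith(lp + "/"))

def is_allowed(config_xml, path, user=None, roles=()):
    """First matching rule wins. user=None models an anonymous request.
    Assumption: `verbs` attributes and nested web.config files are ignored."""
    root = ET.fromstring(config_xml)
    path = path.strip("/").lower()
    hits = sorted((l for l in root.findall("location") if _covers(l, path)),
                  key=lambda l: len(l.get("path")), reverse=True)
    site = [l for l in root.findall("location") if not l.get("path")]
    # Most specific exception first, site-wide rules last.
    rules = [r for n in hits + [root] + site for r in _rules(n)]
    held = {r.lower() for r in roles}
    for action, users, wanted in rules:
        if ("*" in users or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or (held & wanted)):
            return action == "allow"
    return True  # machine-level default is <allow users="*"/>
```

Calling `is_allowed(config, path)` with no user for each `<location>` path in a web.config shows which exceptions are reachable without logging in.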
I am using ASP.NET forms authentication for my web app. I have a folder to which I would like to grant access to unauthenticated users. I am using IIS 7 and the app pool is in the integrated mode. As a test, I created hello.txt inside ScriptsHandlers folder. When I try to browse it using IIS, I get redirected to the login page despite the location element. Also, when I am running my application, I get 401 Unauthorized errors when querying asmx web services stored in the folder.
Here is a snippet of my web.config:
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authentication mode="Forms">
<forms loginUrl="Views/Login.aspx" name=".ASPXFORMSAUTH" cookieless="UseUri" slidingExpiration="true" />
</authentication>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
Allow access to everything inside ScriptsHandlers folder
ScriptsHandlers Or /ScriptsHandler depending on where you keep this web.config
<location path="ScriptsHandlers">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
config I have :
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode ="Forms">
<forms name ="loginpage" loginUrl="login_to_secure3700.aspx" />
</authentication>
</system.web>
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This way the page bob.aspx will only be accessible when the username and password were entered ok.
BUT, this works only for page bob.aspx. How can I make this work for e.g. 50 pages, but all with different logins and passwords?
There are two options:
Secure each page with deny all users and only allow bob on bob.aspx and helen to helen.aspx. Given the answers above you will manage that for sure, but it is cumbersome: for every new user you need to change your config.
I think the better way is to create one! page (user.aspx) and take the user that is logged in and personalize that single page for this user. This is a lot easier to maintain and you will have all the code on one page.
If you want to keep the personalized approach in the pagename (bob.aspx) you can have a look into URL rewriting.
You could add multiple paths like this:
<location path ="securedpages/bob.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path ="securedpages/bob2.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Or, more simply, just add the dir of the secured pages:
<location path ="securedpages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
You can put all the 50 pages in one folder and then add 1 web.config for them in this folder that contains
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
It does not matter if they have different logins and password.
I want to do the following
I have some pages on my website that can be viewed only by registered users with certain roles.
I'm using the ASP.NET membership for creating the users and roles.
How to redirect users to login page if they try to access a certain page without logging in.
I tried the asp configuration page. But it allows me to allow/deny permissions only at the folder level. How do I implement the same at page level with minimal effort?
Hello Friends, thank you so much for the quick responses. They were really helpful. Can you also suggest me where to look for explanation on different tags available under this security tag with some examples and explanations. Tried googling.. not much use.
You can use location attribute in config file, like:
<location path="somefile.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
or you can use this code in page_load function:
if (!Page.User.Identity.IsAuthenticated)
{
FormsAuthentication.RedirectToLoginPage();
return;
}
Specifying Login Page:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Index.aspx" timeout="2880" />
</authentication>
</system.web>
You ought to be able to do something like this (obviously change authorization section to your needs):
<location path="MyPage.aspx" allowOverride="true">
<system.web>
<authorization>
<allow roles="Registered User"/>
<deny users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
Configure your web.config, you can apply allow/deny rules at page level as such:
<?xml version="1.0"?>
<configuration>
<location path="SecuredPage.aspx">
<system.web>
<authorization>
<allow roles="SuperUsers" />
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I am using ASP.Net Forms Authentication. My Web.config looks like this.
<authentication mode="Forms">
<forms loginUrl="login.aspx"/>
</authentication>
<authorization>
<deny users="?" />
</authorization>
So currently every aspx page requires authentication.
I want to allow access to even unauthenticated users to a specific page named special.aspx.
How can I do this?
Take a look at the example on MS Support
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this
application except for those that you have not explicitly
specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated
user access to the ThePageThatUnauthenticatedUsersCanVisit.aspx
page only. It is located in the same folder
as this configuration file. -->
<location path="ThePageThatUnauthenticatedUsersCanVisit.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated
user access to all of the files that are stored
in the TheDirectoryThatUnauthenticatedUsersCanVisit folder. -->
<location path="TheDirectoryThatUnauthenticatedUsersCanVisit">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Put the following in your web.config:
<location path="special.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="register.aspx"> <!-- path here is the path to your register.aspx page -->
<system.web>
<authorization>
<allow users="*"/> <!-- this will allow access to everyone to register.aspx -->
</authorization>
</system.web>
</location>
For more detail follow the below link
http://weblogs.asp.net/gurusarkar/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config
Allow everyone to access a particular page
Sometimes you want to allow public access to some page and want to restrict access to the rest of the site only to logged in / authenticated users, i.e. do not allow anonymous access. Say your special.aspx is in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<configuration>
<system.web>
<authentication mode="Forms"/>
<authorization>
<deny users="?"/> <!-- this will restrict anonymous user access -->
</authorization>
</system.web>
<location path="special.aspx"> <!-- path here is the path to your special.aspx page -->
<system.web>
<authorization>
<allow users="*"/> <!-- this will allow access to everyone to special.aspx -->
</authorization>
</system.web>
</location>
</configuration>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I am using forms authentication, and when I place the arguments cited above, the CSS formatting I have done for the whole document is not being implemented, it's vanishing. What should I be doing so that the CSS remains intact?
I assume that your login form has an external CSS file, and that you're using Cassini or IIS 7 integrated mode.
Your <deny users="?"/> is preventing anonymous users from seeing the login form's CSS files.
You need to use the <location> element to allow anonymous users to see the CSS files, like this:
<location path="CSS">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Use the location element to allow access to your css:
<configuration>
<location path="style.css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
<location path="Images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Please add this code in the web.config file:
<globalization requestEncoding="utf-8" responseEncoding="utf-8"
culture="en-GB"/>