Windows "forms" authentication - <deny users="?"> redirecting to foreign page! - asp.net

Like the title states - I have a web.config file that looks like,
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms name="login" protection="All" timeout="30" loginUrl="login" defaultUrl="~/">
<credentials passwordFormat="Clear">
<user name="admin" password="password" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
I want to do exactly what it says it should do... I want to deny all users who try to enter the site.
It works; however, it redirects to an "Account/Login?ReturnUrl=%2flogin" URL I have never heard of...
Is there a place I can change this?

I've seen this problem before. No doubt you're also getting this error:
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
And you're being redirected to "/Account/Login" which doesn't even exist. I believe it's some kind of default that gets pulled in due to using MVC components even if you're using an ASP.NET Forms website. Perhaps you have some Razor pages and the following was added to your web.config:
<appSettings>
<add key="webpages:Enabled" value="true" />
</appSettings>
Having this in there seems to be enough to mess up your login page as defined normally:
<authentication mode="Forms">
<forms loginUrl="login" timeout="43200"/>
</authentication>
I've solved this by adding an extra "loginUrl" key to appSettings:
<appSettings>
<add key="webpages:Enabled" value="true" />
<add key="loginUrl" value="~/Login.aspx" /><!-- Override default -->
</appSettings>

The loginUrl param does not have an absolute path, so the path gets mixed with the relative folder the website is in.
Solution:
loginUrl="~/login"
or
loginUrl="/login"

The problem is
loginUrl="login"
This is the URL to send unauthenticated users to. If the URL to your login page is "Login.aspx" then that's what you should set it to.
loginUrl="login.aspx"
The piece at the end, ReturnUrl, is the address to redirect the user to if they successfully log in.

The LoginUrl is created with the code UrlPath.Combine(HttpRuntime.AppDomainAppVirtualPathString, loginUrl);, so I'm guessing that somehow the root of your website is set to "Application".
http://www.ureader.com/msg/15372322.aspx

Related

ASP.NET Redirect to login page but not for default page

I have an ASP.NET 4.5 / C# site where I am trying to do the following. When users hit the root of the site, www.blah.com, they should be redirected to Default.aspx. This page is open and does not require login. There is a link on this page if they would like to login. However, I need to automatically redirect them to login if they try to access other pages. Some are open to all and some are not. I'm cool with assigning permissions via roles per page or per folder. The issue I have is with Default.aspx.
If a user comes to my site by typing: www.blah.com/Default.aspx then the page comes up with no redirect for a login.
If a user comes to my site by typing: www.blah.com/Admin.aspx then they are redirected to login.
My life is good so far, but...
If a user comes to my site by typing: www.blah.com then they are redirected to login instead of just loading Default.aspx. Here is the relevant web.config.
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
I assume my specific permission on Default.aspx overrides the generalized deny. Again, this appears to work. The issue I have is the automatic redirect to Default.aspx when someone hits the root of my site, www.blah.com.
As always, thanks!
update
I have moved everything into one of 3 directories: _public, _private, _admin. Let's not worry about _admin for now. Here is how my web.config is set up:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
.
.
.
<location path="_public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="_private">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
.
.
.
<forms name=".ASPXFORMSAUTH" loginUrl="~/_public/Login.aspx" defaultUrl="~/_private/landingPage.aspx" slidingExpiration="true" path="/" />
I am still doing something wrong. Shouldn't my users come to ~/_public/Default.aspx when they hit www.blah.com? Now it is telling me I don't have a default page specified.
Also, regarding the defaultUrl property of the forms tag. How does this tie in with the DestinationPageUrl of my login control?
Thx!
update
I updated the paths in the location tag to "~/folder" instead of "folder". Now, instead of an error, it just keeps taking me to the login screen. I don't have another authorization tag in the root of web.config, but I am handling the subfolders from the main web.config instead of putting a separate file in each subfolder.
Thank you all for the detailed replies. They were all very helpful and led me to a better overall solution. However, the root of my issue was something very small and annoying. Take a look at my default page again:
<defaultDocument>
<files>
<clear />
<add value="~/_public/Default.aspx" />
</files>
</defaultDocument>
Notice the path in the value. I experimented with this and found that if I lead with a tilde or a forward slash that this value is completely ignored. Once I specified it as "_public/Default.aspx" everything else fell into place and worked as expected.
I did change a few things up though. I am using three subfolders for pages: _public, _private, and _admin. _public is for anyone, _private is for anyone authenticated, and _admin is for those with special privs. I want to mention that I DO NOT have any Default.aspx file in the root of my website whatsoever. To verify the way I was specifying the path in the web.config was wrong, I have tried switching it back with exactly the same failure.
I'm curious if anyone has spotted this, and do you see it as inconsistent? Most everywhere else in my web.config I can specify a path from root by beginning with a tilde.
So, my site acts as expected...anonymous users hitting public pages works fine. Hitting private or admin pages redirects to login. Once logged in, if you were trying to get to a specific page you go there...if not, you are redirected via the defaulturl in the forms tag. Most importantly, when you type in the name of the site with no page specified, you are taken to the default page...which should have been the simplest part of it all if not for the syntax issue. So there it is....doh!
I would recommend making a landing page that will be the result of the root URL being typed in by the user.
The issue you are seeing is that default.aspx is the default document for a root URL request in IIS and is also the defaultUrl for your Forms Authentication.
Create a Landing.aspx page that has whatever message you want, link to log-in, etc.
Now make this Landing.aspx be the first default document in IIS (make sure it is before default.aspx in the list) so that a root URL request will redirect to Landing.aspx and not get involved with the Forms Authentication at all.
Also, add a <location> entry in web.config to allow all users access to the Landing.aspx page:
<location path="Landing.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
If you want to restrict users to folders, you want to create a *web.config* inside each folder (which is a lot easier to maintain than adding it all to the main web.config).
Note: for good design practice (in traditional ASP.Net), you want to place Admin.aspx inside a separate folder. The same goes for user pages that require login.
Here is an example -
Main web.config
<system.web>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="~/Login.aspx" defaultUrl="~/Default.aspx" requireSSL="false" protection="All" slidingExpiration="true" path="/" timeout="240" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" />
</authentication>
</system.web>
Users/web.config
Deny anonymous access. In other words, user is required to login before accessing any pages inside User folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Admin/web.config
Deny everyone except users in Administrator role.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*"/>
</authorization>
</system.web>
</configuration>
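The allow/deny rules in the Main, Users and Admin web.config files above are evaluated in order, most specific scope first, and the first rule that matches the caller wins. The Python model below is an added example, not ASP.NET's own code: the Identity and Rule classes and the three config dictionaries are constructed from the fragments in this thread, and MISORDERED_CONFIG shows why an `<allow users="*"/>` placed before `<deny users="?"/>` silently lets anonymous users through.

```python
"""Model of how ASP.NET's UrlAuthorizationModule evaluates <authorization>
rules. Added example (not ASP.NET's code): the merged rule list is the most
specific <location>/folder web.config first, then each parent folder, then
the root web.config, then the implicit machine-level <allow users="*"/>."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Identity:
    name: Optional[str] = None            # None = anonymous, matched by "?"
    roles: List[str] = field(default_factory=list)

@dataclass
class Rule:
    action: str                           # "allow" or "deny"
    users: List[str] = field(default_factory=list)  # "?", "*" or user names
    roles: List[str] = field(default_factory=list)

    def matches(self, who: Identity) -> bool:
        for u in self.users:
            if u == "*" or (u == "?" and who.name is None):
                return True
            if who.name is not None and u.lower() == who.name.lower():
                return True
        mine = {r.lower() for r in who.roles}
        return any(r.lower() in mine for r in self.roles)

# Constructed from the thread's Main/Users/Admin web.config fragments.
# Key "" is the root web.config; other keys are folders or <location path>.
FOLDER_CONFIG: Dict[str, List[Rule]] = {
    "": [],
    "Users": [Rule("deny", users=["?"])],
    "Admin": [Rule("allow", roles=["Administrator"]), Rule("deny", users=["*"])],
}

# The question's layout: deny anonymous at the root, re-allow one page.
PAGE_CONFIG: Dict[str, List[Rule]] = {
    "": [Rule("deny", users=["?"])],
    "Default.aspx": [Rule("allow", users=["?"])],
}

# Rules in the wrong order: the allow matches everybody first, so the
# deny of anonymous users is never reached.
MISORDERED_CONFIG: Dict[str, List[Rule]] = {
    "": [Rule("allow", users=["*"]), Rule("deny", users=["?"])],
}

def effective_rules(request_path: str, config: Dict[str, List[Rule]]) -> List[Rule]:
    """Merged rule list for a request, most specific scope first (case-insensitive)."""
    lookup = {k.lower(): v for k, v in config.items()}
    segments = [s for s in request_path.strip("/").split("/") if s]
    rules: List[Rule] = []
    for depth in range(len(segments), 0, -1):
        rules.extend(lookup.get("/".join(segments[:depth]).lower(), []))
    rules.extend(lookup.get("", []))
    rules.append(Rule("allow", users=["*"]))   # machine.config default
    return rules

def is_authorized(request_path: str, who: Identity, config: Dict[str, List[Rule]]) -> bool:
    for rule in effective_rules(request_path, config):
        if rule.matches(who):
            return rule.action == "allow"
    return True  # not reached: the trailing allow-all always matches
```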
try the following:
Create a folder for example admin and put the Login.aspx there
Set authentication to forms
<authentication mode="Forms">
<forms name="HIVLogin" loginUrl="~/admin/Login.aspx" timeout="20" protection="All"/>
</authentication>
then under system.web
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin" />
<allow users="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
There is no need to write any code to set a page as your default page in ASP.NET. Go to Solution Explorer, right-click on the page you would like to set as default and click on Set As Start Page.
You need to add the following mapping under the <system.web> section.
<urlMappings enabled="true">
<add url="~/" mappedUrl="~/Default.aspx" />
</urlMappings>
This will redirect to default.aspx when you browse the root URL, i.e. www.domain.com or localhost.
Thanks.
I spent about 6 hours debugging the issue. Our website was working fine, and suddenly it started redirecting to login page instead of default page (unauthenticated). Our web.config included all authentication/authorization settings correctly.
<authentication mode="Forms">
<forms name="MyAuth" path="/" loginUrl="login.aspx" protection="All" timeout="30" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<system.webServer>
<defaultDocument>
<files>
<clear />
<add value="default.htm" />
</files>
</defaultDocument>
...
</system.webServer>
<location path="default.htm">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
...
SOLUTION: You need to remove Extensionless URL feature from your website. Ref: https://support.microsoft.com/en-us/help/2526854/users-may-be-redirected-to-the-login-page-of-an-asp-net-4-application
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
</handlers>
<validation validateIntegratedModeConfiguration="false" />
</system.webServer>
After the fix, the website was back to normal.

Making Log In as default page on Visual Studio 2010

I wanted to make my login as the default page before the user accesses the home page. This is my code.
<system.webServer>
<defaultDocument>
<files>
<clear/>
<add value="Login.aspx"/>
</files>
</defaultDocument>
</system.webServer>
Thanks! :)
Just right-click on that page and click on "set as start up page".
What you need to do is first establish the authorization and authentication mechanism. You can use FormsAuthentication and configure the settings in a web.config file. For example, to enable forms authentication you would set the following value in the config file:
<authentication mode="Forms">
<forms
name=".ASPXAUTH"
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="All"
timeout="30"
path="/"
requireSSL="false"
slidingExpiration="true"
cookieless="UseDeviceProfile" domain=""
enableCrossAppRedirects="false">
<credentials passwordFormat="SHA1" />
</forms>
<passport redirectUrl="internal" />
</authentication>
Here you can see that loginUrl is set to login.aspx. This way, if a user is not authenticated, he or she will be redirected to login.aspx.
This is a much better approach than establishing your own logic for redirection to login or setting login.aspx as a start page.

ActiveDirectoryMembershipProvider always redirects to signin page

I'm trying to implement the ActiveDirectoryMembership provider so I can use forms authentication against active directory.
I can browse to the application and be redirected to the signin page. If I enter the incorrect password I get the correct error. If I enter the correct password it redirects me to the default url (/Secure/Default.aspx), but I immediately get redirected back to the signin page. I can see the two redirects because I'm using Fiddler. So I know for sure that it is authenticating against AD correctly, but it is still taking me back to the signin page. I also know that the browser does accept cookies, because I built a test page in the application to prove that. I've included the web.config and relevant code below, I just can't figure out what I am missing...
Edit:
I have found that if I specify UseUri instead of UseCookies, everything starts working. But I have validated that I can store data in a cookie on one page, and retrieve it on another page, so why wouldn't it work for the authentication piece?
Edit 2
I've also removed my code from the signin page and used the standard login control, same problem.
Web.config file:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/FormsAuth"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<!-- Deny unauthenticated users will cause automatic redirect to the sign in page when using forms authentication. -->
<deny users="?"/>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
Signin page:
bool bIsValid = System.Web.Security.Membership.ValidateUser(txtUsername.Text, txtPassword.Text);
//Authenticate the user credentials against the default membership provider specified in configuration
if (bIsValid)
{
System.Web.Security.FormsAuthentication.SetAuthCookie(txtUsername.Text, true);
System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, true);
}
else
{
//display error
....
}
The cookie issue (and likely the login issue) is due to the fact that you are setting the cookie path to be /FormsAuth. That means the cookie is only valid for that URL path and will be discarded otherwise. Also, your <authorization> section can be tweaked a bit as I have adjusted in the following full update of your partial Web.config:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://YNET" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH"
path="/"
loginUrl="~/SignIn.aspx"
defaultUrl="~/Secure/Default.aspx"
timeout="20"
requireSSL="false"
protection="All"
slidingExpiration="true"
cookieless="UseCookies"
enableCrossAppRedirects="false"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<!-- For non AD passthrough authentication, specify the defaultProvider property -->
<membership defaultProvider="ActiveDirectoryMembershipProvider">
<providers>
<clear/>
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider"
connectionStringName="ADConnectionString"
attributeMapUsername="sAMAccountName"/>
</providers>
</membership>
</system.web>
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
If the /Secure folder is truly the only folder you want to protect with the login, then the above works, but if you want to lock everything down except the login page, you simply need <deny users="?" /> in your main <authorization> section.
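The cookie path problem described in this answer, modelled as an added example (not ASP.NET's or the poster's code): path_matches implements the RFC 6265 path-match rule a browser applies before it sends a cookie, and simulate_login_flow is a constructed model of the login-then-redirect sequence the question describes seeing in Fiddler, with the ReturnUrl left unencoded.

```python
"""Why path="/FormsAuth" on <forms> produced a redirect loop: a browser only
returns a cookie for request paths that path-match the cookie's Path
attribute (RFC 6265 section 5.1.4). Added example, not ASP.NET's code; the
login and redirect flow below is a constructed model of the observed hops."""
from typing import Dict, List, Optional


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: paths are identical, or the cookie path is a
    prefix that ends with "/" or is followed by "/" in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class Browser:
    """Minimal cookie jar that honours only the Path attribute."""

    def __init__(self) -> None:
        self.jar: Dict[str, str] = {}   # cookie path -> forms ticket

    def set_cookie(self, cookie_path: str, ticket: str) -> None:
        self.jar[cookie_path] = ticket

    def cookie_for(self, request_path: str) -> Optional[str]:
        for cookie_path, ticket in self.jar.items():
            if path_matches(request_path, cookie_path):
                return ticket
        return None


def simulate_login_flow(cookie_path: str, login_url: str = "/SignIn.aspx",
                        default_url: str = "/Secure/Default.aspx") -> List[str]:
    """Model of the hops after a successful login. SetAuthCookie issues
    .ASPXAUTH with the configured path, RedirectFromLoginPage sends the
    browser to default_url, and a protected request that arrives without
    a ticket is bounced back to the login page (ReturnUrl left unencoded).
    Returns the sequence of URLs the browser visits."""
    browser = Browser()
    browser.set_cookie(cookie_path, "constructed-ticket")      # SetAuthCookie
    visited = [login_url, default_url]                         # RedirectFromLoginPage
    if browser.cookie_for(default_url) is None:
        # No ticket sent, so the user is anonymous and <deny users="?"/> applies.
        visited.append(f"{login_url}?ReturnUrl={default_url}")
    return visited
```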

IIS7 Forms Authentication Doesn't Deny Image Access

I have a basic ASP.NET website set up in IIS7 with forms authentication enabled on the server. Just for grins, I deny everyone:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="Login.aspx" defaultUrl="Test.aspx" protection="All" timeout="30" path="/" requireSSL="false" slidingExpiration="true"/>
</authentication>
<authorization>
<deny users="*"/>
</authorization>
<compilation debug="true"/>
</system.web>
</configuration>
When I visit the default.aspx page, I get dutifully redirected to the Login.aspx page. However, I can browse to a .txt file or .png file on the root of the same site, and it displays it with no challenge.
This is odd, because in the Cassini dev server, access to those files is blocked. This only occurs once I publish to my IIS7 server.
I must be missing something in IIS7, but I can't figure it out for the life of me.
I have the site on its own .NET 4.0 app pool with integrated mode enabled.
Forms Authentication is enabled at the server
On the Edit managed Module popup for the FormsAuthentication module, I tried unchecking the "invoke only for requests...", but that tosses some kind of strange error when I do so (assembly of some sort missing? This is a fresh server install with no frills, so I can't imagine what that's about).
Can anyone point me in the right direction on this?
Thanks!
Droidilate
First of all, you have to use the integrated pipeline, and then add this to your web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="false">
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
</system.webServer>

ccnet webdashboard authentication forms mode how to set it up so its secure

I am sure I am just doing this wrong, but for the life of me I cannot get things to play nicely. I am just starting to install and configure CruiseControl.net on a WS2008 X64 VM. The install seemed to go a little funny as it didn't create an IIS site for the dashboard; I ended up just doing that myself and pointing it at:
C:\Program Files (x86)\CruiseControl.NET\webdashboard
(had to add permissions for iis_iusrs for it to deal with config files, not sure how good that actually is).
Anyway, so I can view the web dashboard now and get into the admin section etc. Ultimately I want this site to be accessible online for ease of use by the team so it needs to be locked down and secure. So to that end I put the following sections on the web.config:
<authentication mode="Forms">
<forms name="appNameAuth" path="/" loginUrl="server/local/SimpleUserLogin.aspx" protection="All" timeout="30">
<credentials passwordFormat="Clear">
<user name="jon" password="test" />
<user name="mike" password="test" />
</credentials>
</forms>
</authentication>
If I put the following section in I can get to the login screen but will always be sent back to it even after I login and can never see any other pages:
<authorization>
<deny users="?" />
</authorization>
I also have this outside of the system.web section:
<location path="server/local/SimpleUserLogin.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
My goal is to direct all non-logged-in users to the login page and nowhere else; once logged in they can view any page. Am I being a blonker here?
Thanks
OK, so I found out I was going about this all wrong. As I am using 1.5 there is a new feature for security:
http://confluence.public.thoughtworks.org/display/CCNET/Configuring+the+Server
The link above shows all the settings with some example configs. Basically I put the following in the ccnet.config:
<internalSecurity>
<users>
<!-- Authenticated users -->
<passwordUser name="bob" display="Bob (Team Lead)" password="bob1"/>
<passwordUser name="jane" display="Jane (BA)" password="jane2"/>
<passwordUser name="john" display="John (QA)" password="john3"/>
<passwordUser name="joe" display="Joe (QA)" password="joe4"/>
<!-- Generic role -->
<simpleUser name="*"/>
</users>
<permissions>
<!-- Roles -->
<rolePermission name="Testers" forceBuild="Allow" defaultRight="Deny">
<users>
<userName name="john"/>
<userName name="joe"/>
</users>
</rolePermission>
<rolePermission name="Releasers" forceBuild="Allow" defaultRight="Deny">
<users>
<userName name="bob"/>
<userName name="jane"/>
</users>
</rolePermission>
</permissions>
This worked great with a bit of tweaking. Hope it can help someone else.
Have found link to security documentation:
http://ccnetlive.thoughtworks.com/ccnet/doc/CCNET/Security.html
