Asp.Net FormAuth Dynamic LoginUrl - asp.net

How can I change loginurl using Forms Auth?
I am using web.config to configure all permissions.
In the root web.config, I set the login URL. Now I need to change the loginUrl for a subfolder, but ASP.NET gives me an error if I try to reconfigure it in the inner web.config.

The only way to get this to work (to my knowledge) would be to configure the subfolder as a virtual/application directory, which will allow you to place another web.config in that directory.

Related

Nesting web applications in IIS and web.config issue

Current installation
I have two web applications, app_A and app_B (the same app as app_A, but for test purposes), under the IIS default website. A domain www.mydomain.com that points to the server needs to access app_A. That can be done by changing the physical path from \inetpub\wwwroot\ to \inetpub\wwwroot\app_A.
The second application should be accessed under www.mydomain.com/app_B/
Problem
When accessing www.mydomain.com/app_B/, because it's now a sub-directory of app_A, it sees the web.config from app_A and I get errors like "duplicate entries in web.config" when accessing the www.mydomain.com/app_B/ application. I can eliminate the errors by using the <remove> tag to first remove and then declare the entries again in app_B's web.config.
Questions
Is there any other way to set up the installation so that app_A would be accessed from www.mydomain.com/ and app_B from www.mydomain.com/app_B without messing with the web.config files as described above?
For the current installation, is there a way to set something in IIS so that app_B does not see the web.config from app_A at all, even though it is a subdirectory?
For the current installation, do you see any real problems (possibly on security) by using the remove tag for the app_B application?
For the current installation I observe a strange behaviour. If I log in to app_A and app_B and log out from app_A, it also logs out from app_B (not always). I am using Active Directory for authentication. Do I need to change something in app_B's web.config in order to say that it's a totally different application?
I know this is an old question and you might have found out the solution. I am replying in case you need an answer.
There are two ways to avoid merging the parent’s config file and the child’s config file. Either you can add the inheritInChildApplications="false" tag in the parent’s config file. For example:
<location path="." inheritInChildApplications="false">
  <connectionStrings>
  </connectionStrings>
</location>
Or you can add a "Remove" or "Clear" tag in the child’s config file to clear the parent’s settings.
Also, I don’t see any security threats by clearing the parent’s settings.
By any chance are you using the same cookie name in authentication for the parent and child applications? If this is the case, once you log in to the child application, the cookie generated by the parent application will be overridden. Try specifying the name of the cookie for at least one of the applications.
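The two points in this answer, together with the loginUrl question at the top of the page (where the subfolder has to become its own application), fit into one pair of files. This is an added example, not code from the original posts; it assumes both applications use Forms authentication over HTTPS and that app_B is configured in IIS as its own application, and the cookie names and login paths are constructed for illustration.

```xml
<!-- Added example (not from the original posts). Two separate files are
     shown one after the other. Cookie names and login paths are constructed. -->

<!-- ===== web.config of the site root application (app_A) ===== -->
<configuration>
  <!-- Settings wrapped in this <location> apply to app_A only. Child
       applications such as /app_B do not inherit them, so app_B needs no
       <remove>/<clear> entries for these sections. -->
  <location path="." inheritInChildApplications="false">
    <system.web>
      <authentication mode="Forms">
        <forms name=".APP_A_AUTH" loginUrl="~/Account/Login.aspx"
               path="/" requireSSL="true" timeout="30" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

<!-- ===== web.config of the child application (/app_B) ===== -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- A distinct name means app_A's sign-out (which expires the cookie
           named in app_A's own config) leaves this cookie alone.
           path="/app_B" stops the browser sending this cookie to app_A. -->
      <forms name=".APP_B_AUTH" loginUrl="~/Login.aspx"
             path="/app_B" requireSSL="true" timeout="30" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

Browsers match cookie paths case-sensitively, so links into the child application should use the same casing as the `path` attribute.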

How to configure Custom Http Module at Directory level?

I created a custom http module and want to add this module to the web config. The web application is a project that contains several "sub applications". A sub application is just a folder, and within that folder it has its own web.config. I'm doing this so each application has its own application related contents.
Now I created a custom http module. When adding this to the root web.config, the module is working properly. When adding the http module config to the directory-level web.config (e.g. /Applications/MyApplication/web.config) the module is not initialized anymore.
This is the root config which is working fine.
<httpModules>
  <add name="MyFirstHttpModule" type="CustomModule.CustomModule,CustomModule" />
</httpModules>
Kindly help
ASP.NET configuration already supports configuration inheritance. You just have to add a new web.config in the specified folder.
An ASP.NET website's Web.config is part of an inheritance chain. Your website's subfolders can have their own Web.config. This allows for setting general settings at the site level and overriding them when necessary. Any settings in the base Web.config that aren't overridden in the subfolder stay in effect, so the "child" Web.config can be pretty small. You can continue to nest them, so sub-sub-subfolders can get their own Web.config if needed.
A good example is the Web.config file in an ASP.NET MVC application's View folder, which does things like preventing direct viewing of the View templates.
You can read more here.
If a request is received for a file in the SubDir1 directory that does
not exist, ASP.NET begins to search the configuration hierarchy,
starting at the most local Web.config file (which is located in the
current directory, if it exists, or a parent directory). ASP.NET is
searching for an error Element for customErrors (ASP.NET Settings
Schema) element where the statusCode attribute equals "404". Once
ASP.NET finds the configuration setting for the 404 error, the URL in
the redirect attribute is returned as the response.

Machine level authentication

When I submit a form to other page in my ASP.NET site, it asks for windows authentication. How do I remove this?
There are two ways to set up windows authentication. One is in IIS and one is in web.config. So basically you need to check that there is no <authentication mode="windows"> tag in your main web.config or in a web.config in the specific folder where the aspx page in question is located. Furthermore you also need to go to the IIS manager (inetmgr) and make sure that windows authentication is not enabled in the folder in question.

Restricting public access to a file on an ASP.NET site

Trying to prevent access to a specific file, not any files with a certain extension, just one specific file.
The issue is that the end user can just type: /filename.xml into their browser and can see the contents of this file; I'd rather they not be able to see this.
Things I have tried:
1) Putting the file elsewhere
I have a "secure" folder as part of my hosting account. So I figured I'd just change the path to: "..\..\..\SSL\FileName.xml" and move the file there. ASP.NET crashes on this one with the error:
Cannot use a leading .. to exit above the top directory
So I presume that's in place for security purposes.
2) Location in web.config
So next I tried to use this in the web.config:
<location path="FileName.xml">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
This doesn't seem to do anything.... anyone know why? I'm not specifically using ASP.NET authentication in this app, is that why this doesn't work?
3) Using IIS to prevent access
Alas, I do not have access to IIS as I have a terrifically lame hosting account.
So does anyone know what i'm doing wrong with the above attempts or have any alternative solutions I can try?
kthxbye!
Can you add the ASP.Net folder "App_Data" to your application, and put the xml file in there? This folder is specifically meant to hold this type of data and hide it from browsers/users, but keep it within your application scope.
As to why the authorization directive in your web.config file is not working, it's because the ".xml" file extension is not handled by the ASP.Net pipeline. You would need to configure your IIS to send all requests for xml files through the ASP.Net request handlers in order to apply that security directive to it.
IIS doesn't handle xml files (it just posts them to the requester) and thus security does not work. Surprisingly, on the Mono platform it would work... anyway, you can use these workarounds:
1) Store the file in a really secure folder and access it using an aspx page (file name as parameter)
2) Store the file in the db and the rest like in 1
3) Store the file wherever in your hosting account folders and give it a GUID name, then store the GUID and real file name connection in the DB and handle the file download through an aspx page.
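On IIS 7 or later, the single file can often be blocked from web.config alone, because request filtering runs inside IIS before any handler is chosen. This is an added example, not from the original posts; it assumes IIS 7+ and a host that has not locked the requestFiltering section, and it reuses FileName.xml from the question.

```xml
<!-- Added example (not from the original posts). Assumes IIS 7+ and that the
     host allows the requestFiltering section to be set in web.config. -->
<configuration>

  <!-- The rule from the question. It is enforced by ASP.NET's
       UrlAuthorizationModule, so it only takes effect for requests that are
       routed through the ASP.NET pipeline. By default a static .xml file is
       served by IIS itself and this rule is never consulted. -->
  <location path="FileName.xml">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <security>
      <requestFiltering>
        <!-- IIS rejects any URL that contains this path segment with
             HTTP 404.8. This is the same mechanism that hides App_Data
             and bin. Server-side code can still read the file from disk. -->
        <hiddenSegments>
          <add segment="FileName.xml" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>

</configuration>
```

The segment match applies in every folder of the application, so any other file with the same name is hidden as well.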

why authentication mode="Forms" in subfolder is not supporting?

In our project we have many folders. I have to authenticate my folder separately, without the help of the root web.config, because the web.config is always updated by person X. I need all my control in a separate folder.
When I try changing the "authentication mode" in the root web.config, it works, but it does not work in my subfolder's web.config.
My question is: can web.config permissions be associated with a particular folder, without the help of the root config? If not, why is it not possible? (Looking for the theory.)
You can override the root web.config by putting a new web.config under your own subdirectory, or by defining a <location> element in the root web.config.
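Which settings a plain subfolder may override depends on the section: `<authentication>` is only allowed at application level, while `<authorization>` can be set per folder. This is an added example, not from the original posts; the folder name Reports, the login path and the role name are hypothetical, and it assumes roles are populated for signed-in users.

```xml
<!-- Added example (not from the original posts). Two separate files are
     shown one after the other. "Reports", the login path and the role name
     are hypothetical. -->

<!-- ===== root web.config: the only place <authentication> may appear ===== -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- ===== Reports\web.config: maintained by the folder's owner ===== -->
<configuration>
  <system.web>
    <!-- No <authentication> element here. That section is defined with
         allowDefinition="MachineToApplication", so declaring it below the
         application root raises a configuration error. -->
    <authorization>
      <!-- Rules are evaluated top-down and the first match wins. -->
      <allow roles="ReportUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Unauthenticated requests to the folder are sent to the loginUrl configured at the root; the folder's own file only decides who is let in afterwards.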
