I am using
<authentication mode="Forms">
  <forms loginUrl="login.aspx"
         name=".ASPXFORMSAUTH" />
</authentication>
Everything works fine, except that there are some pages like About Us, Contact Us, Privacy Policy, etc., which do not need a login to view them.
In my case I need to log in to view all pages. I want these common pages to be viewable without having to log on.
I have tested my application on local IIS as well as on deployment server, but same problem occurs.
Please help!
Thanks for sharing your valuable time.
You need to create exceptions to your security policy:
<!-- files in the "Public" folder don't require authorization -->
<location path="Public">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Alternately, you can make page-specific exceptions:
<location path="AboutUs.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Apparently you want some pages to be available without logging in. The way to go about this is to set permissions on subdirectories instead of the website root, and put these pages in the web root (usually they are in the root).
If that's too much work, put your pages in a directory and allow anonymous users to access it.
There could be a large number of possible answers to such an open question. We will need more specifics to answer. Here are just a few places to look:
Have you checked your web.config file to see if anonymous authentication is off?
Have you checked the web.config to see if you are denying anonymous users access to your root directory?
Have you checked IIS to see if anonymous authentication is off?
Have you checked the pages' source code files to see if you are doing manual denial of service to anonymous users?
I am quite new to ASP.NET technologies
<configuration>
  <system.web>
    <authorization>
      <allow roles="Agency,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
I have the above web.config for a folder. There is a requirement to give an elevated privilege to some users in the Agency role to access a page called AddOrganisation.aspx.
To solve this, I think I can add the following markup to the web.config but this will be static
<location path="AddOrganization.aspx">
  <system.web>
    <authorization>
      <allow users="wale, etc, etc"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
How can I enable adding users programmatically instead of updating the web.config for each change?
I will be grateful for your responses. Thank you
You should not make changes to the web.config at runtime; this will restart your application every time you add a user. MSDN says this:
Configuration Changes Cause a Restart of the Application Domain
Changes to configuration settings in Web.config files indirectly cause
the application domain to restart. This behavior occurs by design. You
can optionally use the configSource attribute to reference external
configuration files that do not cause a restart when a change is made.
For more information, see configSource in General Attributes Inherited
by Section Elements.
Instead you should give those users a different role, so that only those users can access the "AddOrganisation.aspx" page.
Or else you can also do another thing if you don't want to create another role for these users. You can keep adding these users to a table, and whenever a request is made to the page you can check whether the user's name is present in the table and then allow or deny the user.
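The role-based option from the answer above, written out as an added example (not part of the original posts). The role name "OrganisationEditor" is hypothetical, the page name is spelled as in the question text, and the example assumes the application's role provider is already configured, since the question's config already authorizes by role.

```xml
<configuration>
  <!-- Folder-level rule from the question: Agency and Admin may enter the folder. -->
  <system.web>
    <authorization>
      <allow roles="Agency,Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>

  <location path="AddOrganisation.aspx">
    <system.web>
      <authorization>
        <!-- Rules in a <location> are checked before the folder rules above,
             and the first matching rule wins. A user who is in Agency but not
             in OrganisationEditor therefore matches the deny below and never
             reaches the folder-level allow. -->
        <allow roles="OrganisationEditor"/>
        <!-- The same applies to Admin: add it to the allow above if
             administrators must keep access to this page. -->
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Membership of the role is then changed in the role store at runtime (for example with `Roles.AddUserToRole`), so web.config stays untouched and the application domain is not restarted.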
I have a directory in the root of my website which contains some files (usually HTML). These files should be accessible only to logged-in users. How can I achieve this? I believe this could be done using impersonation, but I don't have any idea how exactly I can implement it. Could you please guide me in the right direction?
Currently, I have added these settings to my Web.config file:
<location path="TestData"> <!-- 'TestData' is the directory which I want to deny access for -->
  <system.web>
    <identity impersonate="true"/>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
Is there anything that I have to do in coding?
PS: This is a webservice application.
Update: It works partially!!! to be specific:
It denies only the .aspx pages and even the logged-in user too cannot access the files.
I'm using Windows authentication.
You don't need to impersonate. If you have forms or windows authentication, your <deny users="?"/> will deny all anonymous users. To answer your question: no, you don't have to explicitly deny any users within your code.
How to: Implement Simple Forms Authentication
In order to secure non-ASP.NET files, you will need to register an HttpHandler that will do this. Please see this reference on how to register the handler.
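An alternative to registering a handler, shown as an added example that is not from the original answer: on IIS 7 and later the native URL Authorization module evaluates rules for every file type, so the rule for the question's TestData directory can live under system.webServer. It assumes the URL Authorization role service is installed and that Windows authentication is enabled for the site.

```xml
<configuration>
  <!-- 'TestData' is the directory named in the question. -->
  <location path="TestData">
    <system.webServer>
      <security>
        <!-- IIS native URL authorization. Unlike system.web/authorization,
             it is applied to static files (.html, .txt) as well as to
             .aspx requests. -->
        <authorization>
          <!-- "?" is the anonymous user. Deny rules are evaluated before
               allow rules in this section, whatever their order, so the
               inherited default rule (Allow users="*") still admits every
               authenticated user. -->
          <add accessType="Deny" users="?" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

No impersonation setting is involved: the rule is checked against the authenticated request identity, not the identity the worker process runs as.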
You don't need to impersonate. Impersonate is for making the app run as a different user from the user of the app pool in IIS. source
If you're using forms/windows authentication then
<authorization>
  <deny users="?"/>
</authorization>
should be enough and will block users who are not logged in.
You need to add
<authorization>
  <deny users="?"/>
</authorization>
in <system.web></system.web>
And use form authentication like
[Update] : As you use windows authentication see
MSDN
I have a simple question:
How to disable a folder with aspx pages in ASP.NET?
The folder is "Administration" and I want to disable it so that it cannot be called in the browser by typing .../Administration/edit.aspx, or simply to redirect to a login page if we want to go to the administration part.
First enable forms based authentication. This can be done for VB and C#.
Next you have to specify who will have access to what. This can be done in the web.config.
Apologies if these articles are a little out of date.
Use a locations element and config settings to restrict access to folders.
<location path="Administration">
  <system.web>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Change the NTFS security permissions on the Administration Folder for
<drive>:\inetpub\wwwroot\...\Administration
and restrict access via that way.
You can also right click go to properties in IIS for the folder and remove various granular browsing permissions.
You can also edit the web.config and change permissions there.
Many thanks in advance. When running the ASP.NET Development Server, everything is working fine. However, when I deploy my asp.net application to the production server (IIS 7.0 integrated mode, fresh install), my location tags in my web.config file are being ignored.
Case in point: I'm using forms authentication, and when the user arrives at my login.aspx page, the external css & js files are not being loaded...even though I have specified that those files should be available to all users (auth'd or not). However, once the user is logged in, the files do in fact load.
<authentication mode="Forms">
  <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<authorization>
  <deny users="?" /> <!-- Restrict anonymous user access -->
</authorization>
And the exception to my css file...
<location path="Styles/xtools.css">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
I've verified that the path to the css file is accurate. Any suggestions?
Thanks, --Dan
--EDIT
Forgot to mention, I have tried creating a web.config file in the targeted folder as well...still not working.
Just got it. It wasn't enough to give IIS_IUSRS permissions on the folders containing the app ...I needed to give IUSR permissions, as well.
Problem solved. Thanks, ben f!
I have an ASP.NET web site. I want to restrict all users from accessing a folder named "log", and I have this element in web.config:
<location path="log">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
and this element before it in system.web:
<authorization>
  <allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
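The Request Filtering option mentioned above, as an added example that is not part of the original answer. It goes in the site's root web.config and assumes the Request Filtering feature is available on the server; "log" is the folder name from the question.

```xml
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <!-- IIS rejects any request whose URL contains a path segment
               named "log" with HTTP 404.8. The check runs in IIS itself,
               before a handler is chosen, so it covers log.txt and every
               other file type, not only the ones ASP.NET handles. -->
          <add segment="log" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

The segment is matched anywhere in the URL path, so a nested folder with the same name is hidden as well. The application can still write to the folder on disk, because the filter only applies to incoming HTTP requests.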
To avoid this confusion, I usually create one web.config file in each directory where I need to set different permissions.
If you place a web.config file inside your log folder it will work OK (and it will become easier to check the applied permissions on the folder).
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single authentication mode for one application.
The different applications CANNOT share resource among them.
Scenario
Let's say the home page should not prompt a login dialog. It should let users pass through without any login. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default, IE treats all web sites with only a hostname as Intranet. By its default intranet setting, it will not prompt the login dialog and will pass the user login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.
The only way not to prompt the login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to override the parent authorization in a location element in web.config.
1. In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2. Add the following to Web.config.
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>