Does anyone know of a good link to explain how to use the web.config......
For example, I am using forms authentication... and I notice there is a system.web and then it closed /system.web and then below configuration there are additional location tags
Here is an example. If you notice, there is an authentication mode=forms with authorization; I presume this is the ROOT....... It is also self contained within a system.web .... Below this there are more location= with system.web tags....
I have never really understood what I am actually doing.. I have tried checking the MSDN documentation but still I don't fully understand....
Can anyone help?
If you notice with my example.... everything is stored in 1 web.config... I thought the standard was to create a standard web.config and then create another web.config in the directory where I wish to protect it..???
<configuration>
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0" />
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" cookieless="UseCookies" timeout="60"/>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="Forms">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Forms/Seguridad">
<system.web>
<authorization>
<allow roles="Administrador"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Standard entries (web.config is extensible) are well documented therein.
http://msdn.microsoft.com/en-us/library/aa719558.aspx
is a good start.
It is - as should be obvious - XML based, btw.
You can place following web.config file in Forms/Seguridad:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
My web application uses forms authentication mode.
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" protection="All" path="/" timeout="60" slidingExpiration="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
There is a folder in my web application, named "Documentos", that has a lot of PDF files.
My program allows the user to load a PDF file using its URL address:
http://MyHost/MyWebApp/Documentos/1.pdf
However, I need to restrict that functionality only to authenticated users.
For that, I put in my web.config:
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But it doesn't make any difference. Anyone can still load any PDF file in folder Documentos doing:
http://MyHost/MyWebApp/Documentos/1.pdf
Can I accomplish what I'm looking for or should I approach it in a different way?
EDIT
Win's solution and Richard's solution are correct. This is the way to put those settings in web.config:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<location path="Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
You have two options -
Option 1
Use ~/ if your web application is not root level.
<location path="~/Documentos">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Option 2
Create a web.config with following content, and place it inside Documentos folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
The problem is that by default, the auth section only applies to requests that go through the pipeline, not to static files. To do what you want, add the following attribute to your modules section:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
...
I have a web.config file, which I want to transform using SlowCheetah. The relevant fragment looks like this:
<configuration>
<location path="ui/cms">
<system.web>
<authorization>
<allow roles="AAA" />
</authorization>
</system.web>
</location>
<location path="WebServices">
<system.web>
<authorization>
<allow roles="BBB" />
</authorization>
</system.web>
</location>
</configuration>
I want to transform value BBB to CCC, so I wrote my Web.CCC.config transformation file:
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices">
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Unfortunately, it results in CCC being inserted into <location path="ui/cms"> instead of <location path="WebServices"> - probably because it is the first one it locates in my web.config file.
How can I make SlowCheetah notice the different path parameter, and replace the correct node in my xml file?
As it turns out, this can be obtained using xdt:Locator in a transformation file.
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<location path="WebServices" xdt:Locator="Match(path)">
<system.web>
<authorization>
<allow roles="CCC" xdt:Transform="Replace" />
</authorization>
</system.web>
</location>
</configuration>
Hope it helps anyone. Rubber duck debugging seems to work even with SO.
I have a test site on the web that I want to block all anonymous access to except logged in users. I also want to have anonymous access to just my login page (account/login)
I don't know how to exclude one path but even the below does not work, forgetting about the path.
<location path="">
<system.web>
<authorization>
<deny users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
Ideally, the following web.config setting should work. Make sure you update the two Login.aspx entries with your login page.
It basically does not allow anonymous access except to the login page.
<configuration>
<system.web>
...
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
<allow users="*" />
</authorization>
</system.web>
<location path="~/Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
When I use:
<deny users="?"/>
in the "authorization" tags, CSS stops working for unauthorized visitors. How can I define an exception for CSS files? I want them to apply to all visitors.
This is my web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
</configuration>
I edited my web.config to this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
<roleManager enabled="true"/>
<authentication mode="Forms">
<forms loginUrl="welcome.aspx" defaultUrl="Default.aspx"/>
</authentication>
<compilation debug="true" targetFramework="4.0"/>
</system.web>
<location path="styles">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="styles/welcome.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
And it's working.
Thank you.
Add the location of your CSS to your web.config. You can put it completely at the end, just before the </configuration>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Of course, change "css" to the real folder of your css file... It is the easiest to put it in a separate folder where all items are public. Just like your images etc.
You are probably blocking access to the folder where you store css files.
Try to allow everybody to access your css-folder even if they are not authorized.
You can use the Location element to define which part of your site the configuration applies to:
(from MSDN)
<location allowOverride="True|False" path="path" />
Heey Stackoverflowers
My question is: how do I protect a Page using web.config or Global.asax?
Example:
Direct url www.Yoururlhere.com/Account/Edit.aspx is currently accessible from the URL bar, but that is not what I want. I have a login page already with database etc. working, only it's missing the protection to remove direct access or by Login.
Can you help me? My second web.config for Folder Account is as follows:
<?xml version="1.0"?>
<configuration>
<system.web>
<location path="Edit.aspx"/>
</system.web>
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
You are writing in the wrong way. It should be like...
<configuration>
<location path="Account/Edit.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
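Added example (not part of the original posts, and not ASP.NET's own code): a simplified Python model of URL authorization rule selection for auditing configs like the ones in these threads. Rules are taken from the most specific scope first and the first match decides, with a machine-level default of allow users="*", so the order of allow and deny inside one authorization block changes the outcome. The sample config and the names rules_for and is_allowed are constructed for illustration; the verbs attribute, child web.config files, case-insensitive paths and IIS static-file handling are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample combining rule shapes from the threads above.
SAMPLE = """<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="Account/Edit.aspx">
    <system.web>
      <authorization><allow users="*"/><deny users="?"/></authorization>
    </system.web>
  </location>
  <location path="Forms/Seguridad">
    <system.web>
      <authorization><allow roles="Administrador"/><deny users="*"/></authorization>
    </system.web>
  </location>
</configuration>"""
ROOT = ET.fromstring(SAMPLE)

def rules_for(root, url_path):
    """Rules in evaluation order: matching <location> blocks (longest path first), then root."""
    scopes = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/")
        if p and (url_path == p or url_path.startswith(p + "/")):
            scopes.append((len(p), loc))
    scopes.sort(key=lambda s: -s[0])
    rules = []
    for node in [loc for _, loc in scopes] + [root]:
        auth = node.find("system.web/authorization")
        if auth is not None:
            rules.extend(auth)  # child <allow>/<deny> elements, in document order
    return rules

def is_allowed(root, url_path, user=None, roles=()):
    """First matching rule decides; user=None models an anonymous request."""
    for rule in rules_for(root, url_path):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        wanted = [r.strip() for r in rule.get("roles", "").split(",")]
        hit = ("*" in users or (user is None and "?" in users)
               or (user is not None and user in users)
               or any(r in roles for r in wanted))
        if hit:
            return rule.tag == "allow"
    return True  # fall-through: machine-level default <allow users="*"/>

for path in ("Default.aspx", "Account/Edit.aspx", "Forms/Seguridad/x.aspx"):
    print(path, "-> anonymous allowed:", is_allowed(ROOT, path))
```

In the sample, the location block that lists allow users="*" before deny users="?" is reported as open to anonymous requests, while the root scope and the role-restricted folder are not.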