I am building an ASP.NET 3.5 Web Application and I am NOT using the membership provider for security. In the application I have a role named Admin and all the files for this role are inside the Security folder in the project. Currently for all the pages inside the Security folder I am checking to see if the logged in user's role is Admin or not. This to me seems very redundant; can I do something like "if the user is requesting a page inside the Security folder then check his role"? Is this possible?
You can place a separate web.config file in the Security folder that will deny access to every request to that folder if the user isn't in the Admin role.
Here's a quick walkthrough.
It would basically look like this:
<location path="Security">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Related
I am working on ASP.NET web application hosted on IIS 7.
I have to provide access to only authenticated users to a particular list of pdf kept in a folder "PdfFiles" in root directory.
I was trying the configuration settings below in web.config, but it did not work; with this setting the folder is still accessible to all users. I have forms authentication enabled for this site.
<location path="PdfFiles">
<system.web>
<authorization>
<deny users="?" />
<allow users="*"/>
</authorization>
</system.web>
</location>
Also I noticed that anonymous authentication was enabled for the "PdfFiles" folder in IIS. If I disable this, it does not allow any user, authenticated or anonymous, to access the pdfs.
So neither the configuration change nor the IIS change worked. Can anyone help me out on this issue?
I am trying to limit folder access to allow only users with the admin role access using the following Web.config file:
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
This file is located under the sub-directory "Views/Admin/". I have another file located under "Views/Admin/Main/" that only the admin should have access to (based on the above rules), however all test cases allow any anonymous user to access the file. I am currently only working with localhost, in case that makes a difference.
The problem is that any users are being granted access to these files. Are there any extra steps that must be taken in order for the Web.config file to be recognized?
I currently access the page through an "Admin" button, and this wrongly allows any user to access the admin page (Note that I also have code here that hides this admin button when the user is not an admin that seems to work):
<li>@Html.ActionLink("Admin", "Admin", "Admin")</li>
Using the following Web.config file still allows users access to the web page which makes me think there is simply an extra step that I missed along the way (Note that not even the admin should be able to access the page with these rules):
<configuration>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Any idea what I'm doing wrong?
Why aren't you using the [Authorize] attributes in your controllers, using the built-in ASP.Net identity mechanisms?
https://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
Or did I completely misunderstand the question?
I have created some web forms and I need to check whether the user is authenticated or not before displaying the other web forms. All users can access the Default.aspx and About.aspx pages.
And I have three types of users, namely Admin, User and Super User. Also, I keep the authentication details in my own SQL Server db.
How can I do this?
Thanks in advance!
First establish a membership and role provider. There is a whole story about it; I will give some help here.
Here is link to SqlMembershipProvider (one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx
Here is a link to SqlRoleProvider (again only one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
After you have established this you can limit user/role access at folder level. Put this code in web.config (inside the configuration tag):
<location path="AdminPages">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="UserPages">
<system.web>
<authorization>
<allow roles="Administrator,User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Here is a little explanation. Root folder "AdminPages" will be allowed only to users in the role "Administrator". Root folder "UserPages" to users in the roles "Administrator" and "User". In both cases unknown users will not be allowed to access the folders. This is all you need. An alternative to this is to create a class that inherits from Page and then handle page access there; however, I would not go that way.
When managing access rules in the login module. Is there an explicit deny all at the end?
Let's say I have two roles: Administrator and Member
Administrators are allowed into the folder iPhone and Members are allowed in the folder Blackberry
I manage my rules and get the following code in each web.config:
iPhone/web.config:
<system.web>
<authorization>
<allow roles="Administrator" />
</authorization>
</system.web>
Blackberry/web.config:
<system.web>
<authorization>
<allow roles="Member" />
</authorization>
</system.web>
But can Administrators access the Blackberry folder and Members the iPhone folder? Or do I need to add a rule saying deny roles="Administrator" in the Blackberry folder and deny roles="Member" in the iPhone folder?
Thanks!!
I take it you mean using an ASP.net application...
Add in a:
<deny users="*" />
after your authorized users.
I think you should also be using user rather than role
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
When you create a new web application, all web.config settings (global, site and local) are merged together to form the configuration that's really in effect for this application. By default a local web.config does not contain an authorization section but inherits the one defined globally. So you always end up with an <allow users="*"/> entry.
http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
I have an asp.net web site, I want restrict all users to access a folder named "log" and I have this element in web.config:
<location path="log">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
and this element before it in system.web:
<authorization>
<allow users="*"/>
</authorization>
but still I have access to this url: http://www.mydomain.com/log/log.txt
Any ideas?
Thanks.
.txt files are not handled by ASP.NET by default. You'll have to block access to the folder from within IIS.
If you're using IIS 7 you can use Request Filtering to achieve this.
To avoid this confusion I usually create a web.config file in each directory where I need to set different permissions.
If you place a web.config file inside your log folder it will work ok (and it becomes easier to check the permissions applied to the folder).
Example:
<?xml version="1.0"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
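As an added example (not code from this thread or from any of the posters), here is a small Python model of how ASP.NET's UrlAuthorizationModule evaluates the `<authorization>` rules discussed in the posts above: first match wins in document order, the most specific `<location path>` is consulted first, then each parent, then the inherited machine default `<allow users="*"/>` (which is why the iPhone/Blackberry folders without a `deny` still admit everyone). It also models the caveat from the "log" question: in IIS classic mode the module only runs for extensions mapped to ASP.NET, so a .txt or .pdf never reaches the rules. The sample web.config, user names, roles and extension list are constructed for illustration; real ASP.NET also filters on HTTP verbs, which this model omits.

```python
"""Added example (not from the thread): a model of ASP.NET <authorization> evaluation.
Rules are first-match-wins in document order; the effective list for a request is the
most specific <location path> first, then parents, then the machine default allow *."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    users: set = field(default_factory=set)  # "*" everyone, "?" anonymous, or user names
    roles: set = field(default_factory=set)

@dataclass
class Principal:
    name: Optional[str]                      # None models an anonymous request
    roles: set = field(default_factory=set)

def _split(value):
    return {x.strip().lower() for x in value.split(",") if x.strip()}

def _auth(parent):
    """Return the <authorization> element under parent/system.web, if any."""
    sw = next((c for c in parent if c.tag == "system.web"), None)
    return None if sw is None else next((c for c in sw if c.tag == "authorization"), None)

def parse_rules(auth_el):
    """<allow>/<deny> children in document order, the order ASP.NET evaluates them."""
    return [Rule(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")))
            for el in auth_el if el.tag in ("allow", "deny")]

def parse_web_config(xml_text):
    """Return {path: rules}; '' is the site root, other keys come from <location path>."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                   # drop a declared xmlns so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = _auth(root)
    configs = {"": parse_rules(auth) if auth is not None else []}
    for loc in root.findall("location"):
        auth = _auth(loc)
        if auth is not None:
            configs[loc.get("path", "").strip("/").lower()] = parse_rules(auth)
    return configs

MACHINE_DEFAULT = [Rule("allow", {"*"})]     # inherited from machine.config / root web.config

def effective_rules(configs, request_path):
    """Deepest matching <location> first, then parents, the site root, the machine default."""
    parts = request_path.strip("/").lower().split("/")
    chain = []
    for i in range(len(parts), 0, -1):       # "a/b/c.aspx" -> "a/b/c.aspx", "a/b", "a"
        chain.extend(configs.get("/".join(parts[:i]), []))
    return chain + configs.get("", []) + MACHINE_DEFAULT

def _matches(rule, p):
    if "*" in rule.users or ("?" in rule.users and p.name is None):
        return True
    if p.name is not None and p.name.lower() in rule.users:
        return True
    return bool(rule.roles & {r.lower() for r in p.roles})

def url_authorized(configs, request_path, p):
    """First matching rule decides; the machine default guarantees there is one."""
    for rule in effective_rules(configs, request_path):
        if _matches(rule, p):
            return rule.action == "allow"
    return True

MANAGED_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".axd"}   # assumed subset of classic-mode mappings

def request_allowed(configs, request_path, p, module_runs_for_all_requests=False):
    """The 'log' caveat: unless IIS runs the managed UrlAuthorization module for every
    request (integrated mode with runAllManagedModulesForAllRequests, or the module's
    managedHandler precondition removed), a static file never reaches <authorization>."""
    filename = request_path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not module_runs_for_all_requests and ext not in MANAGED_EXTENSIONS:
        return True                          # served by IIS; only NTFS ACLs / Request Filtering apply
    return url_authorized(configs, request_path, p)

# Constructed web.config mirroring the folders discussed in the thread (not a real site's file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web><authorization><allow users="*" /></authorization></system.web>
  <location path="Security"><system.web><authorization>
    <allow roles="Admin" /><deny users="*" /></authorization></system.web></location>
  <location path="iPhone"><system.web><authorization>
    <allow roles="Administrator" /></authorization></system.web></location>
  <location path="PdfFiles"><system.web><authorization>
    <deny users="?" /><allow users="*" /></authorization></system.web></location>
  <location path="log"><system.web><authorization>
    <deny users="*" /></authorization></system.web></location>
</configuration>"""

def demo():
    cfg = parse_web_config(SAMPLE_WEB_CONFIG)
    anon, admin, member = Principal(None), Principal("alice", {"Admin"}), Principal("bob", {"Member"})
    return {
        "admin_security": url_authorized(cfg, "/Security/Users.aspx", admin),      # True
        "member_security": url_authorized(cfg, "/Security/Users.aspx", member),    # False: deny *
        "member_iphone": url_authorized(cfg, "/iPhone/Default.aspx", member),      # True: no deny, inherits allow *
        "anon_pdf_rules": url_authorized(cfg, "/PdfFiles/a.pdf", anon),            # False: deny ? matches first
        "anon_pdf_classic": request_allowed(cfg, "/PdfFiles/a.pdf", anon),         # True: module never ran
        "anon_log_all_requests": request_allowed(cfg, "/log/log.txt", anon, True)  # False
    }
```

The `member_iphone` entry is the answer to the iPhone/Blackberry question: without a trailing `<deny users="*"/>` the folder's own rules fall through to the inherited `allow users="*"`. The two `anon_pdf_*` entries show why a rule set that is correct on paper can still "not work": the rules were never evaluated for the static file, so the fix is in IIS (handler mapping, Request Filtering or folder ACLs), not in `<authorization>`.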
I typed up a summary since many were facing the same situation regarding subfolder authentication.
Subfolder Authorization
ASP.NET can only have a single authentication mode for one application.
Different applications CANNOT share resources among them.
Scenario
Let's say the home page should not prompt a login dialog. It should let users pass through whatever the login is. However, in the same application, in a different folder presumably, another page needs to check user permission against a database table using the user's network login ID. By default IE treats any web site with only a hostname as an Intranet site. By its default intranet setting, it will not prompt the login dialog and will pass the user's login and password to the application if Windows Authentication is used. However, the tricky part is, if the application has an actual domain, IE will think it is an Internet site, and it will prompt for the login and password if Windows Authentication is used.
The only way to not prompt a login dialog for an Internet site using Windows Authentication is to also turn on anonymous authentication in IIS. However, you will lose the ability to capture the login info because Anonymous has precedence over Windows Authentication. The good news is there is a way to resolve that issue. If an application subfolder needs to capture the login information, you will need to override the parent authorization in a Location element in web.config.
1. In IIS, configure Authentication as follows:
Enable Anonymous Authentication,
Enable Windows Authentication
2. Add the following in Web.Config.
<authentication mode="Windows" />
<authorization>
<allow users="*" />
</authorization>
<!-- secured is the relative subfolder name. deny anonymous user, so only the authenticated login will pass through -->
<location path="secured" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>