I currently have an ASP.NET 3.5 SP1 running on IIS 7. I have enabled forms authentication using .NET Membership and setup some folders that are restricted according to roles I have created. For instance, if an anonymous visitor tries to access the file http://www.example.com/restricted/foo.txt, he/she will be redirected to a login page, as expected. So far so good.
What I would like to do is provide access to protected files by allowing visitors to specify their login credentials in a query string, something alone the lines of:
http://www.example.com/foo.txt?user=username&pass=pwd
Is this possible at all?
you should be able to write an http module that intercepts the request and authenticates the user based on the querystring. However, just for the sake of completeness, I'd like to question whether it's a good idea to provide users their username and (in particular) password in plaintext.
You could easily create a download page that would authenticate the user and then forward them to the requested file. Something like navigating to Download.aspx?user=username&pass=pwd&file=foo.txt.
This however is NOT recommended. You should never require users to pass login information via a URL.
A secondary answer based on comments you've made to other questions is that you could simply put your download page in a directory. The subfolder could have a web.config that allows unauthenticated users access to the contents within :-)
something like:
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
Related
I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those file are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different level? If it is possible what options do I have?
Chris Pratts answer is correct. You can successfully turn of anonymous authentication and let MVC4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the locations tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="/Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension so block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
I've been searching around the internet and I can't find an exact solution. Sorry it's a bit long but I'm hoping someone can help me.
I'm working on a web-based system using ASP.Net (4.0). This system allows an administrator to add new roles. Apart from adding new roles, the administrator can also set permissions to a role to access different pages.
For example, by default the User role can only access the Home page and. Say the administrator decides to set a new permission to this role and allows it to access another page (for example: ManageUsers.aspx)
I am using the Forms Authentication via the web.config. The web-pages are in two separate folders, one for each role (Admin and User). In each folder another web.config defines which roles can access the pages in this folder.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="2"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
The problem is that if the administrator grants access to the User role for a page (for example: ManageUsers.aspx) that is allocated in the Admin folder, the User role is denied access to this page since only an Admin role can access these pages.
The first solution I thought of was changing the web.config on run-time but this will restart the application every time the web.config is changed.
The second solution is listing the pages each role can access from a database table or an XML file. I'm not sure if it will work if I still use the Forms Authentication. Shall I use locations in the web.config files? Or maybe there's another way to solve this? I can't get my head around it.
Thanks in advance for any help!
I'm making a project on ASP.NET and I want that if the user is not registered with my site or not Login then he/she will not able to download. If I'm using session ID then I've to pass it on every link and page so is there a simple way to accomplish it?
If you're using the ASP.NET stock authentication system, you can just add a tag like this to your <system.web> element in web.config:
<authorization>
<deny users="?" />
</authorization>
StriplingWarriors answer will work for all unauthenticated users but if you are attempting to restrict specific users from doing/viewing specific things on the site (and assuming you are using the ASP.NET membership API to manage users) you can just check User.Identity.IsAuthenticated
Firstly I just want to say I'm not an ASP developer, I'm PHP through n through...
So my problem is this, all of a sudden a client site has started prompting for users to be logged in when viewing pages in a sub directory, when I download the web.config file I can see the authentication mode set to "Windows" this would appear to be an issue but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server, its on a shared hosting account and the control panel is pretty below average
Any help is greatly appreciated!! I'm in a panic and the hosting company don't have ASP support on hand
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
The * essentially means Everyone so it just saying that for the current directory, everyone is allowed access- you only need this in the web.config...nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating centre level (NTFS permissions) which do not allow Anonymous access...Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.
I've got an ASP .NET website which uses Forms authentication to secure certain parts of the site. We have a test version of the site on a server and are making it available to partners over the web, e.g. at test.mydomain.com.
I need to secure all parts of the site so that only our partners can use it. Ideally it would be nice to have basic authentication pop up when they first hit the site, then have it work as normal thereafter, i.e. forms auth for certain areas.
However it seems ASP .NET and IIS don't support this. I'm aware of MADAM but that achieves something slightly different to what I need.
I'm considering restricting access by IP but that has two drawbacks, one it requires parters to "sign up" with their IP, and two, their IP could change.
Does anyone else have any suggestions?
One solution is to check for the existence of a 'basic authentication' cookie on each request. If it doesn't exist or doesn't have valid data, don't allow access to the site. This could be checked in a base page that all pages inherit from or masterpage etc.
In order to set the cookie, you could create page that you send your partners to. It might just be at a obscure url, or require that they enter a password. Basically what ever security mechanism suits you, but once they 'pass the test', you set the cookie that gives them access to the site.
Then they would have access and be able to login using your existing forms authentication.
Does that make sense.
Assuming your site implements roles, you can block access using traditional forms authentication and the location attributes. Something like:
<configuration>
<location path="Testing">
<system.web>
<authorization>
<allow roles="partners" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
You would then need to make sure all of the users that need access to that part of the site were in the partners role.
Ummm....
Well, the above solutions will work, but overall there is a better way. But does require some planning ahead.
your development and staging servers shouldn't be open to the general public, search bots, ect.. ect..
your dev and stg boxes can be locked down buy firewall or even ip access controls via IIS
No code solution
In the end we decided that securing the entire site via Forms authentication, and issuing test accounts to our partners, was the best solution.
Thanks to all for your suggestions.