ELMAH: ASP.NET security - asp.net

I have an ASP.NET 3.5 application which is using the Visual Studio Development Server. I set ELMAH up, and it is working fine. I set up the AXD "file" and XML files (using XML as the storage medium) to be in a folder under the root:
v3/elmah/
Now, I'd like to have it so that when elmah or elmah/elmah.axd (or anything in this directory) is requested, that a username/password dialog is presented. Right now, I have this in the web.config:
Which is allowing all authenticated users, I believe. I've tried to disable anonymous access to that directory, but the file is still being served. Is there something I need to change in the Security of the file system?
BTW, this is XP SP3.
Thanks all!

Did you add something like this to your web.config?
<location path="admin/elmah.axd">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
There is also a requirePermission attribute available for the ELMAH section nodes in the web.config.
<sectionGroup name="elmah">
<section name="security" requirePermission="true" type="Elmah.SecuritySectionHandler, Elmah" />
<section name="errorLog" requirePermission="true" type="Elmah.ErrorLogSectionHandler, Elmah" />
<section name="errorMail" requirePermission="true" type="Elmah.ErrorMailSectionHandler, Elmah" />
<section name="errorFilter" requirePermission="true" type="Elmah.ErrorFilterSectionHandler, Elmah" />
</sectionGroup>
Update to avoid a mess in the comments:
In my web.config I use something like:
<authentication mode="Forms">
<forms loginUrl="Users/SignIn"
timeout="30"
.. moreStuffHere />
</authentication>

Related

Forms Authentication set to None, but authentication with SQL Server is still being attempted

How can I disable forms authentication? Every time I navigate to a page, the page tries to authenticate through an SQL instance on the server. I have set forms authentication to none, but still no change.
http://go.microsoft.com/fwlink/?LinkId=169433 -->
<system.web>
<httpRuntime maxRequestLength="65536" executionTimeout="3600"/>
<compilation debug="true" targetFramework="4.0" />
<!--<authorization>
<allow users="*"/>
</authorization>-->
<!--<authentication mode="None">
<forms loginUrl="~/Account/Login" timeout="2880" defaultUrl="~/" />
</authentication>-->
<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider,
System.Web.Providers, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"
connectionStringName="DefaultConnection" applicationName="/" />
Okay, so I went with leaving Forms Authentication enabled, and instead set up IIS to have access rights to an instance of SQL Express installed on the server. All pages work fine now.

ASP.NET MVC 5 Identity & Securing Folders

Well, I'm at a loss. I've looked everywhere and I'm still getting errors. I have a folder with a couple of pdf files stored in it. The folder is called "docs" and it's in the root directory of my project. I placed a web.config file in the folder with the following code...
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
I also tried placing the code in my root web.config file using the following code...
<location path="/docs">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
Both of these code blocks produce a 500 server error. Unfortunately, I don't have access to the detailed server error since I'm on shared hosting. Any ideas?
Edit: Sorry... That's what I get for posting a question at 1am. I want to secure the folder so that only those users who are logged in and authorized can access it and download files.
I had a similar problem (see here). The solution was to add the web.config to the directory but also to add a handler directive to it. This worked for me.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<add name="PDFHandler" verb="*"
path="*.pdf"
type="System.Web.StaticFileHandler"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
"I want to secure the folder so that only those users who are logged in and authorized can access it and download files."
If you just want to restrict downloads to logged-in and authenticated users, then GlenBee’s solution is by far the simplest and most effective one.
If you need to restrict access by role and/or claim, you have two choices:
If you are comfortable with security by obscurity, you can control access to the page that has the links to the files. The files are stored within the wwwroot, so that all you need to do is link to them on a page that does the role/claim filtering. The downside is that anyone can guess the file paths and names, and gain access to them without having the correct role/claim (although you should still secure the file directory for only authenticated users as per GlenBee’s solution).
If you need to ensure that, without exception, no-one can access the files except those people authorized to do so by virtue of their role/claim (or some other requirement, such as direct ownership), you will have to protect not just the page with the links (filtering for role/claim/ownership), but also create a file handler that passes the files off to the user to be downloaded (filestream, etc.), and to have the files themselves stored outside of wwwroot so they cannot be accessible via plain HTTP. This ‘file hand-off script’ ensures that the user being handed the file actually has the role/claim/ownership required, instead of just being able to blindly guess the path to the file; and storing the file outside of wwwroot ensures that only the script can grab the file in the first place.
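The "file hand-off script" described above, written out as an added example (not code from the original answer) for ASP.NET MVC 5. It assumes a hypothetical appSettings key "DocsRoot" pointing at a directory outside wwwroot and a hypothetical role "DocReaders"; the action enforces the role, rejects anything but a bare .pdf file name, and re-checks the resolved path so a crafted name cannot escape the directory.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Web.Mvc;

// Added example, not from the original post. Documents live in the directory
// named by the (assumed) appSettings key "DocsRoot", which is OUTSIDE the web
// root, so IIS never serves them directly; only this action can hand them out.
public class DocsController : Controller
{
    // Assumed web.config entry: <add key="DocsRoot" value="D:\protected-docs" />
    private static readonly string DocsRoot =
        ConfigurationManager.AppSettings["DocsRoot"];

    // Unauthenticated users are redirected to the Forms login page; users in
    // the wrong role are refused. "DocReaders" is an assumed role name.
    [Authorize(Roles = "DocReaders")]
    public ActionResult Download(string name)
    {
        if (string.IsNullOrWhiteSpace(name))
            return new HttpStatusCodeResult(400);

        // Accept only a plain file name: no path separators, no "..", .pdf only.
        if (name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || name.Contains("..")
            || !name.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400);

        string root = Path.GetFullPath(DocsRoot);
        string full = Path.GetFullPath(Path.Combine(root, name));

        // Defence in depth: the resolved path must still sit inside DocsRoot.
        if (!full.StartsWith(root + Path.DirectorySeparatorChar,
                             StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400);

        if (!System.IO.File.Exists(full))
            return HttpNotFound();

        // Stream the file instead of loading it into memory; passing the file
        // name makes MVC emit Content-Disposition: attachment.
        var stream = new FileStream(full, FileMode.Open, FileAccess.Read, FileShare.Read);
        return File(stream, "application/pdf", name);
    }
}
```

An ownership check (for example, comparing the requested document against the current user's records) would go between the role attribute and the path checks; the role attribute alone only covers the role/claim case.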
I am doing the same thing, here is the contents of the web.config that I placed in the folder:
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
And with the errors:
A simple solution I do is turn on health monitoring and have it email me errors, this is in my root web.config:
<system.web>
<healthMonitoring enabled="true">
<eventMappings>
<clear/>
<!-- Log ALL error events -->
<add name="All Errors" type="System.Web.Management.WebBaseErrorEvent, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" startEventCode="0" endEventCode="2147483647"/>
<!-- Log application startup/shutdown events -->
<!--<add name="Application Events" type="System.Web.Management.WebApplicationLifetimeEvent" startEventCode="0" endEventCode="2147483647"/>-->
</eventMappings>
<providers>
<clear/>
<!-- Provide any customized SqlWebEventProvider information here (such as a different connection string name value -->
<add name="SqlWebEventProvider" connectionStringName="ConnectionString" maxEventDetailsLength="1073741823" buffer="false" type="System.Web.Management.SqlWebEventProvider"/>
<add name="EmailWebEventProvider" buffer="false" type="System.Web.Management.SimpleMailWebEventProvider" from="website@example.com" to="webmaster@example.com" subjectPrefix="Website Error: "/>
</providers>
<rules>
<clear/>
<add name="All Errors Default" eventName="All Errors" provider="SqlWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>
<!--<add name="Application Events Default" eventName="Application Events" provider="SqlWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>-->
<add name="All Errors To E-Mail" eventName="All Errors" provider="EmailWebEventProvider" profile="Default" minInstances="1" maxLimit="Infinite" minInterval="00:00:00"/>
</rules>
</healthMonitoring>
</system.web>
<system.net>
<mailSettings>
<smtp from="no_reply@example.com">
<network host="mail.example.com" userName="website@example.com" password="P#$$w0rd"/>
</smtp>
</mailSettings>
</system.net>

ASP how to get authorization rules in code? Not section from web.config, but actual rules

Well, to be honest, the problem is why 'currentUser.Identity.Name' is blank.
Options are:
<authentication mode="Windows">
</authentication>
<identity impersonate="false"/>
And IIS 7 Integrated Windows Authentication is enabled, 'Anonymous access' disabled.
(It was mentioned here)
The app is executing on the local computer, in the same domain.
When I'm trying to write:
<authorization>
<allow users="MY_USER_NAME"/>
<deny users="?"/>
</authorization>
I get page 401.2, access forbidden.
And now, I think, the options are inherited from somewhere, and 'Anonymous access' is still enabled. So, how do I check the actual value in code?
UPDATE
Role manager is this:
<roleManager defaultProvider="DefaultRoleProvider" enabled="true">
<providers>
<add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/"/>
</providers>
</roleManager>
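One way to read the effective authorization rules in code, as an added example that is not part of the original question. It uses two documented System.Web APIs: WebConfigurationManager.GetSection with a virtual path returns the <authorization> rules as merged after inheritance from machine.config, parent web.config files and <location> elements, and UrlAuthorizationModule.CheckUrlAccessForPrincipal performs the same check the runtime makes before answering 401.2. The class and method names are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example, not from the original post.
public static class AuthRuleInspector
{
    // Lists each effective rule for 'virtualPath' as "Allow users=... roles=... verbs=...".
    public static IList<string> EffectiveRules(string virtualPath)
    {
        // Rules are merged per path, so ask for the section at that path, not the root one.
        var section = (AuthorizationSection)
            WebConfigurationManager.GetSection("system.web/authorization", virtualPath);

        var lines = new List<string>();
        foreach (AuthorizationRule rule in section.Rules)
        {
            // Users/Roles/Verbs are StringCollections, hence Cast<string>().
            lines.Add(string.Format("{0} users={1} roles={2} verbs={3}",
                rule.Action,
                string.Join(",", rule.Users.Cast<string>()),
                string.Join(",", rule.Roles.Cast<string>()),
                string.Join(",", rule.Verbs.Cast<string>())));
        }
        return lines;
    }

    // True if 'user' may GET 'virtualPath' under the effective rules.
    public static bool CanAccess(IPrincipal user, string virtualPath)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }

    // Dumps the rules and the verdict for the current request's user. When
    // Identity.Name is empty the request is still anonymous, which is exactly
    // the state in which <deny users="?"/> produces 401.2.
    public static string Report(HttpContext ctx)
    {
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        var sb = new StringBuilder();
        sb.AppendLine("User: '" + ctx.User.Identity.Name + "' authenticated="
                      + ctx.User.Identity.IsAuthenticated);
        foreach (string line in EffectiveRules(path))
            sb.AppendLine(line);
        sb.AppendLine("Allowed: " + CanAccess(ctx.User, path));
        return sb.ToString();
    }
}
```

Call Report(HttpContext.Current) from a page or handler that anonymous users can reach; if it shows an authenticated=False user while IIS is supposed to require Windows authentication, the anonymous setting is being inherited at the IIS level rather than from web.config.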

My ASP.NET MVC2 application with Forms Authentication is blocking access even to Images, Styles and Scripts

I'm developing a MVC2 application and using Forms Authentication on it.
The scripts, images and styles are all blocked for users who are not logged in and, consequently, the login page looks awful.
It works well locally; the problem is when I publish to the server.
Does anyone have any idea WHY????
PS: The server IIS is version 7.5
My Web.config:
<configuration>
<system.web>
<globalization culture="pt-BR" uiCulture="pt-BR" />
<httpRuntime requestValidationMode="2.0"/>
<customErrors mode="Off" />
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
</assemblies>
</compilation>
<pages>
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Routing" />
<add namespace="Admin.Models" />
</namespaces>
</pages>
<authentication mode="Forms">
<forms name="AGAuth" loginUrl="~/Home/Login" timeout="120" />
</authentication>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
<bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0" />
</dependentAssembly>
</assemblyBinding>
</runtime>
<connectionStrings>
<add name="DBContainer" connectionString="metadata=res://*/Database.DB.csdl|res://*/Database.DB.ssdl|res://*/Database.DB.msl;provider=System.Data.SqlClient;provider connection string="Data Source=thewebserver.com,5158;Initial Catalog=thedatabase;Persist Security Info=True;User ID=theuser;Password=thepassword;MultipleActiveResultSets=True"" providerName="System.Data.EntityClient" />
</connectionStrings>
</configuration>
Add a web.config to the scripts, images and styles folders telling asp.net to allow access to all users (make sure you don't have anything in there that you don't want anonymous users to have access to):
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
As for the reason, the following is telling IIS to let asp.net process all the requests:
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
I had exactly the same problem.
The cause turned out to be the IIS authentication configuration. By enabling Anonymous Authentication (and enabling Forms Authentication and disabling Windows Authentication) the scripts, styles and images became accessible when logged off.
You can set permission to required folders like this:
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="images">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
Take a look at the documentation for the location element. I think the first example will give you what you need.
For convenience, here is the example mentioned:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The group IIS_WPG needs read access to the folder. Now it works fine... hope this helps someone else
You can set the permission to required folders like this:
<location path="App_Themes">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This is a complete stab in the dark but what are the rights on the image and css folders? If they are set so that only authorised people can get to them then you have a problem. You might try setting the rights on those folders to everyone, or for the .net default user and see what you get.
Did you accidentally copy or create a Web.config file in your Content folder that has an <authorization> element that may be denying access?
I had the same problem too and I tried what Scott H suggested but it didn't work...
It turns out the user assigned to Anonymous Authentication was set to IUSR (right-click 'Anonymous Authentication' -> Edit), which didn't have access to my code. I had given access to the Application pool identity, so I selected that option, clicked 'OK', and bingo it worked.

how to setup Elmah for asp.net 1.1?

I am trying to set up elmah for an asp.net 1.1 application.
I have the following entry in my web.config
<httpHandlers>
<add verb="POST,GET,HEAD" path="elmah.axd" type="Elmah.ErrorLogPageFactory, Elmah" />
</httpHandlers>
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah"/>
</httpModules>
<configSections>
<sectionGroup name="elmah">
<section name="security" type="Elmah.SecuritySectionHandler, Elmah"/>
<section name="errorLog" type="Elmah.ErrorLogSectionHandler, Elmah" />
<section name="errorMail" type="Elmah.ErrorMailSectionHandler, Elmah" />
<section name="errorFilter" type="Elmah.ErrorFilterSectionHandler, Elmah"/>
</sectionGroup>
Did I miss anything?
We need to log errors into XML files and they should be available from a remote location. My web.config looks like:
<configSections>
<sectionGroup name="elmah">
<section name="security" type="Elmah.SecuritySectionHandler, Elmah"/>
<section name="errorLog" type="Elmah.ErrorLogSectionHandler, Elmah" />
<section name="errorMail" type="Elmah.ErrorMailSectionHandler, Elmah" />
<section name="errorFilter" type="Elmah.ErrorFilterSectionHandler, Elmah"/>
</sectionGroup>
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah"/>
</httpModules>
<!--
<elmah>
<security allowRemoteAccess="yes" />
<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="C:\Inetpub\wwwroot\LearnElmah\App_Data\Elmah" />
</elmah>
-->
<!-- DYNAMIC DEBUG COMPILATION
Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to
false will improve runtime performance of this application.
Set compilation debug="true" to insert debugging symbols (.pdb information)
into the compiled page. Because this creates a larger file that executes
more slowly, you should set this value to true only when debugging and to
false at all other times. For more information, refer to the documentation about
debugging ASP.NET files.
-->
<compilation
defaultLanguage="c#"
debug="true"
/>
<!-- CUSTOM ERROR MESSAGES
Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
Add <error> tags for each of the errors you want to handle.
"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running
on the local Web server. This setting is recommended for security purposes, so
that you do not display application detail information to remote clients.
-->
<customErrors
mode="Off"
/>
<!-- AUTHENTICATION
This section sets the authentication policies of the application. Possible modes are "Windows",
"Forms", "Passport" and "None"
"None" No authentication is performed.
"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
its settings for the application. Anonymous access must be disabled in IIS.
"Forms" You provide a custom form (Web page) for users to enter their credentials, and then
you authenticate them in your application. A user credential token is stored in a cookie.
"Passport" Authentication is performed via a centralized authentication service provided
by Microsoft that offers a single logon and core profile services for member sites.
-->
<authentication mode="Windows" />
<!-- AUTHORIZATION
This section sets the authorization policies of the application. You can allow or deny access
to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
(unauthenticated) users.
-->
<authorization>
<allow users="*" /> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
<!-- APPLICATION-LEVEL TRACE LOGGING
Application-level tracing enables trace log output for every page within an application.
Set trace enabled="true" to enable application trace logging. If pageOutput="true", the
trace information will be displayed at the bottom of each page. Otherwise, you can view the
application trace log by browsing the "trace.axd" page from your web application
root.
-->
<trace
enabled="false"
requestLimit="10"
pageOutput="false"
traceMode="SortByTime"
localOnly="true"
/>
<!-- SESSION STATE SETTINGS
By default ASP.NET uses cookies to identify which requests belong to a particular session.
If cookies are not available, a session can be tracked by adding a session identifier to the URL.
To disable cookies, set sessionState cookieless="true".
-->
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="false"
timeout="20"
/>
<!-- GLOBALIZATION
This section sets the globalization settings of the application.
-->
<globalization
requestEncoding="utf-8"
responseEncoding="utf-8"
/>
You also need the elmah section that defines the type of logger you are going to use and, depending on which logger you use, possibly a connection string:
<elmah>
<security allowRemoteAccess="yes" />
<!--<errorLog type="Elmah.XmlFileErrorLog, Elmah" logPath="~/App_Data/Elmah" />-->
<errorLog type="Elmah.SqlErrorLog, Elmah" connectionStringName="elmah" applicationName="MyApp" />
</elmah>
<connectionStrings>
<add name="elmah" connectionString="" providerName="System.Data.SqlClient" />
</connectionStrings>
This is a very late entry, but anyone trying to set up ELMAH with .NET 1.1 and Visual Studio 2003 should browse to the following location:
https://code.google.com/p/elmah/source/browse/samples/web.config?repo=1x&r=c1d14a9e1626b74a4a606bae8bf9ae829ec641c5