I want, when I type http://localhost/Admin, to take me to the page http://localhost/Something/Login.aspx. How can I do this?
What you are looking for is called Forms Authentication. A very short introduction follows.
You need to create a login page that makes a call like this, after verifying the identity of the user:
FormsAuthentication.RedirectFromLoginPage(userName);
Then you need to wire up the login page in the web.config file:
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Something/Login.aspx" />
</authentication>
</system.web>
Furthermore, you will need to tell the framework that all URLs below ~/Admin/ requires the user to be authenticaticated. This can be done by adding an another web.config file within that folder:
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
Read the article linked above, or search the web for "ASP.NET forms authentication" and you will soon be on the right track.
EDIT 1 - If all you want to do is really to "make a redirect to a specific URL", then this is sufficient:
Response.Redirect("~/Something/Login.aspx")
From the URLs you mention in the your questions, it seems that you are trying to enforce some kind of authentication/authorization scheme. If this is true, forms authentication is a better answer.
EDIT 2 - If you want to rewrite, not redirect, requests from ~/Admin to ~/Something/Login.aspx you can do so by mapping a URL mapping in your root web.config file
<system.web>
<urlMappings>
<add url="~/Admin/Default.aspx" mappedUrl="~/Something/Login.aspx"/>
</urlMappings>
</system.web>
In most setups, the web server will only pass the request to ASP.NET if the requested URL ends with a known suffix, such as .aspx. On approach to trick the web server to pass requests for ~/Admin to ASP.NET, is to use the "default document" feature in the web server. For this to work, you must add an empty file named Default.aspx in the ~/Admin folder.
Related
I have created a brand new web form application from Visual Studio 2013 and set the following in the web.config file:
<authentication mode="Forms">
<forms defaultUrl="~/Home.aspx" loginUrl="~/Login.aspx"
slidingExpiration="true" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
When I run the project I get 404.15 error.
This is not an MVC site.
I found a similar error that said I need to remove the "deny users" but I don't want to do that.
I need all users to be directed to the login page if they have not authenticated.
* New Asp.Net MVC5 project produces an infinite loop to login page *
I also tried this but I get "This webpage has a redirect loop"
* How to configure the web.config to allow requests of any length *
EDIT: Added more links to explain the problem.
So I found and article about login page loops.
* http://erlend.oftedal.no/blog/?blogid=55 *
So if I add a break point on the ProcessRequest I can see that there is an infinite loop calling the Login.aspx page.
So the problem does not seem to be that the URL is too long but more likely that there is an infinite loop calling the Login.aspx page.
If I place a breakpoint on the Page_Load in side the Login.aspx page, the breakpoint never gets hit.
There must be something higher up causing the redirect.
Here is how I got it to work.
Excluded all the items under the Account folder except Login.aspx
Excluded IdentityConfig and Startup.Auth under the App_Start folder
Excluded IdentityModels under the Models folder
Excluded Startup under the root folder of the application
Commented out all the code under Page_Load and LogIn inside the Login.aspx code file
Commented out code with OpenAuthProviders in the Login.aspx markup
Added the following key to the appSettings section inside the web.config file
<add key="owin:AutomaticAppStartup" value="false" />
The solution it's not completely deactivating the whole authentication system.
The problem may be caused by the access control not correctly setting Login.aspx permission when using the FriendlyUrls module. So you must force the permissions also for the Login page by it's "friendly" name. In the folder where login page it's stored, possibly will already be a web.config file that you may setup like this:
<?xml version="1.0"?>
<configuration>
...
<location path="Login">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
...
</configuration>
Note: Take care with other pages currently in the same folder and setup accesses accordingly.
I'm working on restricting access of static PDF files to only logged-in users. I only want to use a server-side redirect from the resource when a request comes that doesn't have the proper credentials.
I could use an IHttpHandler and set the path value, but I don't want to have to hand-serve the file. I would like requests from logged-in users to pass straight through, more like an IHttpModule, except I can't set a path to restrict the files that the module will act on.
Is there a way to pass requests through a handler, or limit the path of a module?
EDIT
It may also be useful to note that I want to redirect the user to a login page with a specific query string parameter redirecting the user back to the resource if login is successful.
If these are really static resources (exist on disk) then you could just stick them in a folder and restrict that folder using a location element in the web.config
<location path="MyPDFs">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This will prevent any unauthorized users from being able to access any files located in the MyPDFs folder within your site.
If you only want a subset of those files, then you can create a sub directory, and secure it in a similar fashion.
<location path="PDF/SecureSubDirectory">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
UPDATE:
It may also be useful to note that I want to redirect the user to a
login page with a specific query string parameter redirecting the user
back to the resource if login is successful.
This is all handled for you by default when using Forms Authentication in ASP.Net
Any request for a resource that fails because a user is not yet authenticated will automatically be redirected to the configured login page defined in your web.config.
<system.web>
<authentication mode="Forms">
<forms loginUrl="Logon.aspx" name=".ASPXFORMSAUTH">
</forms>
</authentication>
</system.web>
It appends a query string parameter that referes to the originally requested resource. Once the user successfully authenticates, they are redirected back to the URL they originally requested.
All this is baked into the framework :)
NET MVC project i have following tag in in web.config file
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880"/>
</authentication>
This causes even the authenticated users but unauthorized resource requested users to redirect to logon page. but i need only to redirect this page if user try to access unauthorized page and not already authenticated(logged on) and redirect to custom page.
Is there easy way to do this without writing custom action filter?
All that this line does in web.config is to simply define the timeout of the authentication cookie and the login url. It is your code that decides which parts of the site are authenticated or no, by for example decorating your controllers and/or actions with the [Authorize] attribute.
please check your "authorization" setting in web.config file. It should be somewhat
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
also when user authenticates successfully make sure you call
FormsAuthentication.SetAuthCookie(<username>, false);
I am using
<authentication mode="Forms" >
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH" />
</authentication>
Every thing works fine except that, there are some pages like About Us, Contact Us, Privacy Policy etc, which do not need to login to view them.
In my case i need to login to view all pages. I want these common pages to be viewable without having to log on.
I have tested my application on local IIS as well as on deployment server, but same problem occurs.
Please help!
Thanks for sharing your valuable time.
You need to create exceptions to your security policy:
<!-- files in the "Public" folder don't require authorization -->
<location path="Public">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Alternately, you can make page-specific exceptions:
<location path="AboutUs.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Appearantly you want some pages to be available without logging in. The way to go about this is to set permission on subdirectories instead of the website root, and put these pages in the web root (usually they are in teh root)
If thats too much work, put your pages in a directory and allow anonymous users to access it.
There could be a large number of possible answers to such an open question. We will need more specifics to answer. Here are just a few places to look:
Have you checked your web.config file to see if anonymous authentication is off?
Have you checked the web.config to see if you are denying anonymous users access to your root directory?
Have you checked IIS to see if anonymous authentication is off?
Have you checked the pages' source code files to see if you are doing manual denial of service to anonymous users?
I have an existing ASP.NET application that implements Forms Authentication site-wide. The application is deployed in multiple instances (e.g., customer1, customer2, test, dev, etc...), with a separate database per instance. SSL is in play. Instance configuration is via an XML config file.
I have a new requirement to allow upload/download of certain data, which I would like to implement as a public web service.
My initial thought here was to selectively disable forms authentication for a subdirectory of the application (e.g., ~/Services), and then do authentication via a SOAP header or similar.
However, I'm not finding a way to selectively disable forms auth.
Question: Is there a way to do this? I've tried the <location> tag in web config to no avail.
If not, what are your recommendations for how to set this up? I can think of the following options:
1) Create a new "Services" project in my solution, and then configure a separate IIS ASP.NET application on that directory in each instance. (Pro: easy access to instance configuration, which may be needed in the future. Con: configuration burden for each relevant instance).
2) Create a separate "Services" solution that references needed assemblies from the application solution and host it as a separate ASP.NET application. Then, lookup the db connection string based on the UserName provided in SOAP Header. (Pro: single app to configure in IIS. Con: No easy access to instance config.)
3) ??
Clarification: I did see the answer here: Override ASP.NET forms authentication for a single page, but the use of a location tag is not helping (requests for the web service are still redirected). The relevant sections in my web.config look like this:
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx"/>
</authentication>
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
</system.web>
<location path="~/Services/MyService.asmx">
<system.web>
<authentication mode="None" />
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I would think the location tag would work, where you specify the services folder and allow all users, something like:
<location path="services">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
But you said that didn't work, have you tried putting a web.config file in the services folder and disabling forms authentication and allowing all users in that file?
You could also have a (overriding) web.config file in the services folder with the access control set to anonymous.
what worked for me was to allow users all users access in the folder where my webservices is located.
Firstly i added a configuration file in that folder and inserted the code below to allow all users.
<authorization>
<allow users="*"/>
</authorization>
</system.web>