I'm working on a internal web based tool for my company. Part of this tool is another application (The Cruise Control Dashboard) that runs in its own Virtual Directory under my root application.
I wanted to limit access to this internal application by setting up Forms Authentication on it, and having a login form in the root application.
I put the following into the root applications web.config:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/default.aspx" timeout="5000"/>
</authentication>
<authorization>
<allow users="?"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
However, the Forms Authentication does not appear to be working, it does not redirect back to the login page when I access that application directly.
I have a feeling I have the <allow> and <deny> tags set wrong. Can someone clarify?
You might also need to put path="/" in the
That was it!
So, Summary, inorder todo this;
In root web.config add:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
This must be done because by default it is "AutoGenerate,IsolateApps".
Second, you must name the form Auth cookie the same in both, I did this all in my root, using the location tag:
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
Finally:
<location path="ccnet">
<system.web>
<authentication mode="Forms">
<forms name="ccAuth" loginUrl="/default.aspx" path="/" timeout="5000"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Thanks everyone for your help. This was a stumper.
FormsAuthentication encrypts the tokens that it gives to the user, and by default it encrypts keys different for each application. To get Forms Auth to work across applications, there are a couple of things you need to do:
Firstly, set the Forms Auth "name" the same on all Applications. This is done with:
<authentication mode="Forms">
<forms name="{name}" path="/" ...>
</authentication>
Set the "name" to be the same in both applications web.configs.
Secondly, you need to tell both applications to use the same key when encrypting. This is a bit confusing. When I was setting this up, all I had to do was add the following to both web.configs:
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1" />
According to the docs, thats the default value, but it didnt work for me unless I specified it.
You might also need to put path="/" in the <forms tag(s) I think. Sorry, its been a while since i've done this
That does not work, it still allows all users, (Authenticated or not) to access.
I would think you could even omit the allow tag, as it's redundant. Just:
<deny users="?"/>
Where does that code sit Jonathan? In my experience I have a login control and in the OnAuthenticate event I would set Authenticated to false...
If CustomAuthenticate(Login1.UserName, Login1.Password) Then
FormsAuthentication.RedirectFromLoginPage(Login1.UserName, False)
Else
e.Authenticated = False
End If
But that's using the Microsoft Way
you are allowing all unauthenticated. You might be looking for something like this
<deny users="?"/>
What is the file extension for this cruise control application? If it is not a file type that ASP.NET is registered to handle (e.g. jsp, java, etc), then ASP.NET will not act as an authentication mechanism (on IIS 5 and 6). For example, for static html files, unless you have wildcard mapping implemented, IIS does all the authentication and authorization and serves up the file without involving the ASP.NET isapi extension. IIS7 can use the new integrated pipeline mode to intercept all requests. For IIS6, you'll want to look at Scott Gu's article on the matter.
None of the above suggestions worked for me. Turns out in the root web.config set:
<forms loginUrl="/pages/login.aspx" enableCrossAppRedirects="true"...
and make sure that both the root and child app have in system.web
<machineKey validationKey="AutoGenerate" decryptionKey="AutoGenerate" validation="SHA1"/>
which turns off the IsolateApps default.
Then everything just worked!
Related
I am using FormAuthencation in my current web application with ASP.NET 4.5. I have placed a check on Login page if (User.Identity.IsAuthenticated){ } then redirect to main page , but strange without even login i am getting User.Identity.IsAuthenticated = true i do not understand why that giving true.
Web.Config
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" name=".ASPNETAUTH" defaultUrl="~/Account/Welcome.aspx" protection="All" timeout="30" path="/"></forms>
</authentication>
Thanks
Ravi Mittal
If this is published in IIS, you need to disable anonymous access via IIS (you can see how to do that on this page).
It would also help to make sure the <authorization> section of your web.config has something like this:
<authorization>
<deny users="?"/>
</authorization>
This will block "unauthorized" users from your app.
I am making a ASP.NET web page in C#. I'm finding that if the web page is left alone for a short period of time, I start getting 401 Unauthorized Errors whenever the page attempts to call a WebMethod. I think this is probably caused by the Session timing out.
I only make use of the Session for a short time when the user first enters this page, when I am doing some backend caching and using the Session to keep track. At that time the page is hitting the backend continuously for updates, which would be refreshing the Session. Once this is finished I no longer need any Session state.
Is it possible to have a WebMethod that works without requiring a session state, but it able to find and access it if it one exists? Or if it created an empty session automatically when the WebMethod was called, this would also be fine.
Thanks!
apart from the ans given by #Jupaol
you can easily use Location element of web config
with something like this
<configuration>
<location path="Url_To_WebMethod">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
this would remove the need of authentication from your web method and then you would be able to use it without requiring any auth cookie
Well if my understanding is correct, you should place your Web Service in a sub-folder and configure it to allow anonymous users:
Your typical root web.config would look like:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880">
</forms>
</authentication>
<authorization>
<deny users="*"/>
</authorization>
In the sub-folder, create a new web.config file and override the authorization settings:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I'm searching for this, but I can't find it, yet I know that this can be done with an htaccess file, since this is what the screenshot below does.
I want to secure a folder behind a preset username and password. I can't create a Windows user since I do not own the server and we don't need an authentication form. We want to use the default authentication form of the browser.
How is this possible from the web.config?
This i what I have but it does not work
<system.web>
<authentication mode="Forms">
<credentials passwordFormat="Clear">
<user name="test" password="test" />
</credentials>
</authentication>
<authorization>
<allow users="test" />
<deny users="*" />
</authorization>
</system.web>
This is not possible with forms authentication.
There seems to be a third party library to use htaccess/htpasswd style directory access configuration on IIS:
http://www.helicontech.com/ape/
See also .htaccess or .htpasswd equivalent on IIS?
Many thanks in advance. When running the ASP.NET Development Server, everything is working fine. However, when I deploy my asp.net application to the production server (IIS 7.0 integrated mode, fresh install), my location tags in my web.config file are being ignored.
Case in point: I'm using forms authentication, and when the user arrives at my login.aspx page, the external css & js files are not being loaded...even though I have specified that those files should be available to all users (auth'd or not). However, once the user is logged in, the files do in fact load.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<authorization>
<deny users="?" /> <!-- Restrict anonymouse user access -->
</authorization>
And the exception to my css file...
<location path="Styles/xtools.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I've verified that the path to the css file is accurate. Any suggestions?
Thanks, --Dan
--EDIT
Forgot to mention, I have tried creating a web.config file in the targetted folder as well...still not working.
Just got it. It wasn't enough to give IIS_IUSRS permissions on the folders containing the app ...I needed to give IUSR permissions, as well.
Problem solved. Thanks, ben f!
I have one asp.net web application.
It is using two membership provider.
Two sign-in pages one for each provider.
Now i have two folders in root Folder1 & Folder2
Folder1 uses 1st membership provider
Folder2 uses 2nd membership provider
I got almost everything working including signin, create user etc in both provider.
Only issue is in Form authentication i can define only one loginpath. So when session expires or need login to access secure pages. it can only redirct to one sign in page.
Also that section can't be defined by location. by application only.
How can i get folder2 to use 2nd sign in page?
if there is anything i can define by location?
See How to override/change FormsAuthentication LoginUrl in certain cases
It appears from various people researching, that you cannot tell FormsAuthentication to have two different Login pages. But there is nothing preventing you from creating some base page class or other code in your two folders that can determine which login page to direct to. Or, I think that the Application_BeginRequest event fires before the FormsAuthentication module fires, so you could examine requests before they get redirected by FormsAuthentication. Either way though, you would be forced to allow anonymous users to Folder1 and Folder2, which is not ideal.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN
For centralized administration,
settings can be applied in the
Machine.config file. The settings in
the Machine.config file define
machine-wide policy and can also be
used to apply application-specific
configuration using <location>
elements. Developers can provide
application-configuration files to
override aspects of machine policy.
For ASP.NET Web applications, a
Web.config file is located in the
application's virtual root directory
and optionally in subdirectories
beneath the virtual root.
If you would like 1 login location and different access levels you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" />/*admin, root is allowed */
<deny users="*" />
</authorization>
<system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" />/*admin is allowed */
<deny users="*" />
</authorization>
<system.web>
</location>
Users can belong to more than one
role. For example, if your site is a
discussion forum, some users might be
in the role of both Members and
Moderators. You might define each role
to have different privileges on the
site, and a user who is in both roles
would then have both sets of
privileges.
You can access all these element at
the code level if you would like to
manipulate the roles/authentication
programmatically
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Additional Links
Using 2 Membership Providers in asp.net
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified