Asp.net mvc restrict specific users to access folder content - c#

I am trying to restrict users (except admin) from accessing my images folder. For example the path is:
~/content/images/coverBeg.jpg
If the user navigates to domain/content/images/coverBeg.jpg, he can see the file.
I've tried different sorts of things but none of them worked for me. In the web config file I've added:
<location path="~/content/images">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</location>
With no success. After that I've added a web config file to the images folder and added those lines of code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</configuration>
This didn't work for me either. Still everyone can access the coverBeg.jpg file.

It's because static content, like images, is served directly by IIS, without involving the MVC pipeline.
To change that, you can do the following:
Add
<modules runAllManagedModulesForAllRequests="true" />
to the <system.webServer> section of the site's web.config. It will run the MVC pipeline for every request, including static files - like css, js and images.
Then your config from above will work (I mean your 2nd approach).

Related

How to secure files behind session?

I have links to static files that people can access in my application. However they can access these files without logging in. I'd like the static files to be behind login. How can I achieve this? I just access them directly by URL. I tried making a method but still the static files are accessible.
You can make a Web.config file in the downloads folder with content like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles ="administrator"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>

web.config - Deny access to a specific folder and content

The objective:
Deny access for anonymous users to a specific folder and its content in the web.config file.
The problem
In that folder we have some folders and inside each folder we have html files,
Example:
"Demos/beta1/index.html"
"Demos/beta2/index.html"
If we enter the following URL in the browser ("Demos/beta1/index.html"), the authorization is not working for anonymous users. Why?
<?xml version="1.0"?>
<configuration>
<location path="Demos" allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>

Preventing getting to other URL of web service

I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site ( urlXXX:portYY/Client.aspx)
However, when I remove the "/Client.aspx" part from the URL, I get into the project directory and this should not be possible. (So far, I am running the project just on localhost.)
Is there any way to restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site, however, even then the visitor is able to get into the directory containing that site.
You should be able to control explicit access using your web.config. Have a look at this example (disclaimer: I've copied this straight from this MS page):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT: Take a look at this question for more info on denying access to explicit folders as well.
So, basically I have managed to find a workaround, by adding the following code into the Web.config:
<system.webServer>
<defaultDocument>
<files>
<add value="Client.aspx" />
</files>
</defaultDocument>
</system.webServer>
...which makes the Client the default web page, thus preventing the directory from being seen. However, I will leave this topic open in case someone comes up with a more elaborate and sophisticated solution.

How to apply form authentication for some web pages

Please consider this scenario:
I have a project that contains some web pages. I added forms authentication based on Active Directory for all my web pages. For example:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<authorization>
<deny users="?" />
</authorization>
Now I want to exclude some pages from forms authentication. How can I exclude some pages in web.config?
Thanks
Put your page in a separate directory and modify the web.config accordingly. You can also do this:
<configuration>
<location path="CreateAccount.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
More discussions
link1
Excluding pages from forms auth - ASP.NET
One easy way of doing it is to make a separate folder within your application for public pages. In that folder you place all the pages that you want to be excluded from authentication. Then you place a web.config within that folder with only the authentication settings, like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

Forms Authentication Not Working After Publish

I have been working on a website project which restricts access to a certain folder for anonymous users and allows access to the folder for those who are logged in.
This has been working perfectly on my development machine.
However since publishing the website and deploying to a web server (Windows Server 2008, IIS7) the forms authentication appears not to be working. Anonymous users are able to access the "restricted" folder.
I have compared the webconfig on both the development machine and the web server and they are exactly the same.
I set up the access/restriction to the directory on the development machine using the Web Site Administration Tool built into the .NET Framework using this tutorial. However I understand this tool is localhost only?
Please note: I am not using the asp.net login and registration controls. I am using a custom function in the code behind (C#)
Is this problem caused by the change of location?
The development machine directory: C:\Users\Megatron\Documents\Visual Studio 2010\Projects\Osqar - v0.2\OSQARv0.1
The Web server Directory: C:\inetpub\wwwroot\Osqar
I am a little lost here so any advice would be greatly appreciated.
Here is the web config file
<?xml version="1.0" encoding="UTF-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="dbConn" connectionString="data source=mssql.database.com; Initial Catalog=devworks_oscar;User ID=myusername;Password=password" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name="Osqar" loginUrl="/login/login.aspx" protection="All" path="/" timeout="60" />
</authentication>
<compilation debug="true" />
<pages />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
The authorization section seems to be missing (?). You should have something like
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Without the information about the required level of authorization (deny anonymous users), the application server will let everyone go everywhere.
Put this under the <configuration> main tag, like:
<configuration>
<location path="~/RestrictedFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
....
If you're restricting specific files, do:
<location path="~/securedpage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Make these changes to the web.config in the deployed project.
Alternatively as Wiktor suggested use to block anonymous access to the website as a whole.
Put it under <system.web>, possibly before or after the <authentication> tag:
<authorization>
<deny users="?"/>
</authorization>
Or create a folder under the root of your project and put secured pages inside that folder. Right-click on the folder, add a new web.config file and put the following under the <system.web> tag:
<authorization>
<deny users="?"/>
</authorization>
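
The rule sets quoted across these threads all depend on ASP.NET URL authorization taking the first matching rule and falling back to an allow-everyone default. As an added example (not code from any of the posts), this Python sketch parses an <authorization> block and evaluates it for a given user; the function names, sample users and case-insensitive matching are assumptions of the sketch, and it models rule order only, not whether IIS passes the request to the managed pipeline.

```python
import xml.etree.ElementTree as ET

def _split(value):
    # Comma-separated attribute -> lower-cased list (case-insensitivity is assumed here).
    return [v.strip().lower() for v in (value or "").split(",") if v.strip()]

def parse_rules(config_xml, location=None):
    """Return [(action, users, roles)] in document order.
    location=None reads the top-level <system.web>; otherwise the
    <location path="..."> block whose path matches."""
    root = ET.fromstring(config_xml)
    scope = root
    if location is not None:
        scope = next((loc for loc in root.findall("location")
                      if loc.get("path", "").lower() == location.lower()), None)
        if scope is None:
            return []
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
            for r in scope.findall("system.web/authorization/*")
            if r.tag in ("allow", "deny")]

def is_allowed(rule_sets, user=None, roles=()):
    """First matching rule wins. rule_sets is ordered nearest config first
    (folder web.config, then its parents). If nothing matches, the
    machine-level default <allow users="*"/> lets the request through."""
    name = (user or "").lower()          # empty name == anonymous ("?")
    held = {r.lower() for r in roles}
    for rules in rule_sets:
        for action, users, rule_roles in rules:
            hit = ("*" in users or ("?" in users and not name)
                   or (name and name in users) or bool(held & set(rule_roles)))
            if hit:
                return action == "allow"
    return True

# Constructed samples mirroring the configs quoted on this page.
FOLDER_CONFIG = """<configuration><system.web><authorization>
  <allow roles="Admin"/><deny users="*"/>
</authorization></system.web></configuration>"""
NO_AUTHZ_CONFIG = """<configuration><system.web>
  <authentication mode="Forms"/>
</system.web></configuration>"""
LOCATION_CONFIG = """<configuration><location path="Demos"><system.web>
  <authorization><deny users="?"/></authorization>
</system.web></location></configuration>"""

if __name__ == "__main__":
    folder = [parse_rules(FOLDER_CONFIG)]
    print("anonymous, images folder:", is_allowed(folder))
    print("alice (Admin), images folder:", is_allowed(folder, "alice", ["Admin"]))
    print("anonymous, no <authorization>:", is_allowed([parse_rules(NO_AUTHZ_CONFIG)]))
```

The third case shows the failure from the "Not Working After Publish" thread: a config with forms authentication but no <authorization> rules evaluates to allow for anonymous users.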
