ASP.Net 4.5 Forms Authentication / Authorization not working - c#

I started with a default WebForms project with Individual Accounts. I have a bunch of content that I've built with database connections. I want to restrict all content to authenticated users with the exception of the default.aspx
I have successfully established the Identity table structures in my SQL database and can "register" new users. This all works fine. However, when I add the authentication setup to the web.config (see below), it all breaks.
<system.web>
<authentication mode="Forms">
<forms name=".FormsAuth" loginUrl="Login.aspx" protection="All" slidingExpiration="false" requireSSL="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I would expect this to allow me to view my Default.aspx page and redirect if I moved off of it. Instead it attempts to redirect to \account\login and fails with this message.
HTTP Error 404.15 - Not Found The request filtering module is
configured to deny a request where the query string is too long.
The ReturnURL is huge and seems to repeat itself. I've tried looking around for a start-from-scratch example but have not found one that works. This should be simple.
http://localhost:58573/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturn
Url%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FDefault

I figured this out. I had to remove the general "deny all anonymous" statement from web.config:
<!--<authorization>
<deny users="?"/>
</authorization>-->
...which I was trying to use to restrict ALL but the login page.
I moved all of my content into a few subfolders then called them out with the location tags and the same deny users statement.
<location path="System">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Reports">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
At this point it seems to be working "properly" and now redirects users to login.aspx if not authenticated.

The \account\login.aspx was denied because of the web.config.
...
<authorization>
<deny users="?"/>
</authorization>
When you redirect to the login page, because anonymous access is forbidden, you are redirected to the login page again, resulting in recursion.
You can create a web.config in the account folder. The content is like this:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>

Related

mvc5 secure aspx form pages based on user identity or role identity

MVC5 Application
Report Viewer + Rdlc + aspx included in cshtml (iframe) for view by controller
aspx forms are in a folder named ReportFolder
Even when not logged in I can access http://project/ReportFolder/report.aspx, so for security I did this:
<location path="ReportFolder" >
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
Now I am not able to access it even when the user is Admin and authenticated.
Usually allow nodes should always come before deny. Try this:
<location path="ReportFolder" >
<system.web>
<authorization>
<allow users="Admin"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

how to redirect user to login page after restricting them in asp.net

I restrict my users from accessing some pages.
Web.config code
<location path="Pages/Management.aspx">
<system.web>
<authorization>
<allow users="admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Pages/ShoppingCart.aspx">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
But when I try to access that page, instead of redirecting me to the login page it shows me this page:
Server Error in '/' Application.
The resource cannot be found.
My question is: how to redirect users to the login page?
Thank you
See the link that Enkode put above for some good info. You could also do something like this in the page's code-behind:
// Redirect the current user away from the page if they lack the required role
if (!User.IsInRole("str"))
{
    Response.Redirect("str");
}

How to allow / deny specific AD users & groups with WIF in a MVC web app

I followed this site to integrate WIF in my MVC web app: https://msdn.microsoft.com/en-us/library/hh291061.aspx
It works well, users can log in with SSO and anonymous users are forwarded to the SSO page.
I want to deny access to everyone but a certain AD group / user and I can't figure out where to place the rules.
I tried in system.web
<system.web>
<authentication mode="None" />
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*" />
</authorization>
</system.web>
But that doesn't seem to work, the specified allowed user is denied (401).
I tried in FederationMetadata and that didn't work either
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I can't for the life of me figure this out. Any suggestions?
You could change the web.config back to:
<authorization>
<allow users="*" />
</authorization>
And then perform your own authz, authn globally for the site in the HttpApplication.PostAuthenticateRequest.

Register.aspx redirects Anonymous users to Login page

I'm using asp.net Identity 2, In web.config under Account folder I have the following
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
The problem is that when I try to access the register.aspx it redirects me to the login page. I need unauthorized users to be able to access the registration page
You could use the allowOverride on a location to set the global deny authorization:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This will handle your redirect issue on Register, but will leave you having to make additional exceptions for your assets, such as images, scripts, and styles.
As an alternative approach, I find it easier trying to avoid having to manage massive lists of these location tags by leaving authorization to be done by directory. Maybe it makes sense to leave the shared assets and non-secured pages off the root level like this and put your secured pages in different subfolders you secure through web.configs inside those folders.
Project
/images/...
/styles/...
/secured/account.aspx
/secured/web.config (this is where you'd have your `deny` authorization)
/Register.aspx
/web.config (use allow all users at this level)
Now you can easily manage which users access which files, and it's much cleaner.

Controlling access with web.config

I am trying to control access to my website with windows integrated.
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
</authorization>
...
</system.web>
</configuration>
Except that this code isn't working: I can access it whether I'm a member of that group or not. What is wrong?
I looked through some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.
Thanks,
You do not have an explicit deny statement; you should add the following entry to the end of the declarations:
<deny users="*" />
And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:
<authorization>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
<deny users="*"/>
</authorization>
As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.
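Added example (not code from any of the posts on this page): a small Python model of how ASP.NET evaluates <authorization> rules, with first match winning, the most specific config consulted before its parent, "?" meaning anonymous and "*" meaning everyone. It reproduces the ReportFolder rule-ordering mistake, the login-page redirect loop from the first question, and the Windows-group rules in the answer above; the user names, role names and XML fragments in it are constructed.

```python
# Added example: a model of ASP.NET <authorization> evaluation.
# Rules are checked top to bottom and the first match wins; the most specific
# config (a <location> or a subfolder's web.config) is consulted before its
# parent.  "?" matches only anonymous users, "*" matches everyone.  The
# machine-level default is <allow users="*"/>, so a ruleset with no explicit
# deny falls through to "allowed".
import xml.etree.ElementTree as ET

ANONYMOUS = None  # an unauthenticated request carries no user name

def parse_rules(xml_fragment):
    """Return [(verb, kind, names)] from an <authorization> element."""
    root = ET.fromstring(xml_fragment)
    rules = []
    for el in root:
        for kind in ("users", "roles"):
            if el.get(kind):
                names = [n.strip() for n in el.get(kind).split(",")]
                rules.append((el.tag, kind, names))
    return rules

def is_allowed(rulesets, user, roles=()):
    """rulesets: <authorization> fragments, most specific first."""
    for fragment in rulesets:
        for verb, kind, names in parse_rules(fragment):
            if kind == "users":
                hit = ("*" in names
                       or (user is ANONYMOUS and "?" in names)
                       or (user is not ANONYMOUS and user in names))
            else:
                hit = user is not ANONYMOUS and any(r in names for r in roles)
            if hit:
                return verb == "allow"
    return True  # fell through to the machine-level <allow users="*"/>

# Constructed fragments mirroring the configs discussed on this page.
REPORTS_BROKEN = '<authorization><deny users="*"/><allow roles="Admin"/></authorization>'
REPORTS_FIXED = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'
WINDOWS_BROKEN = '<authorization><deny users="?"/><allow roles="DOMAIN\\Grp"/></authorization>'
WINDOWS_FIXED = '<authorization><allow roles="DOMAIN\\Grp"/><deny users="*"/></authorization>'
DENY_ANON = '<authorization><deny users="?"/></authorization>'
ALLOW_ALL = '<authorization><allow users="*"/></authorization>'

def login_redirect_loops(login_page_rulesets):
    """True when the page Forms auth sends anonymous users to is itself denied."""
    return not is_allowed(login_page_rulesets, ANONYMOUS)
```

With WINDOWS_BROKEN an authenticated user outside the group falls through to the default allow, which is exactly the "works whether I'm a member or not" symptom; WINDOWS_FIXED denies them.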
