I have a web application deployed on IIS with IP domain say 192.168.0.105:1009.
User has login authentication in application with userid and password with userid and password saved in database.
There is a folder in application say MyResource. How can i control the access control of this folder to any unauthorized user.
If someone type the url 192.168.0.105:1009/MyResource/1.xls, it should validate the user authentication. If user not authorised, access should be denied.
You can do as below explanation.
Configure Access to a Specific File and Folder, Set up forms-based authentication.
Request any page in your application to be redirected to Logon.aspx automatically.
In the Web.config file, type or paste the following code.
This code grants all users access to the Default1.aspx page and the Subdir1 folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Users can open the Default1.aspx file or any other file saved in the Subdir1 folder in your application. They will not be redirected automatically to the Logon.aspx file for authentication.
Repeat configuration Step to identify any other pages or folders for which you want to permit access by unauthenticated users.
For more Reference check Microsoft support page - https://support.microsoft.com/en-us/kb/301240
And also you can check http://www.iis.net/configreference/system.webserver/security/authorization
Related
I've got a webapp running that needs users to login.
Webconfig:
<!--Logging in stuff-->
<authentication mode="Forms">
<forms loginUrl="login.aspx" timeout="2880"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
And in the login.aspx page (doubled checked the name) I have the following logic after verifying the user credentials using my own database:
if (checkCredentials.searchCredentials(attemptedName, passwordBox.Text) != null)
{
FormsAuthentication.RedirectFromLoginPage(attemptedName,false);
}
I know the if statement works, as it did with a previous method I used for logging in.
However, when I run the application, the login page opens up immediately with error 401.2. Help would be much appreciated :)
I am posting another answer since this deals with the typical problem of using Visual Studio 2017 with forms authentication, and is an alternate to my previous answer.
Visual Studio 2017 will automatically add a NuGet package called Microsoft.AspNet.FriendlyUrls to your website or web app project. Because of this package, forms authentication will not work and even the login page will not render many times.
The solution explained in my previous answer is to remove this
package or comment the line in Application_Start event in global.asax
that says RouteConfig.RegisterRoutes(RouteTable.Routes);. Your website will lose the benefits of friendlyUrls if you use this approach.
But, there is a third solution that is mentioned in two different CONFIGURATIONS below; you can use either of them.
CONFIGURATION 1 removes the aspx extension from login and defaultUrl
values.
CONFIGURATION 2 keeps the aspx extensions but adds special access
permissions for freindlyurl corresponding to login.aspx.
(? in access permission means all unauthenticated users and * means all users i.e. authenticated + unauthenticated users)
NOTE: I have tried and tested this solution.
CONFIGURATION 1 for Forms authentication config when using Friendly Urls
<authentication mode="Forms">
<forms loginUrl="login" defaultUrl="home"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
CONFIGURATION 2 for Forms authentication config when using Friendly Urls
<system.web>
<!--keep the aspx extensions for login and default pages-->
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="home.aspx"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
</system.web>
<!-- add access permissions for friendly url corresponding to login.aspx-->
<location path="login">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
Since you are using Visual Studio 2017, the first thing you need to check is if Microsoft.AspNet.FriendlyUrls package is included. Go through following steps.
comment the line in Global.asax that says
RouteConfig.RegisterRoutes(RouteTable.Routes); and try your page now. But, make sure to clear the cache in your browser else the old cached version of this URL with 401.2 error will keep showing.
If you still see some issues, then just remove the above package by
selecting Solution node in solution explorer and then going to Tools
=> NuGet Package Manager => Manage Packages for solution; check in Installed list for this package, select it and select the solution
checkboxes on right,then click on uninstall button.
Below are some other things that you need to make sure.
Try changing your forms tag in web config to following. Change the value of defaultUrl and timeout according to your requirements.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="home.aspx"
slidingExpiration="true" timeout="20" name=".Auth" protection="All">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Also, your C# code must be in Login button click event; if it's anywhere else then also you could see issues.
Allow Login.aspx for all unauthenticated users. Add this configuration just before </configuration> at end of web config file. Enter the path for Login.aspx if its not in root like Security/login.aaspx if the page is under Security folder of root.
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?" />
<deny users="*" />
</authorization>
</system.web>
</location>
Open the IIS Management console by going to Control Panel > Administrative Tools > Internet Information Services Manager. Then, expand the websites node and select the website you are using. Now double click Authentication in right pane and make sure Anonymous and Forms authentication are enabled and other options are disabled as shown in following screenshot: Security settings in IIS website
You can check to see if you have this kind of entry. If so, you could try remove it.
<system.webServer>
<modules>
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
Just in case it will helps someone.
I have an IIS8 site which runs ASP.NET 4.0 using Windows Authentication.
In my IIS Authentication Settings, all are disabled except Windows Authentication. Users are able to authenticate properly and use the site as intended.
However, I now have an Uploads folder which contains images which I want to expose to non-authenticated users from other applications.
In my web.config files I have the following lines that relate to Authentication/Authorization:
<system.web>
<authentication mode="Windows"/>
</system.web>
<location path="Uploads">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
How do I allow anonymous access to the uploads folder, while keeping Windows Authentication for everything else? Currently they have to login to the other application, and then when accessing images from the site in question, they have to authenticate in order to gain access to them.
Also, the location path is relative to the web.config file correct?
Edit: Not sure if this matters, but our site is both internally and externally available. If access from computers on our domain, it logs in automatically, if it's a computer that is not on the domain, they are redirected to a login page.
I found the answer on another question: Allow anonymous authentication for a single folder in web.config?
First, I had to go into C:\Windows\System32\inetsrv\config\applicationHost.config
Search for this line , and change to "Allow" instead of "Deny"
Then put the code below into web.config file
Code:
<location path="Path/To/Public/Folder">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
What you need to do is remove the "Deny" rule for anonymous since it gets inherited it will still block users, something like:
<system.webServer>
<security>
<authorization>
<remove users="?" roles="" verbs="" />
<allow users="*" />
</authorization>
</security>
</system.webServer>
Indeed the location path is relative to the folder where the web.config is located.
I also just noticed that you are using system.web instead of system.webServer which is the one you should be using.
I'm trying to get user's windows login from the server and all methods that I tried are returning the network's details.
I did put <identity impersonate="true"> in my web.config but no help.
here's my webconfig:
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="ValidationSettings:UnobtrusiveValidationMode" value="None"/>
</appSettings>
<system.web>
<authentication mode="Windows"/>
<identity impersonate="true"/>
<compilation targetFramework="4.5" debug="true"/>
<httpRuntime targetFramework="4.5"/>
<sessionState timeout="20"/>
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
</system.webServer>
</configuration>
and here's my C# call:
string id1 = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
string id2 = Page.User.Identity.Name;
string id3 = Request.LogonUserIdentity.Name;
ALL 3 RETURNS EMPTY OR WITH NETWORK DETAILS. any solution??
If your entire web site requires Windows authentication, you should make sure that Anonymous Authentication is disabled. To do so:
Open the Internet Information Services (IIS) Manager.
Select your web application and open the Authentication feature.
Make sure "Anonymous Authentication" is disabled and "Windows Authentication" is enabled.
Once anonymous authentication is disabled, your code for id2 or id3 will have the Windows logon information. Your id1 code will report the identity of the application pool.
If only part of your web site requires authentication and other parts do not, then your web.config should define authorization rules (and Anonymous Authentication should remain enabled). For example, you can deny access by anonymous users to all pages by default but specifically allow anonymous access to Default.aspx.
<configuration>
<system.web>
...
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
Windows authentication does not require your application to implement a login process. It will issue the authentication challenge to the browser. Some browsers like IE will supply the Windows credentials automatically and others like Firefox will present a login prompt.
I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site ( urlXXX:portYY/Client.aspx)
However, when I remove the "/Client.aspx" part from the URL, I get into the project directory and this should not be possible. (So far, I am running the project just on localhost.)
Is there any way, how restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site, however, even then the visitor is able to get into the directory containing that site.
You should be able to control explicit access using your web.config. Have a look at this example (exclaimer: I've copied this straight from this MS page):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT: Take a look at this question for more info on denying access to explicit folders as well.
So, basically I have managed to find a workaround, by adding the following code into the Web.config:
<system.webServer>
<defaultDocument>
<files>
<add value="Client.aspx" />
</files>
</defaultDocument>
</system.webServer>
...which makes the Client a default web-page, thus preventing to see the directory. However, I will leave this topic open in case someone comes with a more elaborate and sophisticated solution.
I have a web application and it has its default web.config with all the needed settings so now I need to create a folder and in that folder I am implementing a Login page using the same membership tables as for the parent application. I am trying to allow certain roles to access that folder, I tried adding a web.config in that folder with the following mark up:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
The issue I am having is that when I add this and I attempt to login, it sends me to the parent login page with a ReturnUrl and thats because the parent has this line in the web config:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="20160" />
</authentication>
So i decided to add that to the web.config in the folder but with the correct url:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/pages/customerlogin.aspx" timeout="20160" />
</authentication>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
But now its telling me that this error:
Exception Details: System.Web.HttpException: Could not load type 'Intelligencia.UrlRewriter.RewriterHttpModule'.
I guess my question is, what should i be adding to that child web.config so it works?, doesnt it inherit from the parent all of the other things it needs?. This is the first time I worked in these kind of issues of web.config settings in a subfolder.
NOTE (UPDATE) : The folder was converted to an Application
If you don't want to inherit from the parent web.config then in your child web.config you can add the following line as the first child element of the config section you don't want to inherit.
Example child config
<system.web>
<clear />
<!-- add child config settings here -- >
</system.web>
When you say:
<deny users="?"/>
you are saying that you don't allow user who are not identified to execute the pages before the login.
Only after that login you can evaluate the user role.
Because of that you only should have one login page and based on the roles of the users redirect them to the different sub-site.
If the folder is now an application, it need the entire configuration file.