web.config - Deny access to a specific folder and content - c#

The objective:
Deny access for anonymous users to a specific folder and its content in the web.config file.
The problem
In that folder we have some folders and inside each folder we have html files,
Example:
"Demos/beta1/index.html"
"Demos/beta2/index.html"
If we enter the following URL in the browser ("Demos/beta1/index.html"), the authorization is not working for anonymous users. Why?
<?xml version="1.0"?>
<configuration>
<location path="Demos" allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>

Related

How to secure files behind session?

I have links to static files that people can access in my application. However they can access these files without logging in. I'd like the static files to be behind login. How can I achieve this? I just access them directly by URL. I tried making a method but still the static files are accessible.
You can make a Web.config file in the downloads folder with content like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles ="administrator"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>

Asp.net mvc restrict specific users to access folder content

I am trying to restrict users(except admin) to access my folder images. For example the path is:
~/content/images/coverBeg.jpg
If the user navigates to domain/content/images/coverBeg.jpg, he can see the file.
I've tried different sorts of things but none of them worked for me. In the web config file I've added:
<location path="~/content/images">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</location>
With no success. After that I added a web config file to the images folder and added those lines of code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</configuration>
This didn't work for me either. Still everyone can access the coverBeg.jpg file.
It's because static content, like images, are served directly by IIS, not involving MVC pipeline.
To change that, you can do the following:
add
<modules runAllManagedModulesForAllRequests="true" />
to <system.webServer> section of site's web.config. It will run MVC pipeline for every request, including static files - like css, js and images.
Then your config from above will work (I mean your 2nd approach).
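An added example (not code from the original posts) that models how the `<allow>`/`<deny>` rules above are evaluated, most specific scope first with the first match deciding, and checks whether the `<modules>` switch from the answer is set so the rules also cover static files. The sample config, function names and user names are constructed; the `verbs` attribute and nested web.config files are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's folder rules plus the <modules> switch from the answer.
SAMPLE = """<?xml version="1.0"?>
<configuration>
  <location path="content/images">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>"""

def _items(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _matches(rule, user, roles):
    users = _items(rule.get("users"))
    if "*" in users or (user is None and "?" in users):  # "?" = anonymous only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(_items(rule.get("roles")) & {r.lower() for r in roles})

def rules_for(root, url_path):
    """Rules that apply to url_path: most specific <location> first, site-wide last."""
    target = url_path.strip("/").lower()
    scopes = [(n.get("path", "").strip("/").lower(), n) for n in root.iter("location")]
    scopes = [(p, n) for p, n in scopes if target == p or target.startswith(p + "/")]
    scopes.sort(key=lambda s: len(s[0]), reverse=True)
    nodes = [n for _, n in scopes] + [c for c in root if c.tag == "system.web"]
    return [r for n in nodes for a in n.iter("authorization") for r in a]

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule decides; with no match the default is allow."""
    for rule in rules_for(ET.fromstring(config_xml), url_path):
        if _matches(rule, user, roles):
            return rule.tag == "allow"
    return True

def static_files_checked(config_xml):
    """True when managed modules (and so these rules) also run for static files."""
    return any(m.get("runAllManagedModulesForAllRequests", "").lower() == "true"
               for m in ET.fromstring(config_xml).iter("modules"))
```

A path can be denied by `is_allowed` and still be served when `static_files_checked` is false, which is the symptom both questions above describe.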

How to apply form authentication for some web pages

Please consider this scenario:
I have a project that contains some web pages. I added form authentication based on Active Directory for all my web pages. For example:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<authorization>
<deny users="?" />
</authorization>
Now I want to exclude some pages from form authentication. How can I exclude some pages in web.config?
Thanks
Put your page in a separate directory and modify the web.config accordingly. You can also do this:
<configuration>
<location path="CreateAccount.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
More discussions
Excluding pages from forms auth - ASP.NET
One easy way of doing it is to make a separate folder within your application for public pages. In that folder you place all the pages that you want to be excluded from authentication. Then you place a web.config within that folder with only the authentication settings, like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

Web.config settings

I have a web application and it has its default web.config with all the needed settings so now I need to create a folder and in that folder I am implementing a Login page using the same membership tables as for the parent application. I am trying to allow certain roles to access that folder, I tried adding a web.config in that folder with the following mark up:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
The issue I am having is that when I add this and I attempt to log in, it sends me to the parent login page with a ReturnUrl, and that's because the parent has this line in the web config:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="20160" />
</authentication>
So I decided to add that to the web.config in the folder but with the correct URL:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/pages/customerlogin.aspx" timeout="20160" />
</authentication>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
But now it's giving me this error:
Exception Details: System.Web.HttpException: Could not load type 'Intelligencia.UrlRewriter.RewriterHttpModule'.
I guess my question is, what should I be adding to that child web.config so it works? Doesn't it inherit from the parent all of the other things it needs? This is the first time I have worked on these kinds of issues with web.config settings in a subfolder.
NOTE (UPDATE) : The folder was converted to an Application
If you don't want to inherit from the parent web.config then in your child web.config you can add the following line as the first child element of the config section you don't want to inherit.
Example child config
<system.web>
<clear />
<!-- add child config settings here -->
</system.web>
When you say:
<deny users="?"/>
you are saying that you don't allow users who are not identified to execute the pages before the login.
Only after that login can you evaluate the user role.
Because of that you should only have one login page and, based on the roles of the users, redirect them to the different sub-sites.
If the folder is now an application, it needs the entire configuration file.

Restricting file access to certain users

I have a site, into which users log in using forms authentication, in which I want to restrict access to files in a particular folder to certain users.
So, for instance, folder dir/foo will be accessible to user1 but not user2 or user3 and folder dir/bar will be accessible to user2 but not user1 or user3.
How can I do this?
Use roles, then set up the locations in web.config:
<location path="foo">
<system.web>
<authorization>
<allow roles="fooUsers"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
OR
For each folder created, add a new web.config to the folder root:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="folderUsers"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Check the <location> element of web.config.
