Im using C# and ASP.NET.
I have this file structure on my website:
~\Admin\SecuredFolder\ManageWebsite.aspx
~\Admin\Login.aspx
~\Homepage.aspx
What i'm trying to achieve is pretty much simple but i guess all my attempts till now turned out too complex and i'm kinda confused.
my goals:
Homepage.aspx and Login.aspx should be public for all (anonymous users)
SecuredFolder should be for logged users ONLY (ie: admin users). Whoever attempt to access any page in this folder (without being logged) should be redirected to login page.
Once login succeeds it will successfully redirect to ManageWebsite.aspx
I know this supposed to be a simple implementation but i feel like I have not internalized it properly yet.
Hope any of you could provide me an example.
Put this webconfig in securedfolder ~\Admin\SecuredFolder\
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?"/>
</authorization>
</system.web>
</configuration>
put this in webconfig of root folder ~\
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" timeout="2880" />
</authentication>
<location>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To your root web.config add these to make Homepage and Login aspx pages public
<location path="Homepage.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Inside the Secure folder add a web.config file and to that add these to allow all contents inside SecuredFolder to be accessible only to Admin roles
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
After successful authentication, in Login.aspx, check the users role, if the role is that of Admin, redirect him to the ManageWebsite.aspx page
Place a web.config in your SecuredFolder and add
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users ="*" />
</authorization>
</system.web>
</configuration>
Now it will only allow the logged in(admin) user to access its contents.
You can also add <authentication> to your root web.config to automatically redirect an unauthorized user to the login page.
<authentication mode="Forms">
<forms loginUrl="~\Admin\Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Homepage.aspx" path="/"/>
</authentication>
Related
I am trying to deny access to my admin folder which is off root but it is saying that its inlvalid element. Yet I am using it within my web.config I dont want to post it in its entirity.
What I need is the ability to force login to the backdoor folder and anything that is in root allow annoymous access.
<authentication mode="Forms">
<forms loginUrl="~/BackDoor/Login.aspx">
</forms>
<location path="~/BackDoor/">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</authentication>
The location element must be defined outside of system.web:
<configuration>
<system.web>
<authentication mode="Forms">
<-- loginUrl should be a page that anonymous users can access -->
<forms loginUrl="~/BackDoorLogin.aspx">
</forms>
</authentication>
</system.web>
<location path="~/BackDoor/">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The scenario is :
I am working on role based project in vs2005 and sql server2005.
I defined the role in database and added custom role provider. I have two roles like "admin" and "user". I created two folder in project and placed the pages in these folder (admin and user) according to roles. Now I want to add code in web.config for accessing the pages according to roles means admin can see only admin folder pages and user can see only user folder pages.
If I define only one page for admin and one page for user in tag with roles authorization then they work fine. But if I used more than one pages in both folder then I need to define all pages in web.config file for both.
I used location tag like this
<location path="user/userpage1.aspx">
<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Is there any possibility to assign a role for a folder instead of a page in tag.
If yes, Please give some valuable ideas to implement this.
Updates
I added these two location tags in my web config
<!--allow admin role members-->
<location path="admin/adminpage1.aspx">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--allow user role members-->
<location path="user/userpage1.aspx">
<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Doesn't the following work for you?
<location path="folder">
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>
</location>
what works for me in the following configuration:
<location path="Content/Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="Admin,Manager,Client" />
<deny users="?" />
</authorization>
</system.web>
allowing anonymous access while in general it's not allowed.
Our you can put in a sub folder a separate location-agnostic Web.config:
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>
Why when I have forms authentication selected as below in my web config does it go to login.aspx for the request of file default.aspx which is in the root not the ~/account folder any suggestions for what i need to check thanks
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<location path="~/WebResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/Account">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="img">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/ScriptResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/contactus.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Telerik.Web.UI.WebResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To allow anonymous users access Default.aspx is root you should try:
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
You have a rule to explicitly let people view contactus.aspx, but no matching rule for default.aspx. Try adding a rule for that area.
I'm assuming you have a deny all rule somewhere that you haven't shown? You could always grant access to all of your site and then explicitly deny access to just /account as you have done.
What is in your authentication section of the web.config?
Its' been a while but I think you have to explicitly grant access to things I think by default it is classed as locked down?
So you will need a root level grant permission.
Add following block in web.config if you wish all users to visit the page without login
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
it sets to allow anonymous users to this page
My question is rather naive and I apologize for that .My web config file for a restricted access folder is as follows
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Now this applies to all the pages in the folder,is there a way I can modify it such that any user with the role Member will have access to say only members.aspx while Admin will have access to a whole bunch of pages .
I guess I could do it by creating different folders and storing different pages in the them and assigning the webconfig as needed but I was wondering if it was possible to have page level authorization (based on roles) in a single folder
Thanks !
You can specify access to different specific URLs in your site by using location elements. Note that you can configure all locations from your parent web.config; having multiple web.config files for this is not necessary.
<location path="members.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="adminsonly.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
I have an ASP.NET Website. I want to restrict the Admin Folder to only users who are of 'Admin Role' in this SQL Server Table: tbl_Users_Admin having columns UID, PWD, Name, Role, Status). The rest of all the root pages I want to be publicly accessible by any user.
I will not be using ASP.NET Membership.
Admin User is just given the URL (https://www.Website.com/Admin/Login.aspx).
I have two Login.aspx pages in the root as well as in the Admin Folder.
I tried to resolve it through the Forms Authentication, but I am unable to resolve it.
Few forums suggested to create two different Web.Config files (one for root folder of website and another for Admin Folder), but it seems to be an inefficient way to me.
But I have not been successful to resolve it otherwise.
Although I have tried to do this using the as follows in the web.config file at root:
<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Admin/Login.aspx" name=".ASPXFORMSAUTH" defaultUrl="/Admin/Login.aspx" >
</forms>
</authentication>
<authorization>
<allow roles="administrators" />
<allow users="admin" />
<deny users="?" />
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="20">
</sessionState>
<customErrors defaultRedirect="~/Admin/ErrorPages/Error.aspx" mode="On">
<error statusCode="404" redirect="~/Admin/ErrorPages/Error.aspx" />
</customErrors>
<compilation debug="true">
<codeSubDirectories>
<add directoryName="CSharp"/>
<add directoryName="VB"/>
</codeSubDirectories>
</compilation>
</system.web>
</location>
And for the rest of the root pages (Public Pages):
<system.web>
For rest of the root pages (Public Pages)
</system.web>
You don't need to add the Admin folder in the web.config.
Just add the following in the web.config under the configuration section.
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>