How to apply form authentication for some web pages - c#

Please consider this scenario:
I have a project that contains some web pages. I added form authentication based on Active Directory for all my web pages. For example:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<authorization>
<deny users="?" />
</authorization>
Now I want to exclude some pages from form authentication. How can I exclude some pages in web.config?
thanks

Put your page in a separate directory and modify the web.config accordingly. You can also do this:
<configuration>
<location path="CreateAccount.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
More discussions
link1
Excluding pages from forms auth - ASP.NET

One easy way of doing it is to make a separate folder within your application for public pages. In that folder you place all the pages that you want to be excluded from authentication. Then you place a web.config within that folder with only the authentication settings, like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>

Related

Asp.net mvc restrict specific users to access folder content

I am trying to restrict users (except admin) from accessing my images folder. For example, the path is:
~/content/images/coverBeg.jpg
If the user navigates to domain/content/images/coverBeg.jpg, he can see the file.
I've tried different sorts of things but none of them worked for me. In the web config file I've added:
<location path="~/content/images">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</location>
With no success. After that I've added a web config file to the images folder and added these lines of code:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users ="*" />
</authorization>
</system.web>
</configuration>
This did not work for me either. Everyone can still access the coverBeg.jpg file.
It's because static content, like images, is served directly by IIS, without involving the MVC pipeline.
To change that, you can do the following:
add
<modules runAllManagedModulesForAllRequests="true" />
to <system.webServer> section of site's web.config. It will run MVC pipeline for every request, including static files - like css, js and images.
Then your config from above will work (I mean your 2nd approach).

How to avoid Form Authentication for 2 pages

I have used Form Authentication in my web project. I don't want Form Authentication for two pages. How can I avoid this?
Write the following location tags, replacing the Logout.aspx and Login.aspx page names with the names of your two pages.
<location path="Logout.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can add a section to the config to allow anonymous access to certain pages:
<configuration>
<location path="Welcome.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Use the <location> element to 'granulate' the authentication requirements:
<location path="path/to/resource">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Other than the MSDN documentation, this is a reasonable post on setting authorization rules, too.
You can also place separate, dedicated web.config files within sub-directories to have self-contained control within that directory - I'm not fond of this though, and much prefer a nicely structured root configuration.

Forms Authentication Not Working After Publish

I have been working on a website project which restricts access to a certain folder for anonymous users and allows access to the folder for those who are logged in.
This has been working perfectly on my development machine.
However since publishing the website and deploying to a web server (Windows Server 2008, IIS7) the forms authentication appears not to be working. Anonymous users are able to access the "restricted" folder.
I have compared the webconfig on both the development machine and the web server and they are exactly the same.
I set up the access/restriction to the directory on the development machine using the Web Site Administration Tool built into the .NET Framework using this tutorial. However I understand this tool is localhost only?
Please note: I am not using the asp.net login and registration controls. I am using a custom function in the code behind (C#)
Is this problem caused by the change of location?
The development machine directory: C:\Users\Megatron\Documents\Visual Studio 2010\Projects\Osqar - v0.2\OSQARv0.1
The Web server Directory: C:\inetpub\wwwroot\Osqar
I am a little lost here so any advice would be greatly appreciated.
Here is the web config file
<?xml version="1.0" encoding="UTF-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="dbConn" connectionString="data source=mssql.database.com; Initial Catalog=devworks_oscar;User ID=myusername;Password=password" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name="Osqar" loginUrl="/login/login.aspx" protection="All" path="/" timeout="60" />
</authentication>
<compilation debug="true" />
<pages />
</system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
The authorization section seems to be missing (?). You should have something like
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Without the information about the required level of authorization (deny anonymous users), the application server will let everyone go everywhere.
Put this under the <configuration> main tag, like:
<configuration>
<location path="~/RestrictedFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
....
If you're restricting specific files, do:
<location path="~/securedpage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Do these changes to the web.config in the deployed project
Alternatively as Wiktor suggested use to block anonymous access to the website as a whole
put it under <system.web> possibly before or after <authentication> tag
<authorization>
<deny users="?"/>
</authorization>
Or create a folder under the root of your project and put secured pages inside that folder. R-click on the folder add new web.config file and put the following under the <system.web> tag
<authorization>
<deny users="?"/>
</authorization>

Different authorizations for different pages?

My question is rather naive and I apologize for that. My web config file for a restricted access folder is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Now this applies to all the pages in the folder. Is there a way I can modify it such that any user with the role Member will have access to, say, only members.aspx while Admin will have access to a whole bunch of pages?
I guess I could do it by creating different folders and storing different pages in them and assigning the web config as needed, but I was wondering if it was possible to have page-level authorization (based on roles) in a single folder.
Thanks !
You can specify access to different specific URLs in your site by using location elements. Note that you can configure all locations from your parent web.config; having multiple web.config files for this is not necessary.
<location path="members.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="adminsonly.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>

Restrict Admin Pages to Admin Users only

I have an ASP.NET Website. I want to restrict the Admin Folder to only users who are of 'Admin Role' in this SQL Server Table: tbl_Users_Admin (having columns UID, PWD, Name, Role, Status). The rest of all the root pages I want to be publicly accessible by any user.
I will not be using ASP.NET Membership.
Admin User is just given the URL (https://www.Website.com/Admin/Login.aspx).
I have two Login.aspx pages in the root as well as in the Admin Folder.
I tried to resolve it through the Forms Authentication, but I am unable to resolve it.
Few forums suggested to create two different Web.Config files (one for root folder of website and another for Admin Folder), but it seems to be an inefficient way to me.
But I have not been successful to resolve it otherwise.
Although I have tried to do this using the as follows in the web.config file at root:
<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Admin/Login.aspx" name=".ASPXFORMSAUTH" defaultUrl="/Admin/Login.aspx" >
</forms>
</authentication>
<authorization>
<allow roles="administrators" />
<allow users="admin" />
<deny users="?" />
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="20">
</sessionState>
<customErrors defaultRedirect="~/Admin/ErrorPages/Error.aspx" mode="On">
<error statusCode="404" redirect="~/Admin/ErrorPages/Error.aspx" />
</customErrors>
<compilation debug="true">
<codeSubDirectories>
<add directoryName="CSharp"/>
<add directoryName="VB"/>
</codeSubDirectories>
</compilation>
</system.web>
</location>
And for the rest of the root pages (Public Pages):
<system.web>
For rest of the root pages (Public Pages)
</system.web>
You don't need to add the Admin folder in the web.config.
Just add the following in the web.config under the configuration section.
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
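The rule orderings in the answers above differ in what they let through. As an added example (not code from any of the posts), this Python model applies first-match evaluation to the `adminsonly.aspx` rules and to the `Admin` folder rules; it assumes the framework's inherited `<allow users="*"/>` is the only rule after them, and the user names and the `access_table` helper are made up for the demonstration.

```python
import xml.etree.ElementTree as ET

# Rule lists copied from the page's snippets.
ADMINS_ONLY_PAGE = """<authorization>
  <allow roles="Admin" />
  <deny users="?" />
</authorization>"""

ADMIN_FOLDER = """<authorization>
  <deny users="?"/>
  <allow roles="Admin"/>
  <deny users="*"/>
</authorization>"""

# Assumption: the only inherited rule is the framework default, allow everyone.
DEFAULT_RULES = '<authorization><allow users="*"/></authorization>'

def _csv(value):
    return {s.strip() for s in value.split(",") if s.strip()}

def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    return [(el.tag, _csv(el.get("users", "")), _csv(el.get("roles", "")))
            for el in ET.fromstring(xml_text)]

def matches(rule, user, roles):
    """user is None for an anonymous request ('?'); '*' matches everyone."""
    _, users, rule_roles = rule
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    return user in users or bool(rule_roles & set(roles))

def is_allowed(xml_text, user=None, roles=()):
    """The first matching rule decides; local rules precede the default."""
    for rule in parse_rules(xml_text) + parse_rules(DEFAULT_RULES):
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return False

def access_table(xml_text):
    """Outcome for three constructed principals (names are made up)."""
    return {
        "anonymous": is_allowed(xml_text),
        "member": is_allowed(xml_text, "alice", ["Member"]),
        "admin": is_allowed(xml_text, "bob", ["Admin"]),
    }
```

In this model the `adminsonly.aspx` rules admit an authenticated user who holds only the Member role, because nothing denies them before the inherited allow. The `Admin` folder rules end in `<deny users="*"/>` and admit only Admin.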
