I have a web application and it has its default web.config with all the needed settings so now I need to create a folder and in that folder I am implementing a Login page using the same membership tables as for the parent application. I am trying to allow certain roles to access that folder, I tried adding a web.config in that folder with the following mark up:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
The issue I am having is that when I add this and I attempt to login, it sends me to the parent login page with a ReturnUrl and thats because the parent has this line in the web config:
<authentication mode="Forms">
<forms loginUrl="~/login.aspx" timeout="20160" />
</authentication>
So i decided to add that to the web.config in the folder but with the correct url:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/pages/customerlogin.aspx" timeout="20160" />
</authentication>
<authorization>
<allow roles="customers"/>
<deny users="?" />
</authorization>
</system.web>
</configuration>
But now its telling me that this error:
Exception Details: System.Web.HttpException: Could not load type 'Intelligencia.UrlRewriter.RewriterHttpModule'.
I guess my question is, what should i be adding to that child web.config so it works?, doesnt it inherit from the parent all of the other things it needs?. This is the first time I worked in these kind of issues of web.config settings in a subfolder.
NOTE (UPDATE) : The folder was converted to an Application
If you don't want to inherit from the parent web.config then in your child web.config you can add the following line as the first child element of the config section you don't want to inherit.
Example child config
<system.web>
<clear />
<!-- add child config settings here -- >
</system.web>
When you say:
<deny users="?"/>
you are saying that you don't allow user who are not identified to execute the pages before the login.
Only after that login you can evaluate the user role.
Because of that you only should have one login page and based on the roles of the users redirect them to the different sub-site.
If the folder is now an application, it need the entire configuration file.
Related
I have a web application deployed on IIS with IP domain say 192.168.0.105:1009.
User has login authentication in application with userid and password with userid and password saved in database.
There is a folder in application say MyResource. How can i control the access control of this folder to any unauthorized user.
If someone type the url 192.168.0.105:1009/MyResource/1.xls, it should validate the user authentication. If user not authorised, access should be denied.
You can do as below explanation.
Configure Access to a Specific File and Folder, Set up forms-based authentication.
Request any page in your application to be redirected to Logon.aspx automatically.
In the Web.config file, type or paste the following code.
This code grants all users access to the Default1.aspx page and the Subdir1 folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Users can open the Default1.aspx file or any other file saved in the Subdir1 folder in your application. They will not be redirected automatically to the Logon.aspx file for authentication.
Repeat configuration Step to identify any other pages or folders for which you want to permit access by unauthenticated users.
For more Reference check Microsoft support page - https://support.microsoft.com/en-us/kb/301240
And also you can check http://www.iis.net/configreference/system.webserver/security/authorization
I am doing a web service in .NET containing a server file (.asmx) and a client interface (.aspx). The visitors should be able to visit only the client aspx site ( urlXXX:portYY/Client.aspx)
However, when I remove the "/Client.aspx" part from the URL, I get into the project directory and this should not be possible. (So far, I am running the project just on localhost.)
Is there any way, how restrict getting into other parts of the solution? The only possibility I could think of is creating a separate project for the client aspx site, however, even then the visitor is able to get into the directory containing that site.
You should be able to control explicit access using your web.config. Have a look at this example (exclaimer: I've copied this straight from this MS page):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
EDIT: Take a look at this question for more info on denying access to explicit folders as well.
So, basically I have managed to find a workaround, by adding the following code into the Web.config:
<system.webServer>
<defaultDocument>
<files>
<add value="Client.aspx" />
</files>
</defaultDocument>
</system.webServer>
...which makes the Client a default web-page, thus preventing to see the directory. However, I will leave this topic open in case someone comes with a more elaborate and sophisticated solution.
Please consider this scenario:
I have a project that it contains some web pages.I add form authentication based on Active Direcotry for my all web pages.For Example :
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<authorization>
<deny users="?" />
</authorization>
Now I want to exclude some pages from form authentication.How I can exclude some pages in web.config?
thanks
Put your page in a separate directory and modify the web.config accordingly.and You can do this also
<configuration>
<location path="CreateAccount.aspx">
<system.web>
<authorization>
<allow users="?"/>
<authorization>
</system.web>
</location>
</configuration>
More discussions
link1
Excluding pages from forms auth - ASP.NET
One easy way of doing it is to make a separate folder within your application for public pages. In that folder you place all the pages that you want to be excluded from authentication. Then you place a web.config within that folder with only the authentication settings, like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I have been working on a website project which restricts access to a certain folder to annonymous users and allows access to the folder to those who are logged in.
This has been working perfectly on my development machine.
However since publishing the website and deploying to a web server (Windows Server 2008, IIS7) the forms authentication appears not to be working. Anonymous users are able to access the "restricted" folder.
I have compared the webconfig on both the development machine and the web server and they are exactly the same.
I set up the access/restriction to the directory on the development machine using the Web Site Administration Tool built into the .NET Framework using this tutorial. However I understand this tool is localhost only?
Please note: I am not using the asp.net login and registration controls. I am using a custom function in the code behind (C#)
Is this problem caused by the change of location?
The development machine directory: C:\Users\Megatron\Documents\Visual Studio 2010\Projects\Osqar - v0.2\OSQARv0.1
The Web server Directory: C:\inetpub\wwwroot\Osqar
I am a little lost here so any advice would be greatly appreciated.
Here is the web config file
<?xml version="1.0" encoding="UTF-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<connectionStrings>
<add name="dbConn" connectionString="data source=mssql.database.com; Initial Catalog=devworks_oscar;User ID=myusername;Password=password" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
<authentication mode="Forms">
<forms name="Osqar" loginUrl="/login/login.aspx" protection="All" path="/" timeout="60" />
</authentication>
<compilation debug="true" />
<pages /></system.web>
<system.webServer>
<defaultDocument>
<files>
<add value="index.aspx" />
</files>
</defaultDocument>
</system.webServer>
</configuration>
The authorization section seems to be missing (?). You should have something like
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
Without the information about the required level of authorization (deny anonymous users), the application server will let everyone go everywhere.
Put this under <cofiguraation> main tag like:
<configuration>
<location path="~/RestrictedFolder">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
....
if you're restricting specific files do:
<location path="~/securedpage.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Do these changes to the web.config in the deployed project
Alternatively as Wiktor suggested use to block anonymous access to the website as a whole
put it under <system.web> possibly before or after <authentication> tag
<authorization>
<deny users="?"/>
</authorization>
Or create a folder under the root of your project and put secured pages inside that folder. R-click on the folder add new web.config file and put the following under the <system.web> tag
<authorization>
<deny users="?"/>
</authorization>
I have an asp.net application with a web.config file in the root and uses Windows authentication by default.
I have an Admin folder that should have Forms authentication. for this, I have added a new web.config file in the Admin folder as below:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Now when I run a page inside the Admin folder, it gives me the below error:
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
How to Configure Forms Authentication for the pages inside the Admin folder only and leaving other pages for the Windows authentication which is the default?
thanks
I think this you will need to do something like
In your Admin folder web.config
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
In your root web.config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
Anyway this might help you Control Authorization Permissions in an ASP.NET Application