I am currently working with my ASP.NET project. I use web.config settings to allow and deny services!
It works totally fine! Now I have a query (just for knowledge): if I use both deny and allow authentication, what will happen?
My code looks like this:
<system.web>
<authorization>
<deny users="user_name" />
<allow users="user_name" />
</authorization>
</system.web>
Thanks in advance!
Authorization elements are evaluated in the order they are given in the configuration file.
In your example, the user would be denied, as the deny entry is earlier in the list than the allow entry.
Note that your question is referring to ASP.NET URL Authorization Behaviour (i.e. the settings defined in system.web\authorization). The behaviour of IIS URL Authorization is quite different. See the "Differences Table" here.
I have an application with multiple areas. I have no problem navigating to any of them once logged in.
I've added a new 'Reports' area; now when I navigate to that area I get an 'Authentication Required' pop-up, which I think is something to do with Windows authentication, which isn't being used in the application.
I'm using <authentication mode="None" /> in web.config.
This only happens when the site is live and not local (which makes sense if it's a windows authentication issue).
All controllers in the areas use the same custom authentication attribute. Any ideas why I wouldn't be able to navigate to this new area even though going to the others is absolutely fine? Any ideas what I'm missing? I don't remember having to do anything in other areas to allow access.
Thanks.
I found the issue. The URL that was causing the issue was
www.domain.co.uk/reports
I remembered a while ago I was doing some testing using SSRS and set up the Report Manager URL as localhost/reports. This must have been causing the issue, as once I had changed the Report Manager URL I could access the URL I was having issues with as expected.
That setting in your web.config should be working.
It could be that it's not overriding the settings in the applicationhost.config file as it should.
To test this out navigate to the "\IISExpress\config\applicationhost.config" file and set <windowsAuthentication enabled="false" />
Other things you can try:
Remove forms authentication - sites often default to this.
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthentication" />
</modules>
</system.webServer>
Disable security for that path:
<location path="secureddir/newform.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have two pages: Members.aspx and Admins.aspx. I want users who are not logged in to see neither of them, any logged-in user to see the first one, and only certain users to see both.
User's category ("member" or "admin") is detected at login time from the code and is put in a session variable.
I can easily grant access to any logged-in user to some page using Forms Authentication (basically as described here), but how should I design my web.config in order to take into account not the username but his category?
Note that users could change their category at any time, so I can't hard-code their names, and I need this to be db-independent, so I shall stick to the Forms Authentication login mode.
You really should look into
Asp.net roles management
And
Filtering Site-Map Nodes Based on Security Roles
It would be smarter than trying to build your own security mechanism based upon Session values.
My suggestion is to use Role-based authentication. A user can have one or more roles. .NET has classes to help you manage users along with their roles.
This is one good tutorial: https://web.archive.org/web/20211029043732/https://www.4guysfromrolla.com/articles/082703-1.aspx
Good luck.
You can place your pages in folders grouped by roles, and create a Web.config for each folder:
For your Admin zone you can use:
<configuration>
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
And for your Member zone you can use:
<configuration>
<system.web>
<authorization>
<allow roles="admin"/>
<allow roles="member"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
I have a website made in ASP.NET 4.0 running in an Azure web role.
I am using simple forms authentication and allow unauthenticated GET requests to various pages, scripts and styles.
The problem is I have implemented a custom handler for the extension ".kl" which actually serves images based on the code with this extension, so the output for 1.kl and 2.kl would be different.
I need to allow unauthenticated requests to this handler.
How should I do it?
This is the tag in my web.config:
<authentication mode="Forms">
<forms loginUrl="~/UserPages/UserLogin.aspx" timeout="2880" name=".ASPXF2KAUTH" protection="All" path="/" defaultUrl="~/CodeGeneratorPages/SC_WC_CodeGen.aspx">
</forms>
</authentication>
It is purely an ASP.NET question, and the solution is one and the same for Azure and on-premises deployment.
You need to decide a single "folder" for where your handler will serve. For example it could be "/dynamic-images" or whatever. And make sure that all references/links you are generating are pointing at this folder ("~/dynamic-images/1.kl").
And now you need to add a location element in your configuration. Note that location is an immediate child of configuration (do not put it inside system.web):
<location path="dynamic-images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
There is no other way (that I know) to achieve your goal.
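The rule-ordering point made earlier on this page (rules are evaluated in the order given), the per-folder role configs, and the <location> override just above, as an added example in Python that is not code from any of the posts: a small model of how ASP.NET URL authorization walks its allow/deny rules. It assumes first-match-wins, "*" meaning everyone, "?" meaning anonymous, case-insensitive name matching, and the machine-level root config's implicit allow-all when no rule matches.

```python
import xml.etree.ElementTree as ET

# Added example, not code from any of the posts: a model of how ASP.NET URL
# authorization (system.web/authorization) walks <allow>/<deny> rules.
# Assumptions: first matching rule wins, "*" matches everyone, "?" matches
# anonymous requests, names compare case-insensitively, and the machine-level
# root config's <allow users="*"/> applies when nothing else matches.

def parse_rules(config_xml):
    """Return (action, attribute, value) triples in document order."""
    rules = []
    for el in ET.fromstring(config_xml).iter():
        if el.tag in ("allow", "deny"):
            for attr in ("users", "roles"):
                for value in el.get(attr, "").split(","):
                    if value.strip():
                        rules.append((el.tag, attr, value.strip()))
    return rules

def rule_matches(rule, user, roles):
    _action, attr, value = rule
    if attr == "roles":
        return value.lower() in {r.lower() for r in roles}
    if value == "*":
        return True
    if value == "?":
        return user is None  # anonymous request
    return user is not None and value.lower() == user.lower()

def is_authorized(rule_sets, user, roles=()):
    """rule_sets: most specific config first (folder web.config or <location>), then parents."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return True  # implicit <allow users="*"/> from the machine-level root config

# Constructed fragments mirroring the posts above.
DENY_FIRST = '<authorization><deny users="user_name"/><allow users="user_name"/></authorization>'
ALLOW_FIRST = '<authorization><allow users="user_name"/><deny users="user_name"/></authorization>'
ADMIN_ZONE = '<authorization><allow roles="admin"/><deny users="*"/></authorization>'
MEMBER_ZONE = '<authorization><allow roles="admin"/><allow roles="member"/><deny users="*"/></authorization>'
ROOT_LOGIN_ONLY = '<authorization><deny users="?"/></authorization>'
PUBLIC_FOLDER = '<authorization><allow users="*"/></authorization>'

if __name__ == "__main__":
    print(is_authorized([parse_rules(DENY_FIRST)], "user_name"))   # False: deny is hit first
    print(is_authorized([parse_rules(ALLOW_FIRST)], "user_name"))  # True
    print(is_authorized([parse_rules(ADMIN_ZONE)], "bob", ["member"]))  # False
    # <location path="dynamic-images"> allow * is checked before the root's deny ?
    print(is_authorized([parse_rules(PUBLIC_FOLDER), parse_rules(ROOT_LOGIN_ONLY)], None))  # True
```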
Also, one more solution to this question that I figured out by myself
is to allow unauthenticated access by default to the root directory of the website and then deny access to all the folders and child paths. That way any handler would be allowed to be accessed by any anonymous user, whereas all the child paths won't be allowed.
I'm learning ASP.NET MVC3 and I'm now examining the user handling.
My first problem would be (I know there is a lot about this subject in other threads, I just fail to find a good one with MVC3) that I want the login page to redirect me where I came from, or where I was redirected from.
In PHP perhaps I would add this URL to the query string, maybe.
But I need a way to do this somehow automatically, and this is a so common design pattern I was wondering if there is a "built in" way to do this.
What would be the cleanest, or preferred way to do this?
Also when I'm redirecting to a login page which would be the best way for checking and storing the url which I'm redirected from? I would check for the referrer in the request object and spit it out in the url as "?redirect=protected.html" but I'm not even sure how to properly do this.
Any advice on this subject would be appreciated.
MVC works the same way as ASP.NET.
If you use Forms Authentication a lot of those questions will be answered for you.
In your web.config find the line that says authentication="Windows" and then change that to Forms:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" />
</authentication>
MVC 3 will actually give you the Account/LogOn route as part of the MVC 3 template project (check your models and see if you have one called AccountModel).
Then you just add Authorization to deny all users to your site:
<authorization>
<deny users="?"/>
</authorization>
By default this will send any person coming to your site off to your login.
So after you have validated that their login credentials are correct you set the AuthCookie the same as in ASP.NET:
FormsAuthentication.SetAuthCookie(userName, false);
From this you can then redirect to wherever you want.
To redirect back to where you came from use:
FormsAuthentication.RedirectFromLoginPage(userName, false);
Not forgetting the other useful statement of:
FormsAuthentication.SignOut();
Without authentication the site won't let you access anywhere until you are logged in, so the CSS will stop working.
The locations I have added to make sure this doesn't happen are as follows:
<location path="Content">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="Scripts">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
In asp.net it is a ?returnUrl=...
(1) Make sure you have something like
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
in your root web.config.
(2) In your Controller you want to protect, add [Authorize] attribute above it.
Please create a new project and select the Internet Application template rather than the Empty one, and you will get a sample of the simple login process as well as changing the password.
Note: Please read this as well: http://www.asp.net/mvc/tutorials/preventing-open-redirection-attacks
The sample shows that after the login process, it makes sure the returnUrl is a local URL using the Url.IsLocalUrl() helper to protect from an open redirection attack.
Update:
The best way is to implement your own custom login process after you really know the standard process. For example, instead of using the URL to track where the user came from, you can set a new cookie to store the returnUrl as an httponly cookie and delete it just before redirecting to the previous page.
Another common practice is to use roles. You may specify a directory/controller for a specific group of users called a Role by adding the permitted role like this as an attribute above the controller:
[Authorize(Roles = "Admin")]
See this Visual Studio administration tool to create sample users and roles with the built-in web interface.
You may also want to use sitemap to arrange your pages and menu link with show/hide menu based on current user role. Use this mvcsitemap to add security trimming features in ASP.NET MVC sitemap.
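The returnUrl handling and the Url.IsLocalUrl() check discussed in this answer, as an added example in Python that is not the MVC template's own code: it pulls returnUrl out of a login request and only redirects to it when it is an app-relative path. The local-URL rule (a single leading slash not followed by / or \, or a ~/ prefix) is my reading of the referenced tutorial, and the login URLs at the bottom are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Added example, not the MVC template's own code: the local-URL test the answer
# above describes, applied to the ?returnUrl= parameter of a login request.
# Assumption: the tutorial's rule is "a single leading slash, or ~/, and nothing
# that looks like a protocol-relative or absolute URL".

def is_local_url(url):
    """Accept only app-relative targets; anything else could redirect off-site."""
    if not url:
        return False
    if url.startswith("~/"):
        return True
    # "//host" and "/\host" are protocol-relative: browsers treat both as a
    # different origin, so a single "/" must not be followed by / or \.
    return url.startswith("/") and url[1:2] not in ("/", "\\")

def return_url_from_login_request(login_url):
    """Pull returnUrl (name matched case-insensitively) out of a login request URL."""
    query = parse_qs(urlsplit(login_url).query)
    for name, values in query.items():
        if name.lower() == "returnurl" and values:
            return values[0]
    return None

def redirect_target(login_url, default="~/"):
    """Where to send the user after a successful login: the validated returnUrl or the default."""
    candidate = return_url_from_login_request(login_url)
    return candidate if is_local_url(candidate) else default

if __name__ == "__main__":
    # Constructed login URLs: the first is the shape forms authentication
    # generates itself; the others are shapes the check must reject.
    for u in ("/Account/LogOn?ReturnUrl=%2Fprotected.html",
              "/Account/LogOn?ReturnUrl=//evil.example/",
              "/Account/LogOn?ReturnUrl=/%5Cevil.example",
              "/Account/LogOn?ReturnUrl=http://evil.example/"):
        print(u, "->", redirect_target(u))
```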
In some cases there happens to be a custom authentication instead of standard forms based (common case for enterprise level applications).
In this case I would recommend manually managing returnUrl parameter in the querystring. Login page reads this URL and redirects back after successful authentication.
Here is my issue. I have an ASPX web site and I have code in there to redirect from the login page with the call to "FormsAuthentication.RedirectFromLoginPage(username, false);" This sends the user from the root website folder to 'website/Admin/'. I have a 'default.aspx' page in 'website/Admin/' and the call to redirect works on a previous version of the website we have running currently, but the one that I am updating on a separate test server is not working. It gives me the error "Directory Listing Denied. This Virtual Directory does not allow contents to be listed." I have this in the config file:
<authorization>
<allow users="*" />
</authorization>
under the "authentication" option and...
<location path="Admin">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
for the location of Admin.
Also, there is no difference in the code between the web.config, Login.aspx, or the default.aspx files on the current server and the one on the test server, so I am confused as to why the redirect will not work on both. It even works in the Visual Studio server environment, for which the code is also identical.
Any suggestions and help is appreciated.
Directory Listing Denied is an IIS error, stating that directory browsing on the server isn't allowed. If you see this, it means when browsing to Website/Admin, the server isn't finding any expected default documents and is then trying to show you the file directory through the browser (expected behavior). IIS is set to not allow this in your case (which is a good thing).
Can you contact the server admins and ask them to verify the default documents for the website, and add Default.aspx to the list? If not, at least find out what the default file names are in the site setup, and name your root page based on that.
I think by default IIS uses Default.htm and maybe one other. Even when registering asp.net with IIS, I don't believe Default.aspx is added. It has to be done manually.