Different authorizations for different pages? - c#

My question is rather naive and I apologize for that. My web.config file for a restricted-access folder is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Now this applies to all the pages in the folder. Is there a way I can modify it such that any user with the role Member will have access to, say, only members.aspx, while Admin will have access to a whole bunch of pages?
I guess I could do it by creating different folders, storing different pages in them and assigning the web.config as needed, but I was wondering if it was possible to have page-level authorization (based on roles) in a single folder.
Thanks !

You can specify access to different specific URLs in your site by using location elements. Note that you can configure all locations from your parent web.config; having multiple web.config files for this is not necessary.
<location path="members.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>
<location path="adminsonly.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<!-- deny everyone who did not match the Admin rule above, not only anonymous users -->
<deny users="*" />
</authorization>
</system.web>
</location>
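
The rule lists on this page differ mainly in whether they end with `<deny users="?" />` or `<deny users="*" />`. The sketch below is an added example (not code from the original posts) that models first-match URL authorization to show the difference. It assumes exact-match names and ignores the `verbs` attribute, and the user names `bob` and `alice` are constructed.

```python
import xml.etree.ElementTree as ET

# ASP.NET appends the machine-level default <allow users="*"/> after all site rules.
DEFAULT_RULES = [("allow", {"*"}, set())]

def _split(value):
    return {s.strip() for s in value.split(",") if s.strip()}

def parse_rules(authorization_xml):
    """Turn an <authorization> fragment into ordered (action, users, roles) tuples."""
    return [(el.tag, _split(el.get("users", "")), _split(el.get("roles", "")))
            for el in ET.fromstring(authorization_xml)]

def matches(rule, user, roles):
    _, users, rule_roles = rule
    if "*" in users:                      # everyone
        return True
    if "?" in users and user is None:     # anonymous only
        return True
    if user is not None and user in users:
        return True
    return bool(rule_roles & set(roles))

def is_allowed(chain, user=None, roles=()):
    """chain: rule lists ordered most specific first (location, folder, root).
    The first matching rule decides; later rules are never consulted."""
    for rules in list(chain) + [DEFAULT_RULES]:
        for rule in rules:
            if matches(rule, user, roles):
                return rule[0] == "allow"
    return False

# Constructed fragments using the rule patterns that appear on this page.
FOLDER = '<authorization><allow roles="Member"/><allow roles="Admin"/><deny users="?"/></authorization>'
LOC_DENY_ANON = '<authorization><allow roles="Admin"/><deny users="?"/></authorization>'
LOC_DENY_ALL = '<authorization><allow roles="Admin"/><deny users="*"/></authorization>'

if __name__ == "__main__":
    for name, loc in (("deny ?", LOC_DENY_ANON), ("deny *", LOC_DENY_ALL)):
        chain = [parse_rules(loc), parse_rules(FOLDER)]
        print(name,
              "| anonymous:", is_allowed(chain),
              "| Member bob:", is_allowed(chain, "bob", ["Member"]),
              "| Admin alice:", is_allowed(chain, "alice", ["Admin"]))
```

With `deny users="?"` an authenticated user who is not in the Admin role falls through to the inherited rules and is admitted; only `deny users="*"` stops evaluation for everyone the preceding allow rules did not match.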

Related

asp.net Windows Forms Authentication for Admin folder

I'm using C# and ASP.NET.
I have this file structure on my website:
~\Admin\SecuredFolder\ManageWebsite.aspx
~\Admin\Login.aspx
~\Homepage.aspx
What I'm trying to achieve is pretty much simple, but I guess all my attempts till now turned out too complex and I'm kinda confused.
My goals:
Homepage.aspx and Login.aspx should be public for all (anonymous users).
SecuredFolder should be for logged-in users ONLY (i.e. admin users). Whoever attempts to access any page in this folder (without being logged in) should be redirected to the login page.
Once login succeeds, it will successfully redirect to ManageWebsite.aspx.
I know this is supposed to be a simple implementation, but I feel like I have not internalized it properly yet.
Hope any of you could provide me an example.
Put this web.config in SecuredFolder ~\Admin\SecuredFolder\
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Put this in the web.config of the root folder ~\
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" timeout="2880" />
</authentication>
<location>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To your root web.config add these to make Homepage and Login aspx pages public
<location path="Homepage.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Inside the Secure folder add a web.config file and to that add these to allow all contents inside SecuredFolder to be accessible only to Admin roles
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
After successful authentication, in Login.aspx, check the user's role; if the role is that of Admin, redirect him to the ManageWebsite.aspx page.
Place a web.config in your SecuredFolder and add
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users ="*" />
</authorization>
</system.web>
</configuration>
Now it will only allow the logged-in (admin) user to access its contents.
You can also add <authentication> to your root web.config to automatically redirect an unauthorized user to the login page.
<authentication mode="Forms">
<forms loginUrl="~\Admin\Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Homepage.aspx" path="/"/>
</authentication>

How can I access a folder's pages according to roles in C# VS2005 in web.config

The scenario is :
I am working on a role-based project in VS2005 and SQL Server 2005.
I defined the roles in the database and added a custom role provider. I have two roles, "admin" and "user". I created two folders in the project and placed the pages in these folders (admin and user) according to roles. Now I want to add code in web.config for accessing the pages according to roles, meaning admin can see only admin folder pages and user can see only user folder pages.
If I define only one page for admin and one page for user in tag with roles authorization, then they work fine. But if I use more than one page in both folders, then I need to define all pages in the web.config file for both.
I used the location tag like this:
<location path="user/userpage1.aspx">
<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Is there any possibility to assign a role for a folder instead of a page in tag?
If yes, please give some valuable ideas to implement this.
Updates
I added these two location tags in my web.config:
<!--allow admin role members-->
<location path="admin/adminpage1.aspx">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!--allow user role members-->
<location path="user/userpage1.aspx">
<system.web>
<authorization>
<allow roles="user"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Doesn't the following work for you?
<location path="folder">
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>
</location>
What works for me is the following configuration:
<location path="Content/Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="Admin,Manager,Client" />
<deny users="?" />
</authorization>
</system.web>
allowing anonymous access while in general it's not allowed.
Or you can put a separate location-agnostic Web.config in a subfolder:
<system.web>
<authorization>
<allow roles="user" />
<deny users="*" />
</authorization>
</system.web>

Restricting file access to certain users

I have a site, into which users log in using forms authentication, in which I want to restrict access to files in a particular folder to certain users.
So, for instance, folder dir/foo will be accessible to user1 but not user2 or user3 and folder dir/bar will be accessible to user2 but not user1 or user3.
How can I do this?
Use roles, then set up the locations in web.config
<location path="foo">
<system.web>
<authorization>
<allow roles="fooUsers"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
OR
for each folder created, add a new web.config to the folder root
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="folderUsers"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
Check the <location> element of web.config.

How to avoid Form Authentication for 2 pages

I have used Forms Authentication in my web project. I don't want Forms Authentication for two pages. How can I avoid this?
Write the following location tags, replacing the Logout.aspx and Login.aspx page names with your two pages' names.
<location path="Logout.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You can add a section to the config to allow anonymous access to certain pages:
<configuration>
<location path="Welcome.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
</configuration>
Use the <location> element to 'granulate' the authentication requirements:
<location path="path/to/resource">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Other than the MSDN documentation, this is a reasonable post on setting authorization rules, too.
You can also place separate, dedicated web.config files within sub-directories to have self-contained control within that directory - I'm not fond of this though, and much prefer a nicely structured root configuration.

Why am I being asked for password in site for default.aspx

Why, when I have forms authentication selected as below in my web.config, does it go to login.aspx for the request of the file default.aspx, which is in the root, not the ~/account folder? Any suggestions for what I need to check? Thanks.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" name=".ASPXFORMSAUTH"></forms>
</authentication>
<location path="~/WebResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/Account">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="img">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/ScriptResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="~/contactus.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="Telerik.Web.UI.WebResource.axd">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To allow anonymous users to access Default.aspx in root you should try:
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
You have a rule to explicitly let people view contactus.aspx, but no matching rule for default.aspx. Try adding a rule for that area.
I'm assuming you have a deny all rule somewhere that you haven't shown? You could always grant access to all of your site and then explicitly deny access to just /account as you have done.
What is in your authentication section of the web.config?
It's been a while, but I think you have to explicitly grant access to things; I think by default it is classed as locked down?
So you will need a root-level grant permission.
Add the following block in web.config if you wish all users to visit the page without login:
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
It allows anonymous users to access this page.
