I have an ASP.NET Website. I want to restrict the Admin Folder to only users who are of 'Admin Role' in this SQL Server Table: tbl_Users_Admin (having columns UID, PWD, Name, Role, Status). The rest of all the root pages I want to be publicly accessible by any user.
I will not be using ASP.NET Membership.
Admin User is just given the URL (https://www.Website.com/Admin/Login.aspx).
I have two Login.aspx pages in the root as well as in the Admin Folder.
I tried to resolve it through the Forms Authentication, but I am unable to resolve it.
A few forums suggested creating two different Web.Config files (one for the root folder of the website and another for the Admin Folder), but it seems to be an inefficient way to me.
But I have not been successful in resolving it otherwise.
Although I have tried to do this as follows in the web.config file at root:
<location path="Admin">
<system.web>
<authentication mode="Forms">
<forms loginUrl="/Admin/Login.aspx" name=".ASPXFORMSAUTH" defaultUrl="/Admin/Login.aspx" >
</forms>
</authentication>
<authorization>
<allow roles="administrators" />
<allow users="admin" />
<deny users="?" />
</authorization>
<sessionState mode="InProc" cookieless="false" timeout="20">
</sessionState>
<customErrors defaultRedirect="~/Admin/ErrorPages/Error.aspx" mode="On">
<error statusCode="404" redirect="~/Admin/ErrorPages/Error.aspx" />
</customErrors>
<compilation debug="true">
<codeSubDirectories>
<add directoryName="CSharp"/>
<add directoryName="VB"/>
</codeSubDirectories>
</compilation>
</system.web>
</location>
And for the rest of the root pages (Public Pages):
<system.web>
For rest of the root pages (Public Pages)
</system.web>
You don't need to add the Admin folder in the web.config.
Just add the following in the web.config under the configuration section.
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
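A `roles="Admin"` rule only matches when the request's principal actually carries that role, and without ASP.NET Membership or a role provider the application has to attach it itself. The following is an added example, not code from the original posts: the helper names (`AdminAuth`, `SignIn`, `AttachRoles`) are hypothetical, it assumes UID/PWD were already verified against tbl_Users_Admin, and it assumes the default forms `protection="All"` so the ticket is encrypted and tamper-checked.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example; AdminAuth, SignIn and AttachRoles are hypothetical names.
public static class AdminAuth
{
    // Call from Admin/Login.aspx.cs once the credentials have been checked.
    // 'role' is the Role column of the matching tbl_Users_Admin row.
    public static void SignIn(HttpResponse response, string uid, string role)
    {
        var ticket = new FormsAuthenticationTicket(
            1,                                   // ticket version
            uid,                                 // becomes User.Identity.Name
            DateTime.Now,
            DateTime.Now.AddMinutes(20),
            false,                               // session cookie, not persistent
            role,                                // UserData carries the role
            FormsAuthentication.FormsCookiePath);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,                          // not readable from script
            Secure = FormsAuthentication.RequireSSL,  // follows <forms requireSSL>
            Path = FormsAuthentication.FormsCookiePath
        };
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax.cs. Rebuilds the
    // principal on every request so <allow roles="..."/> has roles to test.
    public static void AttachRoles(HttpContext context)
    {
        var identity = context.User == null
            ? null
            : context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Roles come from the decrypted ticket, never from client-supplied input.
        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```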
I am trying to deny access to my admin folder which is off root but it is saying that it's an invalid element. Yet I am using it within my web.config; I don't want to post it in its entirety.
What I need is the ability to force login to the backdoor folder and anything that is in root allow anonymous access.
<authentication mode="Forms">
<forms loginUrl="~/BackDoor/Login.aspx">
</forms>
<location path="~/BackDoor/">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</authentication>
The location element must be defined outside of system.web:
<configuration>
<system.web>
<authentication mode="Forms">
<!-- loginUrl should be a page that anonymous users can access -->
<forms loginUrl="~/BackDoorLogin.aspx">
</forms>
</authentication>
</system.web>
<location path="~/BackDoor/">
<system.web>
<authorization>
<!-- deny anonymous users so that requests to BackDoor are sent to the login page -->
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
I'm using C# and ASP.NET.
I have this file structure on my website:
~\Admin\SecuredFolder\ManageWebsite.aspx
~\Admin\Login.aspx
~\Homepage.aspx
What I'm trying to achieve is pretty much simple, but I guess all my attempts till now turned out too complex and I'm kinda confused.
My goals:
Homepage.aspx and Login.aspx should be public for all (anonymous users)
SecuredFolder should be for logged users ONLY (ie: admin users). Whoever attempts to access any page in this folder (without being logged in) should be redirected to the login page.
Once login succeeds it will successfully redirect to ManageWebsite.aspx
I know this is supposed to be a simple implementation but I feel like I have not internalized it properly yet.
Hope any of you could provide me an example.
Put this webconfig in securedfolder ~\Admin\SecuredFolder\
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Put this in the web.config of the root folder ~\
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" timeout="2880" />
</authentication>
<location>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
To your root web.config add these to make Homepage and Login aspx pages public
<location path="Homepage.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<!-- the login page lives at ~\Admin\Login.aspx in the structure above -->
<location path="Admin/Login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Inside the Secure folder add a web.config file and to that add these to allow all contents inside SecuredFolder to be accessible only to Admin roles
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
After successful authentication, in Login.aspx, check the user's role; if the role is that of Admin, redirect him to the ManageWebsite.aspx page.
Place a web.config in your SecuredFolder and add
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Now it will only allow the logged-in (admin) user to access its contents.
You can also add <authentication> to your root web.config to automatically redirect an unauthorized user to the login page.
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Homepage.aspx" path="/"/>
</authentication>
Please consider this scenario:
I have a project that contains some web pages. I add form authentication based on Active Directory for all my web pages. For example:
<connectionStrings>
<add name="ADConnectionString" connectionString="LDAP://testdomain.test.com/CN=Users,DC=testdomain,DC=test,DC=com" />
</connectionStrings>
<authorization>
<deny users="?" />
</authorization>
Now I want to exclude some pages from form authentication. How can I exclude some pages in web.config?
thanks
Put your page in a separate directory and modify the web.config accordingly. You can also do this:
<configuration>
<location path="CreateAccount.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
More discussions
link1
Excluding pages from forms auth - ASP.NET
One easy way of doing it is to make a separate folder within your application for public pages. In that folder you place all the pages that you want to be excluded from authentication. Then you place a web.config within that folder with only the authentication settings, like this:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I have an asp.net application with a web.config file in the root and uses Windows authentication by default.
I have an Admin folder that should have Forms authentication. For this, I have added a new web.config file in the Admin folder as below:
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH" >
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
Now when I run a page inside the Admin folder, it gives me the below error:
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
How to Configure Forms Authentication for the pages inside the Admin folder only and leaving other pages for the Windows authentication which is the default?
thanks
I think you will need to do something like this:
In your Admin folder web.config
<configuration>
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
In your root web.config
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
</system.web>
Anyway, this might help you: Control Authorization Permissions in an ASP.NET Application
My question is rather naive and I apologize for that. My web config file for a restricted access folder is as follows:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
Now this applies to all the pages in the folder. Is there a way I can modify it such that any user with the role Member will have access to, say, only members.aspx while Admin will have access to a whole bunch of pages?
I guess I could do it by creating different folders and storing different pages in them and assigning the web.config as needed, but I was wondering if it was possible to have page-level authorization (based on roles) in a single folder.
Thanks!
You can specify access to different specific URLs in your site by using location elements. Note that you can configure all locations from your parent web.config; having multiple web.config files for this is not necessary.
<location path="members.aspx">
<system.web>
<authorization>
<allow roles="Member" />
<allow roles="Admin" />
<!-- deny everyone not matched above, not only anonymous users -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="adminsonly.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<!-- deny everyone else; deny users="?" would still let an authenticated Member through -->
<deny users="*" />
</authorization>
</system.web>
</location>
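The rule lists on this page end either with `<deny users="?"/>` or with `<deny users="*"/>`, and under first-match evaluation the two are not equivalent for an authenticated user who lacks the allowed role. The console program below is an added example that models that evaluation; it is not ASP.NET's own code, `Rule` and `UrlAuthModel` are hypothetical names, the user name is constructed, and the model appends only the machine-level default `<allow users="*"/>` (inherited parent rules would sit in between).

```csharp
using System;
using System.Linq;

// Added example: a simplified model of first-match URL authorization.
public class Rule
{
    public bool Allow;
    public string[] Users = { };
    public string[] Roles = { };

    // "*" matches everyone, "?" matches only anonymous (unauthenticated) users.
    public bool Matches(string user, string[] userRoles)
    {
        bool anonymous = string.IsNullOrEmpty(user);
        return Users.Any(u => u == "*" || (u == "?" && anonymous) ||
                   (!anonymous && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)))
            || Roles.Any(r => userRoles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }
}

public static class UrlAuthModel
{
    // Default that every rule list eventually falls through to.
    static readonly Rule Default = new Rule { Allow = true, Users = new[] { "*" } };

    // The first rule that matches decides; later rules are never consulted.
    public static bool IsAllowed(Rule[] rules, string user, params string[] roles)
    {
        return rules.Concat(new[] { Default }).First(r => r.Matches(user, roles)).Allow;
    }

    public static void Main()
    {
        var weak = new[] {    // <allow roles="Admin"/> <deny users="?"/>
            new Rule { Allow = true, Roles = new[] { "Admin" } },
            new Rule { Allow = false, Users = new[] { "?" } } };
        var strict = new[] {  // <allow roles="Admin"/> <deny users="*"/>
            new Rule { Allow = true, Roles = new[] { "Admin" } },
            new Rule { Allow = false, Users = new[] { "*" } } };

        foreach (var who in new[] { "anonymous", "Member", "Admin" })
        {
            string user = who == "anonymous" ? null : "alice";  // constructed user
            string[] roles = who == "anonymous" ? new string[0] : new[] { who };
            Console.WriteLine("{0,-9} weak={1,-5} strict={2}", who,
                IsAllowed(weak, user, roles), IsAllowed(strict, user, roles));
        }
    }
}
```

In the output, the Member row is the one that differs between the two lists: it falls past `deny users="?"` to the default allow, while `deny users="*"` stops it.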