Controlling access with web.config - c#

I am trying to control access to my website with Windows Integrated authentication.
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
</authorization>
...
</system.web>
</configuration>
Except that this code isn't working. I can access it whether I am a member of that group or not. What is wrong?
I looked through some code and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.
Thanks,

You do not have an explicit deny statement; you should add the following entry at the end of the declarations:
<deny users="*" />
And you can remove the <deny users="?"/>, which denies unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:
<authorization>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
<deny users="*"/>
</authorization>
As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.

Related

How to allow / deny specific AD users & groups with WIF in a MVC web app

I followed this site to integrate WIF in my MVC web app: https://msdn.microsoft.com/en-us/library/hh291061.aspx
It works well, users can log in with SSO and anonymous users are forwarded to the SSO page.
I want to deny access to everyone but a certain AD group / user and I can't figure out where to place the rules.
I tried in system.web
<system.web>
<authentication mode="None" />
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*" />
</authorization>
</system.web>
But that doesn't seem to work; the specified allowed user is denied (401).
I tried in FederationMetadata and that didn't work either:
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I can't for the life of me figure this out. Any suggestions?
You could change the web.config back to:
<authorization>
<allow users="*" />
</authorization>
And then perform your own authz/authn globally for the site in HttpApplication.PostAuthenticateRequest.

ASP.Net 4.5 Forms Authentication / Authorization not working

I started with a default WebForms project with Individual Accounts. I have a bunch of content that I've built with database connections. I want to restrict all content to authenticated users, with the exception of the default.aspx.
I have successfully established the Identity table structures in my SQL database and can "register" new users. This all works fine. However, when I add the authentication setup to the web.config (see below), it all breaks.
<system.web>
<authentication mode="Forms">
<forms name=".FormsAuth" loginUrl="Login.aspx" protection="All" slidingExpiration="false" requireSSL="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I would expect this to allow me to view my Default.aspx page and redirect if I moved off of it. Instead it attempts to redirect to \account\login and fails with this message:
HTTP Error 404.15 - Not Found The request filtering module is configured to deny a request where the query string is too long.
The ReturnURL is huge and seems to repeat itself. I've tried looking around for a start from scratch example but have not found one that works. This should be simple.
http://localhost:58573/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FDefault
I figured this out. I had to remove the general "deny all anonymous" statement from web.config:
<!--<authorization>
<deny users="?"/>
</authorization>-->
...which I was trying to use to restrict ALL but the login page.
I moved all of my content into a few subfolders, then called them out with location tags and the same deny users statement.
<location path="System">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Reports">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
At this point it seems to be working "properly" and now redirects users to login.aspx if not authenticated.
The \account\login.aspx was denied because of the web.config.
...
<authorization>
<deny users="?"/>
</authorization>
When you redirect to the login page, because anonymous access is forbidden, you are redirected to the login page again, resulting in recursion.
You can create a web.config in the Account folder. The content is like this:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
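To see why the first question's config lets every authenticated user in, and why this question's config loops on the login page until IIS rejects the query string, here is an added model of how ASP.NET URL authorization walks the merged rule list (this is example code written for this thread, not the framework's code or anything the posters wrote): rules are evaluated in document order and the first match wins, rules from a more specific location come before the parent's, and a request matching nothing falls through to the inherited allow-all. The configs are reconstructed from the snippets above; the user, group and page names, the treatment of a subfolder web.config as an equivalent `<location path>` block, and the 2048-byte query-string limit (IIS's default maxQueryString) are assumptions.

```python
"""Model of ASP.NET URL authorization, written as an added example (not the
framework's own code):
  - <allow>/<deny> rules are evaluated in document order and the first match wins;
  - rules from a more specific <location> (or a subfolder web.config) come first;
  - a request that matches nothing falls through to machine.config's <allow users="*"/>.
Configs, user, group and page names below are constructed placeholders."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote
import xml.etree.ElementTree as ET


@dataclass(frozen=True)
class Principal:
    name: Optional[str]                 # None models an anonymous request
    roles: frozenset = frozenset()


def _split(attr):
    """'admin, companyadmin' -> ('admin', 'companyadmin'); '' -> ()."""
    return tuple(v.strip().lower() for v in attr.split(",") if v.strip())


def load_rules(config_xml):
    """Return {path: [(action, users, roles), ...]} from a <configuration> fragment.
    Root-level rules are keyed ""; <location path="X"> rules are keyed "x"."""
    table = {}
    for section in ET.fromstring(config_xml):
        key = section.get("path", "").lower().strip("/") if section.tag == "location" else ""
        for rule in section.iter():
            if rule.tag in ("allow", "deny"):
                table.setdefault(key, []).append(
                    (rule.tag, _split(rule.get("users", "")), _split(rule.get("roles", ""))))
    return table


def _matches(rule, user):
    action, users, roles = rule
    for u in users:
        if u == "*" or (u == "?" and user.name is None) or (user.name and u == user.name.lower()):
            return True
    return any(r in roles for r in map(str.lower, user.roles))


def is_allowed(table, path, user):
    """Decide a request for `path` (e.g. "/Reports/x.aspx") by the merged rule list."""
    path = path.lower().strip("/")
    scopes = sorted((p for p in table if p == "" or path == p or path.startswith(p + "/")),
                    key=len, reverse=True)           # most specific <location> first
    for scope in scopes:
        for rule in table[scope]:
            if _matches(rule, user):
                return rule[0] == "allow"
    return True                                      # inherited <allow users="*"/>


def forms_redirect_chain(table, first_path, login_path="/Account/Login", max_query=2048):
    """Follow the redirects an anonymous request gets under Forms authentication:
    every denied request becomes login_path?ReturnUrl=<denied url, URL-encoded>.
    Returns ("200", hops) when a page is finally served, or ("404.15", hops) once
    the query string outgrows IIS's request filter (2048 bytes assumed here, the
    default maxQueryString), which is the error quoted in the question."""
    anon, url, hops = Principal(None), first_path, 0
    while not is_allowed(table, url.split("?", 1)[0], anon):
        url = f"{login_path}?ReturnUrl={quote(url, safe='')}"   # '/' -> %2F, '%' -> %25, ...
        hops += 1
        if len(url.split("?", 1)[1]) > max_query:
            return "404.15", hops
    return "200", hops


# First question, as posted: deny anonymous, allow the group, and nothing else.
Q1_AS_POSTED = r"""<configuration><system.web>
<authorization><deny users="?"/><allow roles="DOMAIN\The_group_that_can_access_it"/></authorization>
</system.web></configuration>"""

# First question, as the answer suggests: allow the group, then deny everyone else.
Q1_FIXED = r"""<configuration><system.web>
<authorization><allow roles="DOMAIN\The_group_that_can_access_it"/><deny users="*"/></authorization>
</system.web></configuration>"""

# Forms question, as posted: site-wide deny of anonymous users, only Default.aspx opened up.
Q3_AS_POSTED = """<configuration>
<system.web><authorization><deny users="?"/></authorization></system.web>
<location path="Default.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
</configuration>"""

# Same, plus the Account folder opened up (a web.config in that folder behaves like this <location>).
Q3_FIXED = Q3_AS_POSTED.replace("</configuration>",
    '<location path="Account"><system.web><authorization><allow users="*"/></authorization></system.web></location>\n</configuration>')

if __name__ == "__main__":
    member = Principal("DOMAIN\\alice", frozenset({"DOMAIN\\The_group_that_can_access_it"}))
    outsider = Principal("DOMAIN\\bob")                  # authenticated, but not in the group
    for label, cfg in (("as posted", Q1_AS_POSTED), ("fixed", Q1_FIXED)):
        rules = load_rules(cfg)
        print(f"Q1 {label}: member={is_allowed(rules, '/', member)} "
              f"outsider={is_allowed(rules, '/', outsider)} anonymous={is_allowed(rules, '/', Principal(None))}")
    for label, cfg in (("as posted", Q3_AS_POSTED), ("fixed", Q3_FIXED)):
        print(f"Q3 {label}: {forms_redirect_chain(load_rules(cfg), '/Reports/Sales.aspx')}")
```

Running it shows the two failure modes side by side: with the first config an authenticated user outside the group is allowed because no rule matches and the inherited allow-all applies, and with the Forms config an anonymous request for any unlisted page bounces between the denied login page and itself, each hop re-encoding the previous ReturnUrl, until the query string is too long. Opening the login page's folder to `*` ends the chain after a single redirect.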

Register.aspx redirects Anonymous users to Login page

I'm using ASP.NET Identity 2. In the web.config under the Account folder I have the following:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
The problem is that when I try to access register.aspx it redirects me to the login page. I need unauthorized users to be able to access the registration page.
You could use the allowOverride on a location to set the global deny authorization:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location allowOverride="true">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
This will handle your redirect issue on Register, but will leave you having to make additional exceptions for your assets, such as images, scripts, and styles.
As an alternative approach, I find it easier to avoid having to manage massive lists of these location tags by leaving authorization to be done by directory. Maybe it makes sense to leave the shared assets and non-secured pages off the root level like this, and put your secured pages in different subfolders you secure through web.configs inside those folders.
Project
/images/...
/styles/...
/secured/account.aspx
/secured/web.config (this is where you'd have your `deny` authorization)
/Register.aspx
/web.config (use allow all users at this level)
Now you can easily manage which users access which files, and it's much cleaner.

How to create an exception in the authorization tag in web.config

How do I create an exception in a location to allow access to the page GanttViewer.aspx with another role, while the other pages are accessible only with the Admin role?
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Specify another Location section as you have above with the path specified all the way down to the file.
For each location define the different authorization rules required.

Authorization Asp.net web.config

I have an application that has a backoffice.
This backoffice was isolated with the use of roles like this:
<location path="backoffice">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
But now we have another type of role that needs access. The companyadmin role.
Can I just say:
<location path="backoffice">
<system.web>
<authorization>
<allow roles="admin,companyadmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Yes, exactly so (assuming you properly authenticated your users, and set their roles accordingly).
Check the MSDN article: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-1.1/8d82143t(v=vs.71)
Yes; roles, users and verbs take comma-separated values.
MSDN Reference
Yes, you can add n roles like that.
If you prefer, you can also:
<allow roles="admin"/>
<allow roles="admin1"/>
<deny users="*"/>
