Authorization ASP.NET web.config - C#

I have an application that has a backoffice.
This backoffice was isolated with the use of roles like this:
<location path="backoffice">
<system.web>
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
But now we have another type of role that needs access: the companyadmin role.
Can I just say:
<location path="backoffice">
<system.web>
<authorization>
<allow roles="admin,companyadmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Yes, exactly so (assuming you properly authenticated your users, and set their roles accordingly).
Check the MSDN article: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-1.1/8d82143t(v=vs.71)

Yes: roles, users and verbs take comma-separated values.
MSDN Reference

Yes, you can add n roles like that.
If you prefer, you can also:
<allow roles="admin"/>
<allow roles="admin1"/>
<deny users="*"/>

Related

mvc5 secure aspx form pages based on user identity or role identity

MVC5 application.
Report Viewer + RDLC + ASPX pages included in a cshtml view (iframe), served by a controller.
The ASPX forms are in a folder named ReportFolder.
Even without logging in I can access http://project/ReportFolder/report.aspx, so for security I did this:
<location path="ReportFolder" >
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
Now I am not able to access it even when the user is Admin and authenticated.
Usually allow nodes should always come before deny. Try this:
<location path="ReportFolder" >
<system.web>
<authorization>
<allow users="Admin"/>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

How to allow / deny specific AD users & groups with WIF in a MVC web app

I followed this site to integrate WIF in my MVC web app: https://msdn.microsoft.com/en-us/library/hh291061.aspx
It works well, users can log in with SSO and anonymous users are forwarded to the SSO page.
I want to deny access to everyone but a certain AD group / user and I can't figure out where to place the rules.
I tried in system.web
<system.web>
<authentication mode="None" />
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*" />
</authorization>
</system.web>
But that doesn't seem to work, the specified allowed user is denied (401).
I tried in FederationMetadata and that didn't work either
<location path="FederationMetadata">
<system.web>
<authorization>
<allow users="<domain>\<username>"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I can't for the life of me figure this out. Any suggestions?
You could change the web.config back to:
<authorization>
<allow users="*" />
</authorization>
And then perform your own authz, authn globally for the site in the HttpApplication.PostAuthenticateRequest.

ASP.Net 4.5 Forms Authentication / Authorization not working

I started with a default WebForms project with Individual Accounts. I have a bunch of content that I've built with database connections. I want to restrict all content to authenticated users with the exception of the default.aspx
I have successfully established the Identity table structures in my SQL database and can "register" new users. This all works fine. However, when I add the authentication setup to the web.config see below, it all breaks.
<system.web>
<authentication mode="Forms">
<forms name=".FormsAuth" loginUrl="Login.aspx" protection="All" slidingExpiration="false" requireSSL="false" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I would expect this to allow me to view my Default.aspx page and redirect if I moved off of it. Instead it attempts to redirect to \account\login and fails with this message:
HTTP Error 404.15 - Not Found. The request filtering module is configured to deny a request where the query string is too long.
The ReturnURL is huge and seems to repeat itself. I've tried looking around for a start from scratch example but have not found one that works. This should be simple.
http://localhost:58573/Account/Login?ReturnUrl=%2FAccount%2FLogin%3FReturnUrl%3D%252FAccount%252FLogin%253FReturnUrl%253D%25252FAccount%25252FLogin%25253FReturnUrl%25253D%2525252FAccount%2525252FLogin%2525253FReturnUrl%2525253D%252525252FAccount%252525252FLogin%252525253FReturnUrl%252525253D%25252525252FAccount%25252525252FLogin%25252525253FReturnUrl%25252525253D%2525252525252FAccount%2525252525252FLogin%2525252525253FReturnUrl%2525252525253D%252525252525252FAccount%252525252525252FLogin%252525252525253FReturnUrl%252525252525253D%25252525252525252FAccount%25252525252525252FLogin%25252525252525253FReturnUrl%25252525252525253D%2525252525252525252FAccount%2525252525252525252FLogin%2525252525252525253FReturnUrl%2525252525252525253D%252525252525252525252FAccount%252525252525252525252FLogin%252525252525252525253FReturnUrl%252525252525252525253D%25252525252525252525252FAccount%25252525252525252525252FLogin%25252525252525252525253FReturnUrl%25252525252525252525253D%2525252525252525252525252FAccount%2525252525252525252525252FLogin%2525252525252525252525253FReturnUrl%2525252525252525252525253D%252525252525252525252525252FAccount%252525252525252525252525252FLogin%252525252525252525252525253FReturnUrl%252525252525252525252525253D%25252525252525252525252525252FAccount%25252525252525252525252525252FLogin%25252525252525252525252525253FReturnUrl%25252525252525252525252525253D%2525252525252525252525252525252FAccount%2525252525252525252525252525252FLogin%2525252525252525252525252525253FReturnUrl%2525252525252525252525252525253D%252525252525252525252525252525252FAccount%252525252525252525252525252525252FLogin%252525252525252525252525252525253FReturnUrl%252525252525252525252525252525253D%25252525252525252525252525252525252FAccount%25252525252525252525252525252525252FLogin%25252525252525252525252525252525253FReturnUrl%25252525252525252525252525252525253D%2525252525252525252525252525252525252FAccount%2525252525252525252525252525252525252FLogin%2525252525252525252525252525252525253FReturnUrl%2525252525252525252525252525252525253D%252525252525252525252525252525252525252FDefault
I figured this out. I had to remove the general "deny all anonymous" statement from web.config:
<!--<authorization>
<deny users="?"/>
</authorization>-->
...which I was trying to use to restrict ALL but the login page.
I moved all of my content into a few subfolders then called them out with the location tags and the same deny users statement.
<location path="System">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Reports">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
At this point it seems to be working "properly" and now redirects users to login.aspx if not authenticated.
The \account\login.aspx was denied because of the web.config.
...
<authorization>
<deny users="?"/>
</authorization>
When you redirect to the login page, because anonymous access is forbidden, you are redirected to the login page again, resulting in recursion.
You can create a web.config in the account folder. The content is like this:
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>

Controlling access with web.config

I am trying to control access to my website with Windows Integrated Authentication.
<?xml version="1.0"?>
<configuration>
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?"/>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
</authorization>
...
</system.web>
</configuration>
Except that this code isn't working. I can access it whether I'm a member of that group or not. What is wrong?
I looked through some code, and thought maybe I needed to switch the ? for a *, but then that seems to just deny everything.
Thanks,
You do not have an explicit deny statement, you should add the following entry to the end of the declarations:
<deny users="*" />
And you can remove the <deny users="?"/> which is denying unauthenticated users. The final <deny users="*" /> will deny them anyway. Then only your group should have access. The final outcome should be:
<authorization>
<allow roles="DOMAIN\The_group_that_can_access_it"/>
<deny users="*"/>
</authorization>
As a rule of thumb, always close out your access control lists with an explicit deny all, or deny any any.

How to create an exception in the authorization tag in web.config

How do I create an exception in location to allow access to the page GanttViewer.aspx with another role, and the other pages only with the Admin role?
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Specify another Location section as you have above with the path specified all the way down to the file.
For each location define the different authorization rules required.
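The rule every answer in this thread relies on (rules are scanned top-down and the first match decides; `*` is every user and `?` is only anonymous users; users, roles and verbs take comma-separated lists; the most specific <location> is consulted before the site-wide rules; a request matching no rule at all is allowed because the inherited machine-level default is `<allow users="*"/>`) can be checked offline with the small model below. It is an added example, not code from any of the posts or from ASP.NET itself: `is_allowed` re-implements the documented evaluation order of UrlAuthorizationModule, `redirect_chain` follows the forms-authentication redirects of an anonymous request until the request is served or the query string passes IIS's default 2048-byte maxQueryString, and the sample web.config strings, the `Principal` class and the user and role names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote


@dataclass
class Principal:                      # stands in for IPrincipal / IsInRole
    name: Optional[str]               # None models an anonymous request
    roles: set = field(default_factory=set)


def _split(attr):
    """Comma-separated attribute value -> list of lower-cased tokens."""
    return [v.strip().lower() for v in attr.split(",") if v.strip()] if attr else []


def _rule_matches(rule, user, verb):
    """Does this <allow>/<deny> element apply to the given user and HTTP verb?"""
    verbs = _split(rule.get("verbs"))
    if verbs and verb.lower() not in verbs:   # no verbs attribute = every verb
        return False
    for u in _split(rule.get("users")):
        if u == "*":                                    # every user
            return True
        if u == "?" and user.name is None:              # anonymous users only
            return True
        if user.name is not None and u == user.name.lower():
            return True
    if user.name is not None:
        held = {r.lower() for r in user.roles}
        if any(r in held for r in _split(rule.get("roles"))):
            return True
    return False


def is_allowed(config_xml, path, user, verb="GET"):
    """First-match evaluation: rules of the most specific <location> first, then
    the site-wide <system.web> rules.  No match means access is allowed, because
    the inherited machine-level default is <allow users="*"/>."""
    root = ET.fromstring(config_xml)
    rel = path.lstrip("/").lower()
    chain = []
    locs = [(loc.get("path").lower(), loc) for loc in root.findall("./location")]
    for lp, loc in sorted(locs, key=lambda kv: -len(kv[0])):   # longest path first
        if rel == lp or rel.startswith(lp + "/"):
            chain += loc.findall("./system.web/authorization/*")
    chain += root.findall("./system.web/authorization/*")
    for rule in chain:
        if _rule_matches(rule, user, verb):
            return rule.tag == "allow"
    return True


def redirect_chain(config_xml, start_path, login_path, max_query=2048):
    """Follow the forms-auth redirects an anonymous user gets until the request is
    served or the query string exceeds IIS's default maxQueryString (2048)."""
    anon, url, hops = Principal(None), start_path, 0
    while not is_allowed(config_xml, url.split("?")[0], anon):
        url = f"{login_path}?ReturnUrl={quote(url, safe='')}"   # nests the old URL
        hops += 1
        if len(url.split("?", 1)[1]) > max_query:
            return hops, "404.15"            # request filtering rejects the URL
    return hops, "served"


# Constructed sample configs, modelled on the fragments in the posts above.
BACKOFFICE = """<configuration><location path="backoffice"><system.web><authorization>
  <allow roles="admin,companyadmin"/><deny users="*"/>
</authorization></system.web></location></configuration>"""

REPORTS_DENY_FIRST = """<configuration><location path="ReportFolder"><system.web><authorization>
  <deny users="*"/><allow roles="Admin"/>
</authorization></system.web></location></configuration>"""
REPORTS_ALLOW_FIRST = REPORTS_DENY_FIRST.replace(
    '<deny users="*"/><allow roles="Admin"/>', '<allow roles="Admin"/><deny users="*"/>')

FORMS_LOOP = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="Default.aspx"><system.web><authorization><allow users="*"/></authorization></system.web></location>
</configuration>"""
# Equivalent to a web.config inside the Account folder: the login page is reachable.
FORMS_FIXED = FORMS_LOOP.replace("</configuration>",
    '<location path="Account"><system.web><authorization><allow users="*"/></authorization></system.web></location></configuration>')

WINDOWS_NO_DENY = r"""<configuration><system.web><authorization>
  <deny users="?"/><allow roles="DOMAIN\The_group_that_can_access_it"/>
</authorization></system.web></configuration>"""
WINDOWS_FIXED = WINDOWS_NO_DENY.replace("</authorization>", '<deny users="*"/></authorization>')

# File-level exception inside a protected folder (the last question above).
ADMIN_WITH_EXCEPTION = """<configuration>
  <location path="Admin"><system.web><authorization><allow roles="Admin"/><deny users="*"/></authorization></system.web></location>
  <location path="Admin/GanttViewer.aspx"><system.web><authorization><allow roles="Planner"/></authorization></system.web></location>
</configuration>"""
```

Evaluating the sample configs reproduces the three failure modes in the thread: `deny users="*"` placed first blocks the Admin it was meant to admit; `deny users="?"` with no trailing `deny users="*"` lets any authenticated domain account fall through to the inherited allow-all; and a site-wide `deny users="?"` that also covers the login page turns every redirect into another redirect with a longer ReturnUrl until request filtering rejects it. The model ignores path-specific ASP.NET details (it matches location paths by prefix only), so treat it as a way to reason about rule order, not as a substitute for testing against the real site.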
