I am trying to set up a forms authentication application where all pages are accessible to authenticated users with the exception of the login page which is open to all or anonymous users.
I set up web.config like below:
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Login.aspx" timeout="3"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
...
</system.web>
....
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?"/>
<!-- also tried this
<allow users="*"/>
-->
</authorization>
</system.web>
</location>
I also set the start page (in VS 2019) to login.aspx. When I run it I still get:
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server.
I solved the problem by moving login.aspx to a folder (I called it Account). I added a web.config in this folder with content:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>
I removed the "location" part from main web.config. So it looks like:
<system.web>
<authentication mode="Forms">
<forms name=".ADAuthCookie" loginUrl="~/Account/Login.aspx" timeout="3"/>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
....
</system.web>
Related
I have a site that uses forms authentication site wide, with some pages within as exceptions where they are allowed to be viewed with anonymous access. I want the default doc, index.aspx to be viewable via anonymous access. It grants me access if I specify index.aspx in the url, but if I type in the domain name only, I get redirected to connectionTest.aspx (the login page for the site). I have confirmed that index.aspx is the default doc. So there's something wrong with my web config entry for index.aspx
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="30" />
<authorization>
<deny users="?" />
</authorization>
<location path="~/index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Your issue is come because you did not have declare the domain on the form authentication. Because the authentication is base on cookie and you need to access it with out the www. in front you need to declare it as:
<authentication mode="Forms">
<forms name=".ASPXAUTH" domain="demo.com" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
when you set the domain with out the www. in front then all cookies from the domain are the same one, if you do not declare that, then each cookie is depends from the sub-domain and are different - so you logged out.
the same stands and for the cookie it self.
Similar answer : Multiple applications using same login database logging each other out
As a test, I have created an empty c# web application.
then I created 5 empty pages in the same folder(directly under webApplication folder):
WebForm1.aspx
WebForm2.aspx
WebForm3.aspx
WebForm4.aspx
login.aspx
after that I tried to limit access to some of these pages.
WebForm1, WebForm2 should be access by all (Anonymous users)
WebForm3 must be access by only authenticated users.
WebForm4 must be access by only admins.
so I modified web.config file to be like following:
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication>
<forms defaultUrl="WebForm1.aspx" loginUrl="login.aspx"></forms>
</authentication>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<location path="WebForm3.aspx">
<system.web>
<authentication></authentication>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="WebForm4.aspx">
<system.web>
<authentication></authentication>
<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
now all users can access WebForm1 and WebForm2 (public pages)
but trying to browse WebForm3.aspx or WebForm4.aspx displays error, and does not redirect to login page first for admin.
Server Error in '/' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Source Error:
Line 18: <location path="WebForm3.aspx">
Line 19: <system.web>
Line 20: <authentication></authentication>
Line 21: <authorization>
Line 22: <allow users="*"/>
Source File: E:\testApp\testApp\web.config Line: 20
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34280
how to control accessing all pages with kipping them in the same folder? the real application structure is similar to this one.
According to the <authentication> documentation.
This element can be declared only at the machine, site, or application level. Any attempt to declare it in a configuration file at the subdirectory or page level will result in a parser error message.
Removing these from your <location> tags should get it working again.
<location path="WebForm3.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="WebForm4.aspx">
<system.web>
<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Note this is is a slight variation on a previous question that I had..
I am using c# .NET Web Forms 4.0
I have a folder like the following that I need to password protect so anybody(any external users can also view site) wanting to view the page needs to first enter a userid, password (that we tell them) in order to view the page.
example:
www.abc.com/srlv/
so under srlv I have web pages that need to be password protected.
Note that we need to authenticate only if the user goes to a file under /srlv/
Note that these are .html files, not .aspx files.
www.abc.com/srlv/index.html, www.abc.com/srlv/about.html
but if the user goes to say www.abc.com it will allow them to view the website without any authentication
I was thinking of using the following:
<authenticaton mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear">
<user name="Usw" password="pass123"/>
</credentials>
</forms>
</authentication>
but how do I say authenticate only if you go to any files within
www.abc.com/srlv/
You can use the location element in web.config to configure permissions for sections of your website
<configuration>
<location path="srlv">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This will deny access to anonymous users.
You need to create a web.config file in the target folder with the following contents.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="Usw"/>
<deny users ="*,?" />
</authorization>
</system.web>
</configuration>
It simply says, to allow user Usw but deny everyone else.
Location can help you..
http://support.microsoft.com/kb/316871
Simply get access to all unauthorized users and block only specific folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
In my web.config I have this authentication setting:
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
For some reason, if I comment it out I can see my website just perfectly with all the assets (js, css, images), but if I uncomment it, none of the assets can be reached, instead it just redirects to login page.
here is a nice in-depth article for you. basically, it says you can configure this in your web.config by adding <location> blocks like so:
<!-- file level access -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- folder access (and its contents) -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
from this KB article and a bit more info here.
Use Location element.
<location path="~/css">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Looks like assets are served via ASP.NET pipeline. Check the following topic:
Prevent IIS from serving static files through ASP.NET pipeline
The
deny users="?"
is saying that no unauthenticated users can access the site at the root and it will redirect to the login page. I normally always keep the root (/) public (allow users="*") and have protected folders set up using the location. That will keep images, css and script folders under the root available for public access.
This should probably work for you if you can move your protected pages into another folder easily:
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="login.aspx" name="signin" path="/" protection="All" timeout="525600">
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
<location path="protected">
<authorization>
<deny users="?" />
</authorization>
</location>
</configuration>
in asp.net, i use this config section to deny anonymous users for all pages.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
and i use the following to declare an exception that anonymous can access.
<location path="Welcome.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
that works fine for me.
however, how can i set only the default page as an exception?
(such as: anonymous can access only http://mysite/, but can NOT access any other pages in the site?)
i'v tried use location path="~/" or "/" and it doesn't work.
If path="Default.aspx" doesn't work then it cannot be done using configuration. There's no syntax available to specify only the application root in the path attribute.
I think you can change your folder structre to achieve this. Then you can change the web.config to deny user
<configuration>
<system.web>
<authorization>
<allow roles="administrators" />
<deny users="?" />
</authorization>
</system.web>
</configuration>