I am new in MVC.
I want to restrict my img folder role wise but:
I don't know how to create custom role. So please guide me on how I mange Custom Role Management?
web.config
<location path="img" allowOverride="false">
<system.web>
<authorization lockItem="true">
<allow roles="member"/>
<deny users="*" />
</authorization>
</system.web>
</location>
I have provided above code in web.config file.
<authentication mode="Forms">
<forms name="SiteUser" path="~" loginUrl="~/Login/Login" protection="All" timeout="30"/>
</authentication>
When I try in URL location http://localhost:51116/img
it automatically redirects me on login page but when I write http://localhost:51116/img/1-1.png
at that time I can access my file.
I want to restrict that folder and file inside that folder role wise.
Please help me.
Related
I have a site that uses forms authentication site wide, with some pages within as exceptions where they are allowed to be viewed with anonymous access. I want the default doc, index.aspx to be viewable via anonymous access. It grants me access if I specify index.aspx in the url, but if I type in the domain name only, I get redirected to connectionTest.aspx (the login page for the site). I have confirmed that index.aspx is the default doc. So there's something wrong with my web config entry for index.aspx
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="30" />
<authorization>
<deny users="?" />
</authorization>
<location path="~/index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Your issue is come because you did not have declare the domain on the form authentication. Because the authentication is base on cookie and you need to access it with out the www. in front you need to declare it as:
<authentication mode="Forms">
<forms name=".ASPXAUTH" domain="demo.com" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
when you set the domain with out the www. in front then all cookies from the domain are the same one, if you do not declare that, then each cookie is depends from the sub-domain and are different - so you logged out.
the same stands and for the cookie it self.
Similar answer : Multiple applications using same login database logging each other out
I'm currently trying to add password authentication to two of my pages Page1.aspx, and Page2.aspx which are both located in the "Admin" folder but am not sure what I'm missing to make it work. The code that is in my web.config file is shown below, what am I missing or misplacing in the code?
Clarification: I want to require a login which I have a page called 'Login.aspx' to two pages within one folder and I just want to set the location path to that folder instead of two location paths, one to each page.
<system.web>
<compilation debug="true" targetFramework="4.5"/>
<httpRuntime targetFramework="4.5"/>
<authentication mode ="Forms">
<forms timeout = "30">
<credentials passwordFormat ="MD5">
<user name ="admin" password ="21232F297A57A5A743894A0E4A801FC3"/>
</credentials>
</forms>
</authentication>
</system.web>
<!-- Require login for Admin Directory -->
<location path ="Admin">
<system.web>
<authorization>
<deny users ="?"/>
</authorization>
</system.web>
</location>
I am using Roll management and I am trying to give page and folder access according to user or user group, Also using server created AD group for user authentication.
I have default1.aspx page as default and subdir1 folder to give different access for separate user group
I am using below logic in web.config.
<location path="subdir1">
<system.web>
<authorization>
<allow users ="?" />
</authorization>
</system.web>
</location>
I am facing problem to provide same access to 2 or more directory to same user so should I have to provide allow user code twice for both folder?
I can use this logic by repeating value for all folder but I want to do all access providing in one logic.
I have got the answer to configure folder/page access, For that i have to make different access as shown below..
Configure Access to a Specific File and Folder, Set up forms-based authentication.
Request any page in application to be redirected to Logon.aspx automatically.
In the Web.config file, done the following code.
This code grants all users access to the Default1.aspx page and the Subdir1 folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Users can open the Default1.aspx file or any other file saved in the Subdir1 folder in your application. They will not be redirected automatically to the Logon.aspx file for authentication.
Repeat configuration Step to identify any other pages or folders for which you want to permit access by unauthenticated users.
For more Reference check Microsoft support page - https://support.microsoft.com/en-us/kb/301240
And also you can check http://www.iis.net/configreference/system.webserver/security/authorization
After you have to do coding on login page for reference check this -> http://www.codeproject.com/Articles/13872/Form-authentication-and-authorization-in-ASP-NET
Actually, the asp.net user access management spans widely so I've decided to introduce you two links which help me a lot. Hope this could help you as well.
Understanding Role Management
Walk through role management
Note this is is a slight variation on a previous question that I had..
I am using c# .NET Web Forms 4.0
I have a folder like the following that I need to password protect so anybody(any external users can also view site) wanting to view the page needs to first enter a userid, password (that we tell them) in order to view the page.
example:
www.abc.com/srlv/
so under srlv I have web pages that need to be password protected.
Note that we need to authenticate only if the user goes to a file under /srlv/
Note that these are .html files, not .aspx files.
www.abc.com/srlv/index.html, www.abc.com/srlv/about.html
but if the user goes to say www.abc.com it will allow them to view the website without any authentication
I was thinking of using the following:
<authenticaton mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear">
<user name="Usw" password="pass123"/>
</credentials>
</forms>
</authentication>
but how do I say authenticate only if you go to any files within
www.abc.com/srlv/
You can use the location element in web.config to configure permissions for sections of your website
<configuration>
<location path="srlv">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This will deny access to anonymous users.
You need to create a web.config file in the target folder with the following contents.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="Usw"/>
<deny users ="*,?" />
</authorization>
</system.web>
</configuration>
It simply says, to allow user Usw but deny everyone else.
Location can help you..
http://support.microsoft.com/kb/316871
Simply get access to all unauthorized users and block only specific folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
I cannot seem to isolate my forums to set different permissions for them than the rest of the site.
Here is the setup for my site.
<location path=".">
<system.web>
<authentication mode="None" />
</system.web>
</location>
I need to isolate my forums. At the moment, for testing purposes, I have it setup so that all users are denied access.
<location path="~/public/public-forum.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="public/login.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
What I'm finding is that I can still access the forum page. This suggests to me that this isn't setup correctly.
Does the path attribute have to be relative? Does it have to point to the URL that the page is accessed through or the rewritten path? ~/public/public-forum.aspx is a virtual path that is rewritten so neither the directly nor the file exists with those names. Why does this currently not work?
I hope that's enough detail for a solution.
edit2:
So the solution isn't only in the comments :
As far as i know you cannot specify an authenticationmode per location.
You could set the forms authentication mode throughout your site and only require logged in users in the secure parts.
edit:
mmmh strange , are you sure you only edited the ~ away?
They discuss your problem here but i can't imagine how changing the ~ would trigger it.
Could you perhaps post your entire web.config?
Also : are you using iis 6 and virtual directories?
The ~ sign is not needed , try this :
<location path="public/public-forum.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="public/login.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>