Location in web.config of secured pages - c#

I am developing a web application in ASP.NET 4.0, in which I have two types of pages: "Secured" and "Unsecured".
To access the secured pages, I am using the location tag in my secured pages' web.config, and the user must log in successfully. After that login I copy the URL and then log out.
My expected result: when I paste that URL into the browser, it should display the login page again.
So please give me an example related to my query.
Thanks in advance.

You need to use the authorization tag in your location to restrict access for anonymous users e.g.
<location path="Secured.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

What I do is create a folder (perhaps named 'Secure') and add a web.config file inside the folder. It will be very small... possibly as simple as this (which only permits logged-in users):
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>
Any page added to the folder will cause a login prompt upon access without the need to do anything else on your part. This is assuming you are using ASP.Net Membership/Security features (as it sounds like from your question).
Note: the additional/small web.config file will be limited to the scope of the folder that contains it.
If you wanted to create a couple roles (we do this for our Internal Admin pages), you can restrict access to only users tied to those roles... it's pretty easy. The following web.config is in our Admin folder that contains all our admin pages...
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow roles="FullClearance" />
<allow roles="HighClearance" /><!-- mgr clearance-->
<allow roles="StandardClearance" /> <!-- staff clearance-->
<deny users="*" /><!-- all remaining users (anyone not allowed above) -->
<deny users="?" /><!-- anonymous users -->
</authorization>
</system.web>
</configuration>

Related

How to use Authorization & Authentication in Asp.net, C#?

I am using role management and I am trying to give page and folder access according to user or user group. I am also using a server-created AD group for user authentication.
I have the default1.aspx page as the default and the subdir1 folder, to give different access to separate user groups.
I am using the logic below in web.config.
<location path="subdir1">
<system.web>
<authorization>
<allow users ="?" />
</authorization>
</system.web>
</location>
I am facing a problem providing the same access to two or more directories for the same user. Do I have to provide the allow-user code twice, once for each folder?
I can use this logic by repeating the value for every folder, but I want to provide all access in one piece of logic.
I have got the answer for configuring folder/page access. For that I have to set up different access as shown below.
Configure access to a specific file and folder; set up forms-based authentication.
A request for any page in the application is redirected to Logon.aspx automatically.
In the Web.config file, I added the following code.
This code grants all users access to the Default1.aspx page and the Subdir1 folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies anonymous users access to all files in this application, except for those explicitly permitted by another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
Users can open the Default1.aspx file or any other file saved in the Subdir1 folder in your application. They will not be redirected automatically to the Logon.aspx file for authentication.
Repeat this configuration step for any other pages or folders for which you want to permit access by unauthenticated users.
For more Reference check Microsoft support page - https://support.microsoft.com/en-us/kb/301240
And also you can check http://www.iis.net/configreference/system.webserver/security/authorization
After that, you have to write the code for the login page; for reference, check this: http://www.codeproject.com/Articles/13872/Form-authentication-and-authorization-in-ASP-NET
Actually, ASP.NET user access management is a wide topic, so I've decided to introduce you to two links which helped me a lot. Hope they help you as well.
Understanding Role Management
Walk through role management

I want to disable requiring authentication for one MVC controller action

I have created an MVC application and I don't want authentication for one piece of functionality in it. I want the user to be able to open the page from the URL without logging in. Right now, if I enter the URL to open that functionality directly, it takes me to the sign-on page. I want to bypass the authentication process for that one piece of functionality.
I have tried the following code in my web.config.
<location path="ControllerName">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
And I have also added the [AllowAnonymous] attribute to some actions of my controller.
The following is the code that I have written for authentication in my web.config.
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthentication"/>
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule"/>
<remove name="AuthorisationModule"/>
<add name="AuthorisationModule" type="ProjectName.AuthorisationModule, Project Name"/> <!-- custom module used for authentication -->
</modules>
There is authentication for the whole application and I want to discard the authentication for just one feature of my MVC application. So I have added the following code in my web.config:
<location path="ControllerName">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
So using this code it's working fine.
Something that may help with your issue is the fact that you can have multiple web.config files -- if you put a web.config in a subdirectory within your project, then you can include configuration options specific only to that subdirectory. As such, you may want to try adding a subfolder to contain just the controller which you want to make publicly available, and then creating a separate web.config file allowing open access to that subdirectory. As per this answer regarding wildcards in web.config files, here is example code that should suffice as a standalone web.config to provide
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow users="*"/> <!-- open access for everything in this subdirectory -->
</authorization>
</system.web>
</configuration>
That way you don't have to mess around with specifying the one controller or action you want to give access to, as the distinction is made by the organization of the files in the directory structure.

ASP.NET WebForms Url authorization and an infinite loop. Web.config not working?

I've created a website which uses ASP.NET Identity for user account functionality.
I want to restrict access to all pages in a specific folder ("Account") except "Login" and "Register" in my application using standard url authorization.
Not logged-in users should be able to open only "Account/Login" and "Account/Register" and those authenticated should be able to open everything else except those pages.
The root Web.config has no authorization rules and a Web.config which I put in the Account folder has that:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="?"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
With those rules, however, there is a problem. Requesting any page in that folder, including "Login.aspx", causes a redirection to http://localhost:15284/Account/Login. As I said, even requesting the "Login" page redirects back to itself just like the user wasn't allowed so an infinite loop is created. That loop causes HTTP 404.15, because the query string exceeds its length limit ("?ReturnUrl=%2FAccount%2FLogin" is appended to the URL on every redirection).
Are my rules incorrect, or is this something else?
Perhaps the problem is somehow related to ASP.NET Identity?
Or maybe this is happening because of url rewriting (enabled by default in VS 2013 WebForms template)?
Without that Web.config the website of course works but everyone has access to everything which is not really something I want.
Thanks in advance and sorry for my English! :)
Try
<location path="Login.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This should allow access to unauthenticated users
Use the folder "account", or create another one into which you can put the pages that you want to be accessible to anonymous users, with its own web.config that contains the following configuration:
<configuration>
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</configuration>
As you can see, this is done without using the "location" tag
<location path="Login.aspx">
whereas in the root web.config this remains:
<authorization>
<deny users="?"/>
</authorization>
This is a workaround because as explained in this article: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
"Rules contained in application-level configuration files take precedence over inherited rules.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list"
A bit old thread, but I hope this helps, at least someone.
The redirect to /Account/Login comes from Startup.cs, which by default is somewhat like the following:
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Unauthenticated requests are redirected to LoginPath.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
    }
}
So, replace the LoginPath = new PathString("/Account/Login") with your login path.
I struggled with the same problem for a while, but it works now..
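
How the rules quoted in this thread and the others on this page are evaluated, as an added example (not code from any of the posts, and not ASP.NET's own implementation): a simplified Python model of URL authorization in which the nearest configuration's rules head the merged list and the first matching rule decides. It ignores the verbs attribute and assumes case-insensitive name matching; the function names and the user names bob and carol are hypothetical.

```python
import xml.etree.ElementTree as ET

# Rule from the machine-level config; it is evaluated after every site rule.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'

def parse_rules(authorization_xml):
    """Return [(action, users, roles)] in document order for one block."""
    rules = []
    for el in ET.fromstring(authorization_xml):
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules

def rule_matches(users, rule_roles, user, user_roles):
    if "*" in users:            # "*" matches every user, anonymous included
        return True
    if user is None:            # "?" matches anonymous requests only
        return "?" in users
    held = {r.lower() for r in user_roles}
    return user.lower() in users or any(r in held for r in rule_roles)

def is_allowed(config_chain, user=None, roles=()):
    """config_chain: <authorization> blocks, nearest to the URL first."""
    for block in list(config_chain) + [MACHINE_DEFAULT]:
        for action, users, rule_roles in parse_rules(block):
            if rule_matches(users, rule_roles, user, roles):
                return action == "allow"   # first match decides
    return True  # not reached: MACHINE_DEFAULT matches everyone

# Constructed inputs: <authorization> blocks quoted on this page.
ROOT_DENY_ANON = '<authorization><deny users="?"/></authorization>'
CHILD_ALLOW_ANON = '<authorization><allow users="?"/></authorization>'
ADMIN_ROLES = ('<authorization><allow roles="FullClearance"/>'
               '<allow roles="HighClearance"/><allow roles="StandardClearance"/>'
               '<deny users="*"/><deny users="?"/></authorization>')
DENY_THEN_ALLOW = ('<authorization><deny users="user1,user2"/>'
                   '<allow users="*"/></authorization>')
ALLOW_THEN_DENY = ('<authorization><allow users="*"/>'
                   '<deny users="user1,user2"/></authorization>')

if __name__ == "__main__":
    print("anonymous, child over root:", is_allowed([CHILD_ALLOW_ANON, ROOT_DENY_ANON]))
    print("anonymous, root only:", is_allowed([ROOT_DENY_ANON]))
    print("no-role user, Admin folder:", is_allowed([ADMIN_ROLES], "bob"))
    print("user1, allow listed first:", is_allowed([ALLOW_THEN_DENY], "user1"))
```

A deny rule placed after `<allow users="*"/>` in the same block never fires, which is why the order of rules inside each `<authorization>` element matters as much as which file they sit in.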

c# authentication for only subdirectory for any user

Note this is a slight variation on a previous question that I had.
I am using C# .NET Web Forms 4.0.
I have a folder like the following that I need to password protect, so anybody (external users can also view the site) wanting to view the page first needs to enter a user ID and password (that we tell them) in order to view the page.
example:
www.abc.com/srlv/
so under srlv I have web pages that need to be password protected.
Note that we need to authenticate only if the user goes to a file under /srlv/
Note that these are .html files, not .aspx files.
www.abc.com/srlv/index.html, www.abc.com/srlv/about.html
but if the user goes to say www.abc.com it will allow them to view the website without any authentication
I was thinking of using the following:
<authentication mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear">
<user name="Usw" password="pass123"/>
</credentials>
</forms>
</authentication>
but how do I say authenticate only if you go to any files within
www.abc.com/srlv/
You can use the location element in web.config to configure permissions for sections of your website
<configuration>
<location path="srlv">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This will deny access to anonymous users.
You need to create a web.config file in the target folder with the following contents.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="Usw"/>
<deny users ="*,?" />
</authorization>
</system.web>
</configuration>
It simply says, to allow user Usw but deny everyone else.
Location can help you..
http://support.microsoft.com/kb/316871
Simply get access to all unauthorized users and block only specific folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies anonymous users access to all files in this application, except for those explicitly permitted by another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
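
An added example, not part of any post on this page: a small Python audit of the `<forms>` settings quoted in this thread, flagging protection="None", cookieless="UseUri" and passwordFormat="Clear". The function name and the hardened variant are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

def audit_forms_auth(web_config_xml):
    """Return [(setting, finding)] for weak <forms> settings in one web.config."""
    findings = []
    for forms in ET.fromstring(web_config_xml).iter("forms"):
        # Only protection="All" (the default) both encrypts and validates the ticket.
        protection = forms.get("protection", "All")
        if protection.lower() != "all":
            findings.append(("protection=" + protection,
                             "ticket is not both encrypted and validated"))
        # UseUri embeds the ticket in every URL (logs, Referer, copied links).
        if forms.get("cookieless", "").lower() == "useuri":
            findings.append(("cookieless=UseUri",
                             "authentication ticket is carried in the URL"))
        for creds in forms.iter("credentials"):
            if creds.get("passwordFormat", "").lower() == "clear":
                names = [u.get("name", "") for u in creds.iter("user")]
                findings.append(("passwordFormat=Clear",
                                 "plaintext passwords for: " + ", ".join(names)))
    return findings

# Constructed inputs built from the <forms> elements quoted on this page.
SRLV_FORMS = """<configuration><system.web><authentication mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear"><user name="Usw" password="pass123"/></credentials>
</forms></authentication></system.web></configuration>"""
KB_FORMS = """<configuration><system.web><authentication mode="Forms">
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20"/>
</authentication></system.web></configuration>"""
# Assumed corrected variant: validated and encrypted ticket, cookie only, HTTPS only.
HARDENED_FORMS = """<configuration><system.web><authentication mode="Forms">
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="20"
       cookieless="UseCookies" requireSSL="true"/>
</authentication></system.web></configuration>"""

if __name__ == "__main__":
    for label, cfg in (("srlv", SRLV_FORMS), ("kb", KB_FORMS), ("hardened", HARDENED_FORMS)):
        print(label, audit_forms_auth(cfg))
```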

Asp.net : How to deny a page to be accessed by users and set permissions?

I have some ASP.NET pages, and I want to prevent them from being accessed by direct link.
So I need to make one page that can be accessed only by administrators and one page that can be accessed by logged-in users.
How can I do that? Can someone explain or show a good example?
Thank you
You can create a folder with the pages that need to be accessed by a set of users. Inside the folder you can create a web.config with the restriction.
e.g.
<configuration>
<system.web>
<authorization>
<deny users="user1,user2" />
<allow users="*" />
</authorization>
</system.web>
</configuration>
You can find more about ASP.NET Security
Update
On successful login you can add the users to a specific role.
e.g. you are assigned to the role users
then you can modify the web.config
<authorization>
<allow roles="users" />
<deny users="*" />
</authorization>
