I cannot seem to isolate my forums to set different permissions for them than the rest of the site.
Here is the setup for my site.
<location path=".">
<system.web>
<authentication mode="None" />
</system.web>
</location>
I need to isolate my forums. At the moment, for testing purposes, I have it setup so that all users are denied access.
<location path="~/public/public-forum.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="public/login.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
What I'm finding is that I can still access the forum page. This suggests to me that this isn't setup correctly.
Does the path attribute have to be relative? Does it have to point to the URL that the page is accessed through or the rewritten path? ~/public/public-forum.aspx is a virtual path that is rewritten so neither the directly nor the file exists with those names. Why does this currently not work?
I hope that's enough detail for a solution.
edit2:
So the solution isn't only in the comments :
As far as i know you cannot specify an authenticationmode per location.
You could set the forms authentication mode throughout your site and only require logged in users in the secure parts.
edit:
mmmh strange , are you sure you only edited the ~ away?
They discuss your problem here but i can't imagine how changing the ~ would trigger it.
Could you perhaps post your entire web.config?
Also : are you using iis 6 and virtual directories?
The ~ sign is not needed , try this :
<location path="public/public-forum.aspx">
<system.web>
<authentication mode="Forms">
<forms loginUrl="public/login.aspx" />
</authentication>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Related
I have a site that uses forms authentication site wide, with some pages within as exceptions where they are allowed to be viewed with anonymous access. I want the default doc, index.aspx to be viewable via anonymous access. It grants me access if I specify index.aspx in the url, but if I type in the domain name only, I get redirected to connectionTest.aspx (the login page for the site). I have confirmed that index.aspx is the default doc. So there's something wrong with my web config entry for index.aspx
<authentication mode="Forms">
<forms name=".ASPXAUTH" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
<sessionState mode="InProc" cookieless="false" timeout="30" />
<authorization>
<deny users="?" />
</authorization>
<location path="~/index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="index.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Your issue is come because you did not have declare the domain on the form authentication. Because the authentication is base on cookie and you need to access it with out the www. in front you need to declare it as:
<authentication mode="Forms">
<forms name=".ASPXAUTH" domain="demo.com" loginUrl="connectionTest.aspx" timeout="30" />
</authentication>
when you set the domain with out the www. in front then all cookies from the domain are the same one, if you do not declare that, then each cookie is depends from the sub-domain and are different - so you logged out.
the same stands and for the cookie it self.
Similar answer : Multiple applications using same login database logging each other out
I am new in MVC.
I want to restrict my img folder role wise but:
I don't know how to create custom role. So please guide me on how I mange Custom Role Management?
web.config
<location path="img" allowOverride="false">
<system.web>
<authorization lockItem="true">
<allow roles="member"/>
<deny users="*" />
</authorization>
</system.web>
</location>
I have provided above code in web.config file.
<authentication mode="Forms">
<forms name="SiteUser" path="~" loginUrl="~/Login/Login" protection="All" timeout="30"/>
</authentication>
When I try in URL location http://localhost:51116/img
it automatically redirects me on login page but when I write http://localhost:51116/img/1-1.png
at that time I can access my file.
I want to restrict that folder and file inside that folder role wise.
Please help me.
I have a OData web api on visual studio using the ADO.NET Framework. I am getting an authentication window on chrome, I removed the authorize parts from the controllers and web.config file, yet the window asking username and password is coming.
How to remove it ?
My web.config file has
<system.web>
<authentication mode="Windows">
<forms requireSSL="true" />
</authentication>
<authorization>
<allow roles="myService" />
<deny users="*" />
</authorization>
which I removed but still authentication window is opening. Thanks a lot for your help.
Use None as mode for authentication-Element. The default value when you do not specify anything is Windows. More information about ASP.NET Authentication can be found here
<authentication mode="None">
<!--<forms requireSSL="true" />-->
</authentication>
Note this is is a slight variation on a previous question that I had..
I am using c# .NET Web Forms 4.0
I have a folder like the following that I need to password protect so anybody(any external users can also view site) wanting to view the page needs to first enter a userid, password (that we tell them) in order to view the page.
example:
www.abc.com/srlv/
so under srlv I have web pages that need to be password protected.
Note that we need to authenticate only if the user goes to a file under /srlv/
Note that these are .html files, not .aspx files.
www.abc.com/srlv/index.html, www.abc.com/srlv/about.html
but if the user goes to say www.abc.com it will allow them to view the website without any authentication
I was thinking of using the following:
<authenticaton mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear">
<user name="Usw" password="pass123"/>
</credentials>
</forms>
</authentication>
but how do I say authenticate only if you go to any files within
www.abc.com/srlv/
You can use the location element in web.config to configure permissions for sections of your website
<configuration>
<location path="srlv">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This will deny access to anonymous users.
You need to create a web.config file in the target folder with the following contents.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="Usw"/>
<deny users ="*,?" />
</authorization>
</system.web>
</configuration>
It simply says, to allow user Usw but deny everyone else.
Location can help you..
http://support.microsoft.com/kb/316871
Simply get access to all unauthorized users and block only specific folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
I am doing simple forms authentication for a small ASP.NET (3.5, C#) application and setting up my usernames and passwords in the web.config.
I would like to apply the default stylesheet and include the header graphic (included on every other page) but the graphic and stylesheet won't apply, presumably because the anonymous user doesn't have access to those two files. Is there some easy way for me to add them or some other way to make the image appear on the page?
Here is the relevent section of the web.config:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH"
path="/"
loginUrl="login.aspx"
protection="All" timeout="30">
<credentials passwordFormat="SHA1">
<user
name="testuser"
password="hashgoeshere"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
The stylesheet is at:
/stylesheet.css
and the image is at:
/img/logoimage.png
Thanks. This site makes me happy because hopefully it will make Experts Exchange and their lame paywall DIE!
You can add exceptions in your Web.Config using location-specific rules (add these after the System.Web section):
<location path="stylesheet.css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="img/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>