In my previous question here i was experiencing difficulties with Authenticating webservices. With the use of the WcfRestContrib library which i found here i was able to solve this issue. I build a small testapplication and the authentication works like a charm.
But while i'm implementing this in the webapplication where i want to use the webservice authentication part, i keep getting the problem that the used Forms Authentication in the webapplication keeps redirecting me to the login page.
I've got the following configuration part in the web.config of my webapplication. This is the application where i'm trying to call the service by it's url;
http://website.localhost/Services/Info.svc/account
The web.config for the website.localhost contains the following parts;
<location path="Services">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.serviceModel>
<extensions>
<behaviorExtensions>
<add name="webAuthentication" type="WcfRestContrib.ServiceModel.Configuration.WebAuthentication.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="errorHandler" type="WcfRestContrib.ServiceModel.Configuration.ErrorHandler.BehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
<add name="webErrorHandler" type="WcfRestContrib.ServiceModel.Configuration.WebErrorHandler.ConfigurationBehaviorElement, WcfRestContrib, Version=1.0.6.107, Culture=neutral, PublicKeyToken=89183999a8dc93b5"/>
</behaviorExtensions>
</extensions>
<behaviors>
<serviceBehaviors>
<behavior name="Rest">
<webAuthentication requireSecureTransport="false" authenticationHandlerType="WcfRestContrib.ServiceModel.Dispatcher.WebBasicAuthenticationHandler, WcfRestContrib" usernamePasswordValidatorType="CMS.Backend.Services.SecurityValidator, CMS.Backend" source="CMS.Backend"/>
<errorHandler errorHandlerType="WcfRestContrib.ServiceModel.Web.WebErrorHandler, WcfRestContrib"/>
<webErrorHandler returnRawException="true" logHandlerType="CMS.Backend.Services.LogHandler, CMS.Backend" unhandledErrorMessage="An error has occured processing your request. Please contact technical support for further assistance."/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>
I'm excluding the Services directory from authentication by giving all anonymous users acces, this is the part causing problems i think.
My service (Info) contains the following attributes
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
[ServiceConfiguration("Rest", true)]
public class Info : IInfo
{
//Some foo hapens
}
The web.config of the service contains this;
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
Whenever i try the above supplied url to make a call to the service i'm being redirected to the login page of the website on http://website.localhost/Logon. How can i prevent this from happening? As far as i know the web.config should be correct.
--THE FINAL SOLUTION--
I modified the web.config to look like this;
<sytem.web>
//site config
</system.web>
<location inheritInChildApplications="false">
<system.web>
<authentication mode="Forms">
<forms name="AllPages" loginUrl="~/Logon/" timeout="360" enableCrossAppRedirects="false" />
</authentication>
</system.web>
</location>
I Also removed this rule from the web.config which i added in an earlier state. Apperently it conflicted with the added location tag and the web.config in the service itsself
<location path="Services" >
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You should prevent inheritance of the settings that are specified in the associated configuration section and inherited by applications that reside in a subdirectory of the relevant application.
Try to put your site "system.web" section into "location" section:
<location inheritInChildApplications="false">
<system.web>
<!-- your site system web settings -->
</system.web>
</location>
Hope it helpful.
Related
I am adding a check for session timeout and added this code to the web.config file.
<deny users = "?">
and it works and redirects users to the login page when the session expires. When I build the project from Visual Studio the first time, its missing the images and css files. Here is the warning I am seeing in the console.
CSS was ignored due to mime type mismatch
When I remove the deny users code it works as expected. I am not sure why this would cause any issues. Does it have something to do with users not being able to access the content since its denied? What would be the best way to handle this issue?
I have tried adding Sessionstate
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1" defaultUrl="~/" />
</authentication>
<sessionState mode="InProc" customProvider="DefaultSessionProvider" timeout="1">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
</providers>
</sessionState>
and
<modules runAllManagedModulesForAllRequests="true" >
<remove name="UrlRoutingModule"/>
</modules>
to the config file and it does not fix the issue. I also verified that the static content is hosted in IIS. Any help will be appreciated. thank you.
I suspect the reason it is giving you a mime type mismatch is because when you request the css file or images the server is responding with your login screen because they are not authenticated. Something like this:
Browser requests CSS File -> Not Authenticated -> Cancel Request -> Respond with login screen
To fix this you need to allow unauthenticated access to your static resources.
Deny access to unauthenticated users
<authorization>
<deny users="?"/>
</authorization>
Allow access to css/images for unauthenticated users
<location path="App_Themes/Default/DefaultStyleSheet.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
The location path attribute can either be the path to a single file or add to the folder where they are all stored. Alternatively, you can add a web.config file to the folder that contains your css/images.
Here is what I tried and it seems to work on Chrome but not IE. Will need to do more testing but here is my latest changes
<location path="~/Account/Login">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
and added to the authorization for session timeout check.
As a test, I have created an empty c# web application.
then I created 5 empty pages in the same folder(directly under webApplication folder):
WebForm1.aspx
WebForm2.aspx
WebForm3.aspx
WebForm4.aspx
login.aspx
after that I tried to limit access to some of these pages.
WebForm1, WebForm2 should be access by all (Anonymous users)
WebForm3 must be access by only authenticated users.
WebForm4 must be access by only admins.
so I modified web.config file to be like following:
<?xml version="1.0" encoding="utf-8"?>
<!--
For more information on how to configure your ASP.NET application, please visit
http://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
<authentication>
<forms defaultUrl="WebForm1.aspx" loginUrl="login.aspx"></forms>
</authentication>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
<location path="WebForm3.aspx">
<system.web>
<authentication></authentication>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="WebForm4.aspx">
<system.web>
<authentication></authentication>
<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
now all users can access WebForm1 and WebForm2 (public pages)
but trying to browse WebForm3.aspx or WebForm4.aspx displays error, and does not redirect to login page first for admin.
Server Error in '/' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
Source Error:
Line 18: <location path="WebForm3.aspx">
Line 19: <system.web>
Line 20: <authentication></authentication>
Line 21: <authorization>
Line 22: <allow users="*"/>
Source File: E:\testApp\testApp\web.config Line: 20
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34280
how to control accessing all pages with kipping them in the same folder? the real application structure is similar to this one.
According to the <authentication> documentation.
This element can be declared only at the machine, site, or application level. Any attempt to declare it in a configuration file at the subdirectory or page level will result in a parser error message.
Removing these from your <location> tags should get it working again.
<location path="WebForm3.aspx">
<system.web>
<authorization>
<allow users="*"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="WebForm4.aspx">
<system.web>
<authorization>
<allow roles="admins"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have successfully set up a test area on my website which is authenticated using forms auth on iis 8. I am using this in integrated mode with asp.net which as I understand should mean that with the correct web.config file I am able to make the server use the asp.net auth on everything not just URLs. If I try and navigate to a page that I haven't entered the credentials for it returns an error 403, which is what I expect. However if I put in the path of a file stored on the site exactly, it downloads the file without the need for credentials to be provided. Here is my current top level web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="false">
</compilation>
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" loginUrl="default.aspx" />
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="staff/test/test">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<system.webServer>
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="RoleManager" />
<add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
</system.webServer>
The area /staff/test/test has a word document in it. If I type www.website.com/staff/test/test/test.doc into my browser is downloads the file.
What should I change to secure that file?
Thanks for your replies. In the end it turned out to be the security permissions on the root of the website. The code I originally pasted on here worked fine I had the server\users group having read permissions where as I only needed iis_iusers having read permissions.
Thanks again
Note this is is a slight variation on a previous question that I had..
I am using c# .NET Web Forms 4.0
I have a folder like the following that I need to password protect so anybody(any external users can also view site) wanting to view the page needs to first enter a userid, password (that we tell them) in order to view the page.
example:
www.abc.com/srlv/
so under srlv I have web pages that need to be password protected.
Note that we need to authenticate only if the user goes to a file under /srlv/
Note that these are .html files, not .aspx files.
www.abc.com/srlv/index.html, www.abc.com/srlv/about.html
but if the user goes to say www.abc.com it will allow them to view the website without any authentication
I was thinking of using the following:
<authenticaton mode="Forms">
<forms loginUrl="/srcs/login.aspx" timeout="30" defaultUrl="/srlv/index.aspx" cookieless="UseUri">
<credentials passwordFormat="Clear">
<user name="Usw" password="pass123"/>
</credentials>
</forms>
</authentication>
but how do I say authenticate only if you go to any files within
www.abc.com/srlv/
You can use the location element in web.config to configure permissions for sections of your website
<configuration>
<location path="srlv">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
</configuration>
This will deny access to anonymous users.
You need to create a web.config file in the target folder with the following contents.
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<allow users="Usw"/>
<deny users ="*,?" />
</authorization>
</system.web>
</configuration>
It simply says, to allow user Usw but deny everyone else.
Location can help you..
http://support.microsoft.com/kb/316871
Simply get access to all unauthorized users and block only specific folder.
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
I have a WCF service project where I've implemented custom basic authentication by following the guidelines here, and all is working great! However, I can't find if there is a way to deny unauthenticated users access to only specific endpoints.
In my project, I have about 5 endpoints and only want users to be authenticated against a couple of them. The others, I want to allow anonymous access to.
My web.config (snippet) is as such:
<system.web>
<customErrors mode="Off"/>
<authentication mode="None"/>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
</assemblies>
</compilation>
<httpModules>
<add name="CustomBasicAuthentication" type="WebServices.Auth.CustomBasicAuthenticationModule, WebServices"/>
</httpModules>
<authorization>
<deny users="?"/>
</authorization>
<membership defaultProvider="defaultProvider">
<providers>
<add name="defaultProvider" type="WebServices.Auth.WSMembershipProvider, WebServices"/>
</providers>
</membership>
</system.web>
The endpoints are fairly plain as such:
<service name="WebServices.Distance" behaviorConfiguration="defaultBehavior">
<endpoint address="" binding="webHttpBinding" bindingConfiguration="defaultBinding" contract="WebServices.IDistance" behaviorConfiguration="rest" />
</service>
.... more endpoints below here ....
So instead of hitting all endpoints, can I say to deny unauthenticated users for endpoint #1 (or by name, or whatever).
I hope this makes some sense. If not, feel free to snark. :)
Okay, easy solution.
Remove the section and put the following immediately below the section.
<location path="Secure">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Then just create a folder called "Secure" and put the desired services, along with their interfaces, into that folder.
Perhaps I should have done a little more investigating before posting my question here.