Securing files in an MVC3 environment - asp.net-mvc-3

So I have an MVC3 application that is using FormsAuthentication. When a user logs in, it creates the ticket and directs them to their dashboard.
On the controllers, I am using the [Authorize] attribute to make sure that the actions are executed by authorized personnel only.
However, there is a part of the site where a user is allowed to upload files. When the files get uploaded, the file gets renamed to a random string with the correct extension (a GUID without dashes).
How do I restrict unauthenticated and unauthorized users from this directory and from viewing these files, based on the FormsAuthentication that I am using in the MVC3 environment?

Create a Web.Config file with the following entries inside the folder which has the files.
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
This will prevent direct access to files in the folder for all users. Provide a UI to access the files. There you can check which files a user can access and prevent access to all files.
If you want to give direct access to the folder for a particular set of authorized users, then you need to add them to a role and give permission for that role.
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
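The "UI to access the files" the answer recommends is the part that actually enforces per-user access, so here is an added example of such a download action (this is not code from the question or the answer). It assumes the uploads are stored under ~/App_Data/Uploads (ASP.NET never serves App_Data directly, so no folder-level Web.Config is needed for that location), that stored names are exactly 32 hex characters plus an extension as the question describes, that a hypothetical IUploadRepository maps a stored name to the owning user name, and that an MVC DependencyResolver supplies that repository to the controller.

```csharp
// Added example, not from the original Q&A. Serves uploaded files through an
// [Authorize]-protected MVC3 action instead of exposing the upload folder.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web.Mvc;

// Hypothetical: the app's own record of who uploaded which stored file name.
public interface IUploadRepository
{
    // Returns the owner's user name, or null when the stored name is unknown.
    string GetOwner(string storedFileName);
}

[Authorize] // FormsAuthentication ticket required; anonymous users get the login redirect
public class FilesController : Controller
{
    // Accept only "<32 hex chars>.<short alphanumeric extension>", exactly the naming scheme
    // from the question. Anything else (dots, slashes, "..", NUL) is rejected before any disk I/O.
    private static readonly Regex StoredName =
        new Regex(@"^[0-9a-fA-F]{32}\.[A-Za-z0-9]{1,8}$", RegexOptions.Compiled);

    private readonly IUploadRepository _uploads;

    // Assumes a DependencyResolver is configured; otherwise supply a parameterless ctor.
    public FilesController(IUploadRepository uploads)
    {
        _uploads = uploads;
    }

    // GET /Files/Download/{id}
    public ActionResult Download(string id)
    {
        if (string.IsNullOrEmpty(id) || !StoredName.IsMatch(id))
            return new HttpStatusCodeResult(400);

        // Authorization beyond "is logged in": the caller must own the file or be an Admin.
        string owner = _uploads.GetOwner(id);
        if (owner == null)
            return HttpNotFound();
        if (!string.Equals(owner, User.Identity.Name, StringComparison.OrdinalIgnoreCase)
            && !User.IsInRole("Admin"))
            return new HttpStatusCodeResult(403);

        // Resolve the path and re-check it stays inside the upload root (defence in depth;
        // the regex already forbids traversal, but the check costs nothing).
        string root = Server.MapPath("~/App_Data/Uploads");
        string fullPath = Path.GetFullPath(Path.Combine(root, id));
        if (!fullPath.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(400);
        if (!System.IO.File.Exists(fullPath))
            return HttpNotFound();

        // Passing a download name makes the response Content-Disposition: attachment, so
        // user-supplied HTML/SVG is not rendered in this site's origin. The MIME type comes
        // from a fixed allow-list keyed on the extension, never from the client.
        return File(fullPath, MimeTypeFor(Path.GetExtension(id)), id);
    }

    private static string MimeTypeFor(string extension)
    {
        switch (extension.ToLowerInvariant())
        {
            case ".pdf": return "application/pdf";
            case ".png": return "image/png";
            case ".jpg":
            case ".jpeg": return "image/jpeg";
            default: return "application/octet-stream";
        }
    }
}
```

One caveat worth checking in deployment: the <authorization> element under <system.web> is enforced by ASP.NET's UrlAuthorizationModule, which on IIS 7 integrated mode only runs for static files when runAllManagedModulesForAllRequests="true" is set (or the module's managedHandler precondition is removed). If the upload folder sits inside the web root rather than App_Data, verify with an unauthenticated browser that a direct request for a known file name really returns the login redirect and not the file.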

Related

Unable to access using windows authentication on Telerik Sitefinity 4.1

I have to enable SSO authentication on a Sitefinity application that was previously using Forms Authentication with a custom provider.
I've enabled it in the web.config
<authentication mode="Windows">
  <!--<forms slidingExpiration="true" name="xxx.ASPXAUTH" cookieless="UseCookies" requireSSL="false" ticketCompatibilityMode="Framework20" timeout="180" />-->
</authentication>
<authorization>
  <deny users="*" />
</authorization>
And when I try to access a page, the domain popup appears. I insert my credentials but I get the domain popup again.
I've cross-checked everything and everything seems OK... what can be the reason I can't log on, and it falls back as if I've entered a wrong password?

Using ASP.NET Identity 2.0 in web forms project

I'm upgrading user management pages of my old web forms project to use new Identity 2.0. This means introducing MVC pages within web forms solution but so far it does not seem to be a big issue. Most of the functionality works fine except when I'm trying to add external auth provider (Google, FCBK) to already signed in user. I'm working off Identity 2.0 sample app and my problem happens in equivalent of /manage/linklogin action within Identity 2.0 sample app.
In here, external auth provider (let's say Google) should be challenged by setting HTTP 401 into current response, resulting in a browser redirect:
Location: https://www.google.com/accounts/o8/ud?openid.ns=[edited out...]
However, what happens to me is that I only get redirected to a local login page:
Location: /Account/Login?ReturnUrl=%2fManageAccount%2fLinkLogin
Please note that the very same code is called when I try to register (i.e. user is not logged in, not authenticated) using Google account - so it is not an issue that I'd have app.UseGoogleAuthentication() set wrongly in Startup.Auth.cs.
I suspect "something" in the response pipeline catches StatusCode 401 set by Microsoft.Owin.Security.AuthenticationManager.Challenge() method before Owin.Security.Google auth middleware kicks in and set the proper redirect location, though I cannot find what that "something" is.
Anyone successfully imported Identity 2.0 into web forms project already?
More info on my issue can be found here: Identity2.0 Codeplex discussion
Please refer to this sample for ASP.NET Web Forms which shows the Identity 2.0 features https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Webforms.Samples/
You should also make sure the order of registering the middlewares is correct. For example, Cookies should come before Google.
Yeah, this was a challenge. You are correct in your observation of its behavior. The config info below resolved this issue for me. The very bottom config tag that excludes the callback path caused it to start functioning as expected for me.
<system.webServer>
  <modules>
    <remove name="FormsAuthentication"/>
  </modules>
</system.webServer>
<system.web>
  <authentication mode="None"/>
  <authorization>
    <deny users="?" />
  </authorization>
</system.web>
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<!-- the callback path has to be open to anonymous so that owin can do its redirect magic -->
<location path="signin-google">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

IIS 7+ MVC static content not rendering on login page (for unauthenticated users)

I have a login page that should be available to unauthenticated users. On my local ASP.Net dev server it all works well. However, when deployed on IIS 7, all static content such as pictures and scripts is not downloading. Only when the user logs in for the first time does it return the pictures and scripts. The server returns HTTP 302 for unauthenticated users. I am using forms authentication & the ASP.Net membership provider.
Step 1:
Make sure the appropriate directories ('Content' and 'Scripts' by default for MVC) have been enabled for 'Anonymous Authentication' in web.config (inside <configuration>), e.g.:
<location path="Content">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Scripts">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Step 2:
Check that the 'IUSR' built-in account has read access to these directories. This user is used by default for all anonymous requests.
Note: You can change which account is used for anonymous access by editing applicationHost.config in C:\Windows\System32\inetsrv\config. On 64-bit machines this file can only be edited by 64-bit applications (i.e. not Visual Studio). Notepad works well. Make sure to take backups before you edit. You are looking for the following line:
<anonymousAuthentication enabled="true" userName="IUSR" />

apply windows authentication to single folder

In my asp.net web application, is it possible to set up windows authentication on a folder and allow the rest of my site to be accessed without authentication? Can this be set up via the web.config of the application, and if so, how?
Yes, it should be possible. You can try the following:
First, enable Anonymous and Windows Authentication in IIS.
Then add a Windows <authentication> entry to the web.config:
<authentication mode="Windows" />
<authorization>
  <allow users="*" />
</authorization>
Finally, add a <location> config entry for the folder you would like to secure, denying anonymous users:
<location path="pathToSubFolder">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

How to provide access to ELMAH.axd only for Administrator login in web

I have created an application and implemented ELMAH logging. In my site there are three types of users.
Admin : can do everything (rights to view elmah.axd)
User : has their own rights (can't view elmah.axd)
Guest : view only (can't view elmah.axd)
The above users will be stored in the Database.
Problem:
Now how could I manage the protection level for User and Guest to view the ELMAH.axd log file?
If you're using Roles you can add this to your web.config:
<location path="~/elmah.axd">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
If you're not using roles, you will have to specify each user you want to give access to:
<location path="~/elmah.axd">
  <system.web>
    <authorization>
      <allow users="user1, user2, user3" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Update:
As you aren't using any of the built-in authentication/authorisation and you don't have control of the elmah page, you're going to have to handle the BeginRequest() event:
protected void Application_BeginRequest()
{
    if (Request.Url.AbsolutePath.ToLowerInvariant().Contains("elmah.axd"))
    {
        // Check if user can see elmah and handle unauthorised users (return 401/redirect to login page/etc...)
    }
}
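The answer's Update leaves the check itself as a comment, so here is an added, filled-in version of that Global.asax handler (not code from the answer). It assumes a hypothetical CurrentUserRole delegate that reads the application's own database-backed session and returns "Admin", "User", "Guest" or null, and a login page at ~/Login.

```csharp
// Added example, not from the original answer: gate elmah.axd in BeginRequest for an
// application that does not use the built-in ASP.NET authentication/authorization.
using System;
using System.Web;

public class Global : HttpApplication
{
    // Hypothetical hook into the app's own user store; returns null when not signed in.
    public static Func<HttpContextBase, string> CurrentUserRole = ctx => null;

    protected void Application_BeginRequest()
    {
        var ctx = new HttpContextWrapper(Context);

        // Match the handler's execution path exactly instead of Contains(): for
        // "/elmah.axd/stylesheet" this is still "~/elmah.axd" (the rest is PathInfo),
        // while an unrelated "/files/elmah.axd.txt" is not treated as the log page.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!string.Equals(path, "~/elmah.axd", StringComparison.OrdinalIgnoreCase))
            return;

        string role = CurrentUserRole(ctx);
        if (role == null)
        {
            // Not signed in: send to the app's own login page and come back afterwards.
            // endResponse:false + CompleteRequest avoids the ThreadAbortException that
            // Response.Redirect(url, true) raises inside the pipeline.
            string returnUrl = HttpUtility.UrlEncode(ctx.Request.RawUrl);
            ctx.Response.Redirect("~/Login?ReturnUrl=" + returnUrl, false);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        if (!string.Equals(role, "Admin", StringComparison.Ordinal))
        {
            // Signed in as User or Guest: refuse without ever invoking the ELMAH handler.
            ctx.Response.StatusCode = 403;
            ctx.Response.SuppressContent = true;
            ctx.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Because CompleteRequest short-circuits the pipeline before the handler stage, ELMAH never sees the request for non-admins. ELMAH's own <security allowRemoteAccess="..."/> setting is a separate, independent gate; this handler applies whether or not remote access is enabled there.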
