Security :: How To Make MVC View Insecure Via Location Tag In Web.Config

Oct 10, 2010

I have the following authorization settings in my web.config:

[Code]....

This deny's all anonymous access to the application accept the login page. In addition to this I am using authorization within each controller action via a custom authorize attribute.

I have one additional action that I would like to expose publicly in addition to the login page. This action does not have the authorize attribute on it. I have tried to make this view (resetPassword view) public by using the location tag in the web.config file like so:

[Code]....

In the path attribute above I have tried both the view as well as the action path, but it doesnt allow public access to the action.

I have even tried to put this view in a separate folder within the shared folder and put a separate web.config file to make that folder public like so:

[Code]....

None of the above configuration allow me to make this particular action (view) public. Can anyone suggest any other solutions, or what I may be doing wrong in this case?

View 5 Replies


Similar Messages:

Security :: Connection String In Web.config - Insecure?

Jul 16, 2010

My boss does like storing the connection string and credentials in the web.config - even when its encrypted.

He also doesnt want the IIS box and SQL box to both be in the same domain, or have trusted domains.

Is there a more secure method of connecting to SQL? Is there some kind of token login?

View 3 Replies

Security :: Cannot Get Location / System.web / Authorization (web.config) To Work

Aug 4, 2010

look at the attached web.config? The last part doesn't seem to work although the path is correct. I've tried logging on the site with a use which is in no groups, but it can still access the page...

[Code]....

View 5 Replies

VS 2008 Web.config Location Tag?

Mar 1, 2010

My web.config has following settings :


Code:
<authentication mode="Forms">
<forms loginUrl="SignIn.aspx" >
</forms>
[code]....

and different settings for a folder - "user" inside root.
( same config file )

Code:
<location path="User">
<system.web>
<authorization>

[code]....

but when use the statement

Code:

Server.Transfer("~/user/somepage.aspx")
in code behind , the control goes to somepage.aspx instead of SignIn.aspx.

View 5 Replies

Web Config Location Tag Not Working

Sep 23, 2010

We have an application that is making use of the location tag in the web.config file at the machine level - meaning like :WindowsMicrosoft.NETFrameworkv2.0...CONFIGweb.config, the one that applies to the whole server - this application has lots of virtual directories under it and for each one there is a <location path="IIS Web App NameCustomerA">...This seems to work ok for that app. But then we have a second app on the same server, and I'd like to add location tags to that app's web.config file - meaning the local web.config file in the app's directory - and have each one of them specify a location tag in a similar way

View 1 Replies

Configuration :: Using Location Path In Web.Config?

Jul 8, 2010

I wanted to impose specific timeout interval and request length on some specific pages that uploads documents of size up to 50MB. Hence I did the following config changes after going through some sites.

<location path="Upload.aspx" >
<httpRuntime maxRequestLength="51200"/>
<httpRuntime executionTimeout="36000"/>
</location>

I keep getting error when I run the application. I tried various other ways like giving the complete path like <sitename>/<applicationname>/<v.folder name>/<filename>.I tried this on both IIS 6.0 and IIS 7.0.

View 8 Replies

Web.config - Wildcards In Location And Authorization?

Dec 7, 2010

In my ASP.Net application I'm using URL routing.

The url format is somewhat like: [URL] To allow users to visit the login and recovery page, I've added the following entries to my web.config:

[code]....

Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard? I want the login and recovery page etc. to be available regardless of the culture.

View 3 Replies

Conflict Location And ConfigSections In Web.config

Jun 10, 2010

When I add this in my web.config

[Code]....

View 1 Replies

Protecting The (location) Element On Web Config?

Oct 26, 2011

Now since i'm securing the site i've noticed that the location element does not get much attention.The only thing i have found is that you can use <location path="" allowOverride="false"> on machine.config .I'm not sure how this goes but if you need to use this one every page then i will have multiple problems.First if i have a page with the same name on another website there is trouble and also if i need to update pages again problem.What i'm not sure of is if the location element on machine.config i just used once and then magically every site you have will throw an exception if a hacker changes you web.config.I have doubts and it's confusing and if i play with the server web.config,well i don't wanna mess with that.

So i also tried to encrypt the location element but i cannot find an example(can you encrypt it?).I can encrypt authorization and authentication but i will not go inside the location element.Just the standard authorization and authentication nodes.How can i secure the web.config location element so no hacker can change the allow,deny,etc.

[URL]

View 8 Replies

C# - How To Get The Value Of The Authorized Users From The Location Path In Web.config

Oct 2, 2010

This is part of my web.config

<location path="Secure">
<system.web>
<authorization>
<allow users="SecureUsers" />
</authorization>
</system.web>
</location>

I want to be able to search for path of Secure and find out the user role that is specified. My input is the path, such as "Secure" and the value I'm trying to retrieve is "SecureUsers".

View 1 Replies

C# - Is It Possible To Have Location Authorization Nodes In A Web.config Be External

Sep 20, 2010

Is it possible to have location authorization nodes in a web.config be external?

Such that I could take all of the nodes simlar to

[code]....

And move them outside of the web.config or something simlar? I find these nodes at an extreme amount of noise to a web.config when they're relatively static. Normally my approach would be to config source something like this but since it falls under the root node I'm not sure of it's possible with these nodes.

View 1 Replies

Web.config Location Tag - Want All The Pages Password Protected

Mar 21, 2011

I'm looking to deploy a web app and I have a simple question about the <location> tag of the web.config file. For the moment, I want all the pages to be password protected and I've created a simple login page with the login object. I've put all my .aspx file in a directory called AppMyPages and I've put this in the config file:

<location path="AppMyPages">
<system.web>
<authorization>
<allow roles="tester" />
[code]...

View 1 Replies

MachineKey Config Section Default Location?

Sep 21, 2010

Where do I find the machineKey config section for ASP.NET?

I don't have one in my application Web.config, there isn't one in the root Web.config and there isn't one in my machine.config.

Does this mean there is some other default hardcoded into ASP.NET? If so, what are the defaults? (For .NET 2 and 4)

Having read this: [URL]

i was expecting to find something like this, somewhere:

<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
/>

Edit: the 1.1 docs seem fairly clear wrt default values: [URL] but the 4 docs are rather ambiguous [URL]

View 1 Replies

Specify More Than One Directory In Web.Config's Location Path Element?

Jan 5, 2011

In my ASP.NET's Web Config file I have the following location elements defined:

<location path="">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="dir1">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="dir2">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

The example above is specifying that all directories will be locked down to anonymous users except the two directories dir1 and dir2. I'm curious if there is a syntax that I can use that will allow me to define more than one directory within one location element. For example, it would be convenient if we could do something like this...

<location path="dir1,dir2,etc">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

View 1 Replies

Multiple Paths In Location Element Of Web.config?

Dec 20, 2010

How to specify multiple paths in one location element in web.config:, a

<location path="Images">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>

We would like to add styles and images to location, e.g. location path="images, styles". Is it possible to put multiple paths in location element (and how)?

View 2 Replies

Web Forms :: Setting Theme In Web.Config Location And Intellisense?

Mar 9, 2010

I have my theme for each folder set in the web.config, but on design I have no access to the css or skins for that page unless I add them in the page directive, then upon rendering in html, the page shows 2 references to the same css file.

So for design purpose do I have to reference the file, then delete the references after I finish designing the page? why does the editor not recognize the web.config and reference the proper theme?

View 3 Replies

Web.config Location Tag Stops Working When Deployed To Server?

Mar 25, 2011

When running the ASP.NET Development Server, everything is working fine. However, when I deploy my asp.net application to the production server (IIS 7.0 integrated mode, fresh install), my location tags in my web.config file are being ignored.

Case in point: I'm using forms authentication, and when the user arrives at my login.aspx page, the external css & js files are not being loaded...even though I have specified that those files should be available to all users (auth'd or not). However, once the user is logged in, the files do in fact load.

<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
<authorization>
<deny users="?" /> <!-- Restrict anonymouse user access -->
</authorization>

And the exception to my css file...

<location path="Styles/xtools.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

I've verified that the path to the css file is accurate.

--EDIT Forgot to mention, I have tried creating a web.config file in the targetted folder as well...still not working.

View 1 Replies

Configuration :: Programmatically Update Authorization In Specific Location In Web.config?

Nov 4, 2010

My web.config file has several authorization. May i know how can i update the roles value in to allow 'Staff' to access Page1.aspx programmatically.

[code]....

View 5 Replies

Specifying Relative File Location In Web.config For Use By Standard C# Class Library?

Jan 6, 2011

I'm struggling to find a way of specifying a file location in web.config appSettings that avoids using hard-coded paths but allows a non-'web aware' C# library to find a file. The C# library uses standard File.Open, File.Exists methods, etc. to operate on a data file, which is stored in my web application (ASP.NET MVC) tree, e.g. under:

contentdataMyDataFile.txt

Requirements:

I want to be able to specify my path like, e.g.:

<appSettings>
this--> <add key="MyFileLocation" value="~contentdataMyDataFile.txt" />
not --> <add key="MyFileLocation" value="c:inetpubwwwrootfoocontentdataMyDataFile.txt" />
</appSettings>

I don't want the C# library to be aware of the web application it's being used in, as it is used in other software, and the web application has no need to know about the configuration of the C# library.

View 3 Replies

Regular Expression On Web.config Location Path Attribute (with Parameters)?

Jun 30, 2010

Is there any way of doing something like this?

<location path="/(view|edit)post.aspx?id=[7-9][0-9]+">
<system.web>
<authorization>
<allow roles="AdminPublishers"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Authorization is just an example. I would like to be able to do other things with those locations.

View 1 Replies

Configuration :: Setting Authorization For Images Folder Using Location Tag In Web.config Is Not Working?

Oct 28, 2010

I implemented the Location tag in the web.config file to authorize the anonymous users for Images folder. I deployed the code in IIS6.0 with Forms authentication mode enabled for the virtual directory. I disabled all other authentication modes. When I browse the login page, Images are not displaying. When I set Anonymous authentication in IIS6.0 for the Image folder, it works fine.

See below the code implemented in web.config:

[Code]....

View 2 Replies

User Controls :: Programmatically Add Update Dynamic Roles In Location Tag Of Web Config

May 7, 2015

I want to add a new rule in my web.config file programmatically,

ex: I have a textbox to add location path I have a combobox (with items admin and user) to add roles. ex: user input location path = textbox roles = combobox (items admin and user) the save button, when click the save button the results go to the web config :

<location path="Report/ManageReport.aspx">
<system.web>
<authorization>
<allow roles="ADMIN" />
<deny users="*" />
</authorization>
</system.web>
</location>

So far my code as below: but I was confused to apply its

protected void AddRoleRule(string location, string selectedrole)
{
Configuration config = WebConfigurationManager.OpenWebConfiguration(Server.MapPath("~/Web.config"));
XmlDocument xDoc = new XmlDocument();
xDoc.Load(config.FilePath);
//if the rule exists update the rule

[Code] .....

View 1 Replies

Data Controls :: How To Delete Location Tag (Node) Programmatically In Web Config File Using C#

May 7, 2015

I want to delete location path using parameter textbox .. example : I enter name of location path in the texbox when i click button delete then location path in web config will be remove..

<location path="page1">
<system.web>
<authorization>
<allow users="ADMIN" />
<deny users="*" />
</authorization>
</system.web>
</location>

View 1 Replies

Data Controls :: How To Delete Location Tag (Node) Programmatically Using Its Path In Web Config File

May 7, 2015

I want to delete location path using parameter textbox and allow user ..

example  :

location path = textbox1
allow user = textbox2

explanation : i enter name of location path in the texbox1 and allow user  in the texbox2,  when i click button delete then location path based on parameter textbox1 and textbox2 in web config will be remove..

this below my web config

<location path="3pm.aspx">
<system.web>
<authorization>
<allow users="testing1,testing2,tunggal ,usertest" />

[Code] ...

So far this is my code for deleting location path using parameter name of path , yet to parameter allow user ..

protected void DeleteLocationPath(object sender, EventArgs e)
{
string path = Server.MapPath("~/Web.Config");
XmlDocument xDoc = new XmlDocument();
xDoc.Load(path);

[Code] .....

View 1 Replies

ASPXAUTH Cookie Is Insecure And Is Displaying Session Data?

Jul 15, 2010

I thought the .ASPXAUTH was for user authentication? Can anyone confirm if this cookie is indeed a security risk and/or contains session information? Is it even suppose to be used or is it some debug thing?

View 1 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved