Trivial question:
Noticed the following error whilst trawling the logs:
Authorization rule names cannot contain the '*' character
I have the code:
[Code]....
Does that mean I don't need to make and authorisation rules - I had used:
[Code]....
Now - is that completely redundant? Also, is * wrong syntactically?
I'm using a Custom Role Provider for authorization.
There are 2 roles: "VIEWER" and "SYSTEM_ADMINISTRATOR".
I have set up my role for my account as "VIEWER".
Roles.GetRolesForUser(this.User.Identity.Name) returns "VIEWER"
User.IsInRole("SYSTEM_ADMINISTRATOR") returns false
Web.Config contains below:
<location path="Administration">
<system.web>
<authorization>
<allow roles="SYSTEM_ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
However, I can still access the ~/Administration pages.
Even if I change the web.config to:
<location>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I can still access any of the pages, but I shouldn't be able to access any page when this is set. Correct?
I'm pretty sure my Role Manager is working fine (see above calls to User and Roles), but here's the config:
<roleManager enabled="true" defaultProvider="MyRoleProvider" >
<providers>
<clear/>
<add type="MyNamespace.MyRoleProvider" name="MyRoleProvider"/>
</providers>
</roleManager>
I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.
look at the attached web.config? The last part doesn't seem to work although the path is correct. I've tried logging on the site with a use which is in no groups, but it can still access the page...
[Code]....
I don't have any sub catalogs for the .aspx files and this is my web.config file:
[Code]....
It's as if the Login.aspx won't grab the Site.Master if I add this authorization.
I get directed to the Login.aspx if I try to enter any other page, but without seeing the master page.
Is this enough info to solve this or do you need to know how the other pages looks like?
In my web.config file, I have an authorization section that is supposed to deny all users EXCEPT for those included in the group specified. However, my login form doesn't allow these users to proceed to the next page - the login form just reappears as if the user has been denied. Code:
[Code]....
I have a user named 'test' that is in the Student Council group. I've tried 'allow users' and 'allow roles' with no success. I've also confirmed that the user is able to log into any workstation in my domain.
which is the best method to create own customized login page?
i m not interested to use inbuilt controls, thts why m want to make own sign up pages and login page
I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
When a user attempts to directly visit the url admin.aspx, and they are not an admin, they are redirected to the login page. However, the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.
Here's my Forms Authentication:
<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />
</authentication>
[Code]....
the page on submit will try to check the credentials on database instead of my web.config like i need. How to achieve that.
I am "DomainMyDomainUserName" If I do this:
[Code]....
I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:
[Code]....
I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:
[Code]....
I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:
[Code]....
I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.
What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).
I am writing two ASP.NET apps. One is a web service that provides xml data and the other is a web client that will use the service to display and manipulate data. I would like for the web service to do the membership authentication and authorization. Is there any way to simply point the login controls in my client application to the web service instead of to a database. I assume I would have to provide the necesarry methods in my web service interface, which would then use the membership provider database I created and pass the results back through to the client.
Is this possible? I have seen many articles on security provisioin from a web service but none has really been what I am looking for. I was hoping that, since my service and my client are both written in ASP.NET, there might be some built functionality that would benefit me.
I have been searching internet in order to secure my connection string in the web.config file and setting the Login controls connection strings in runtime
TEverything about encrypting connection strings works fine on local machine. I can do it programmatically and on aspnet_regiis.exe
My questions are How can I set the connection string to any login control in runtime? How can I encrypt my connection string on my shared hosting ?How can I use aspnet.regiis.exe to encrypt my config file on shared hosting ? How to define the commands ?If I can find a solution to my 1st question, 2nd doesnt matter anymore.
i want a simpe login systemm using webconfig file and one login.aspx page.
View 3 RepliesI have a few pages that need to use SSL and I am confused bc I read you should set the forms authentication section in the web.config to use SSL. so if this is the case, the user logs in (login page is using ssl) the forms auth cookie is created and now if i redirect to the non ssl enable home page, does this mean the auth cookie will not be transmitted, so i can't display like a welcome module or know the username of the user who logged in?
View 6 Repliesi have a problem with forms authentication. i have a website and want to restrict access to an especific folder. i want the access to this folder be made via the login form this is what i have in the web.config
<authentication mode="Forms">
<forms name="Compra" loginUrl="wfLogin.aspx" path="/" protection="All" timeout="30" />
</authentication>
<authorization>
<allow users="*"/>
</authorization>
Then this to restrict folder
<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
the problem is that when the user login with valid information the website return to the login form.
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests herehttp://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can some one put in simple terms what the advantages of claims based authorization are.
View 1 RepliesI have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
Why will it not work in IIS? And how to solve it?
[code]....
In my ASP.Net application I'm using URL routing.
The url format is somewhat like: [URL] To allow users to visit the login and recovery page, I've added the following entries to my web.config:
[code]....
Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard? I want the login and recovery page etc. to be available regardless of the culture.
I have the following authorization rules in my web.config:
[code]....
Except for the path attribute these two rules are the same. Is there a way to combine these two rules into one like path = Register.aspx, ForgotCredentials.aspx.
Is it possible to use multiple authorization elements in a single web.config to allow additional users access to one file?
E.g., I would like to allow User1 access to the whole application (including Page1.aspx), and User2 access to only Page1.aspx:
[code]....
I have two folders in my asp.net website namely VENDORS and ADMIN
i want when any user access any of the page inside the ADMIN folder it redirects to Admin/login.aspx until they login ....
i want when any user access any of the page inside the VENDORS folder it redirects to Vendors/login.aspx until they login ....
How to do that using web.config authorization ....
I read on a post that you can use ASP.Net authorization in the web config to control access to a WCF web service to replace the following attribute:
[PrincipalPermission(SecurityAction.Demand, Role="Administrators")]
To test I have been using "Administrators" which is a valid role so should allow me access and "TEST" which isnt. This works fine when using the above attribute however when I comment that out and use this in my Web.Config file:
<authentication mode="Windows" />
<authorization>
<allow roles=".TEST"/>
<deny roles="*"/>
</authorization>
It still allows me access.
So I was wondering if I have just got something wrong in the web.config or whether what I read was wrong saying to use that.
Just for reference this is the post I looked at:
Using Windows Role authentication in the App.config with WCF
and the following is my web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<authorization>
<allow roles=".TEST"/>
<deny users="*"/>
</authorization>
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="WcfService1.ServiceBehaviour1" name="WcfService1.Service1">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding"
name="BasicHttpEndpoint" contract="WcfService1.IService1">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WcfService1.ServiceBehaviour1">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>
How i create a exception in location to allow access to page GanttViewer.aspx with other rol and others pages only with Admin rol
<location path="Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
Is it possible to have location authorization nodes in a web.config be external?
Such that I could take all of the nodes simlar to
[code]....
And move them outside of the web.config or something simlar? I find these nodes at an extreme amount of noise to a web.config when they're relatively static. Normally my approach would be to config source something like this but since it falls under the root node I'm not sure of it's possible with these nodes.
Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:
<authorization>
<allow roles="Global, Region" />
<deny users="*" />
</authorization>
I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:
<authorization>
<allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
<deny users="*" />
</authorization>
I realize I probably should have a new role for this scenario, but I'd like to avoid that.