Security :: URL Routing Doesn't Work For Files In Admin Folder
Jun 24, 2010
I am using URL routing in asp.net application (not MVC) . I have Admin folder in my aaplication which has admin related aspx pages with seperate web.config. I have seperate login form for admin users which is placed in admin folder itself. My issue is whenever I hit [URL] (which I want to go to login form for admin)- it tries to authenticate and goes to login url mentioned in web.config of root folder.
Note: Admin folder has anonymous access in root config file. Also I have set default document in config of Admin folder. I have added following line in global.asax so that routing doesnt work for files in admin folder;
routes.Add(new
Route("admin/{*resource}",
new
StopRoutingHandler()));
I am really confused what is the issue? What I am missing?
I'm using routing from System.Web.Routing without MVC in a standard ASP.Net Web Application Project application. This is mostly done to get neater urls in the portal we are developing (instead of ~/default.aspx?contentid=123 we have ~/{contentsubject}. The portal is not authorized and all info is in the url so in a caching scenario we can cache complete pages.
When I tried to enable output caching I noticed that no caching was done. It seems that the outputcache page directive is completely ignored. Is this true or am I missing something? Can this be fixed?
I made a small test app (I uploaded it to [URL] that just contains a page, Webform1.aspx, that uses a master page and a user control. All three output the current date and time.
When I request http//localhost/OutputcacheTest/Webform1.aspx the 10 second caching works as expected, i.e. the shown time only updates every 10 seconds.
The app also defines a wildcard route that catches all requests and returns the same Webform1.aspx as a handler. So when requesting http//localhost/OutputcacheTest/myroute the same page is executed but now the caching doesn't work, i.e. the current time is shown on every request.
Note: When using the built-in development web server both scenarios work, only IIS seems to have this problem.
Does anyone have a a solution or work around for how to enable output caching in this scenario?
I am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that its trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
<?xml version="1.0"?> <!-- Note: As an alternative to hand editing this file you can use the web admin tool to configure settings for your application. Use the Website->Asp.Net Configuration option in Visual Studio. A full list of settings and comments can be found in machine.config.comments usually located in WindowsMicrosoft.NetFrameworkv2.xConfig
I have an Admin folder which contains 4-5 aspx pages. I want to that only user with role="admin" can view those files. What settings i need in web.config?
I have a folder with png images that are not shared or public (the folder is outside my application folder). Now I want my users to be able to view thoose images only if they are logged in (different users, different images). All images have a name that correspond to the users id. My idea is to stream thoose images into the asp:Image control, is that possible? How do I do that? Other (better) solutions?
Following the first site, it had worked but when I´ve moved the pages and files to other folders and set the web.config file on this folder, now it won´t work at all!!!
The file is an *.swf object. I did put the asapi.dll to map the extension on the website root, I´ve put the
[Code]....
on the web.config new folder and on the web.config website´s root.
It won´t work!!! I can access the file directly!!! on the web.config of the folder that contains the file, there is a <deny users="*" /> line.
This is my third site that I use role management, but the first time this happens. I have two roles: Member and Admin. If Admin user login, Admin node on sitemap shows. It works very well on my local machine in Visual Studio Express 2008 and in Visual Studio Team 2008. But once I deploy files to live site, even admin login, the Admin node doesn't show. I have a Member management page from which I may see member's role, and I can see that user name is in the role Admin. What could be wrong?
I used ASP.Net Configuration manager to create roles, users, and access roles. Here is the code:
In my web.config I have configured a SiteMapProvider with securityTrimmingEnabled="true" and on my main master page is an asp:Menu control bound to an asp:SiteMapDataSource. In addition I have configured restricted access to all pages in a subfolder "Admin" (using another web.config in this subfolder).
... it seems that security trimming does not work: The menu item is visible for all users. (Access to the page is still restricted though, so selecting the menu item by non-Admin users does not navigate to the restricted page.)
Question: Is there any setting I've missed so far to make security trimming working with URL routing in ASP.NET 4.0 Web Forms? Did I do something wrong? Is there any work-around?
My problem is that the intellisense is not enabled within the App_Code folder, so to twick this problem I initially create a separate folder where I develop my classes then I move them to the App_Code but, but I'm convinced that this is not the right practice so how to configure visual studio 2008 to enable intellisense at the App_Code folder
I am trying to write an asp.net webpage which contains an applet. Everything works fine when I run this in a development folder, but when I move it to the IIS web server public folder it doesn't work anymore. I don't get any error message. The browser doesn't repaint the applet area Here is the source code:
//web page <script src="http://www.java.com/js/deployJava.js"></script> <script> var attributes = { code:'ImageApplet.class', archive:'ImageApplet.jar', width:864, height:1000} ; var parameters = {jnlp_href: 'image-applet.jnlp'} ; deployJava.runApplet(attributes, parameters, '1.4'); </script> //applet public void init() { buildUI(); } public void buildUI() { JButton jumbleButton = new JButton("Jumble"); jumbleButton.addActionListener(new ActionListener() { public void actionPerformed(ActionEvent e) { }; }); add("South", jumbleButton); }
In my website I have a page to upload files. It works fine when I run the website on my local machine and also in visual studio in the server. But, I cannot upload files when I access the website through the browser. I have given all the pemissions I know to the upload folder like - ASPNET, Network Service and IUSR. I am using IIS 6. It is a dedicated hosting. I can access all the pages, but only the upload does not upload files to the folder and it goes to the error page (but I don't know what is the error).
I have a problem. I can't get current logged user to my application. Everything is fine on localhost. When I deployed an application
on IIS, it stopped working. I have Windows Authentication Enabled on my IIS. For every account which uses intranet, logged user is the same now, and it's an administration account.
Why application doesn't get real logged user, but administrator account ?
How can i decide wich images can be viewed and witch cannot?
Is it possible to keep all the files in one folder but programaticaly decide wich ones can be seen?
I dont want the user to be able to navigate and browse the folder with all the images, but i want some images from the folder to be viewable for anonymous users.
I am building an ASP.NET 3.5 Web Application and I am NOT using the membership provider for security. In the application I have a role named Admin and all the files for this role are inside the Security folder in the project. Currently for all the pages inside the security folder I am checking to see if the logged in user's role is an Admin or not. This to me seems very redundant, can do something like "If the user is requesting a page inside the security folder then check his role".
I have created a login page using the login control provided by the visual web developer and set up all the accounts and roles using the web admin tool. Everything works fine if I run the page within the developer but when I host it on IIS, The login does not work. It shows the invalid password message from the login control.
I have a folder with username and password over it.I wanna make a page where i can access files under that folders in .net and be able to download them.How to code that in VB.net?
My restricted files are all stored in ~/Secured folder on the root. Authorized users have no trouble accessing aspx files in that folder. Recently I added a part of an application whose files I wanted to keep separate and created a ~/Secured/HR folder. I am getting a "resource not found" error trying to use any aspx file in HR folder even after user successfully logs in, as if the file does not exist at all. Here is my web.config security settings:
[Code]....
Do I need to configure security for that folder separately?
I have secured some files on my webserver by putting them into the App_Data folder in the root (I do not have the option to secure folders using the ASAPI filter)The user gets access to these files by requesting them through a handler, fx. by requesting ~/Handler.ashx?file=App_Data/MySubFolder/MyFile.jpgNow, I want to make all the content in a specific folder called "Members" (a single subdirectory of the App_Data folder) available only by passing a specific password. That is by requesting ~/Handler.ashx?file=App_Data/MySubFolder/MyFile.jpg&password=xxxxIn my Handler.ashx I have written some logic seeking if InStr(context.Request.QueryString("file"), "Members") = 0 before sending the file.If inStr <> 0 a password is required.Is this a good way to secure a folder in and its content? Is there a way of getting access anyway, like using some kind of "sub-directory" line in the path (the same way as you can request parent directory by using "../../Myfile.jpg)? I know there will be a problem if someone fx. legitimately tries to access the file App_Data/Members.jpg
I have a custom role provider and I'm trying to get the IsUserInRole() method to get called when a user of a certain role tries to access a restricted page. However, the method is never called.
[code]...
When the user goes to a restricted page, I'd like the custom role provider to check the user's role and deny/grant access.