I have an Asp.Net MVC site that uses forms authentication and has no 'public' access. Unauthenticated requests redirect to my Login controller. In the View I am referencing css and js files via Bundles. However, when deployed, the requests to these bundles all redirect to the login page with a RedirectUrl parameter. Make sense?
So, how can I get specific bundles to be accessible without authentication being required?
As a poor workaround I know that I can just reference the individual files placed in a public folder - but this circumvents all the minimising benefits.
Thanks.
There are a couple of things you need to do.
First, change the name of the scripts and styles you want to render to be something that doesn't conflict with a folder in your application. So if you have ~/Content/styles folder, name your style bundle something like ~/Content/styles/css.
The /css at the end of the bundle name is to prevent the request from being treated like a script.
Second, you need to add authorization for the Content or whatever you call your bundle path as referenced in your web.config
<location path="Content"> <!--or whatever you call your bundle path instead of Content-->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
This will prevent the forms authentication redirect and serve up your content.
you should be putting these bundles on the Master view page
on the master page you should have something like this:
#RenderSection("scripts", required: false)
in your view just add your scripts like this:
#section Scripts{
//put all your scripts here
}
you can define a section for stuff you need in the header and do the same for the css.
If this doesn't work you may need to make sure that your bundle names don't conflict with the names of actual paths in your sites, or else the mvc engine will handle the requests rather than serving up your files.
worst case you have to enable anonymous access to your directories in web.config
<configuration>
<location path="content">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="scripts">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>
Related
I have an mvc 4 application, where I have to define multiple login pages, one for each role type user.
Is there any way to do this? trying to configure multiple login pages inside the location tag in web. config gives me errors.
thanks,
luca
One way is just to create different login controllers for each role type. To make it possible for people to access two different login pages while they are not logged in, you can open up those locations in web.config:
<location path="Employee/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Customer/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You say that when people get logged out they can be redirected to the home page. To do this, in the forms authentication portion of web.config, set loginUrl to your home page.
If your login logic is mostly the same, but you want to present a different view, you could reuse the same controller, but have a route value that specifies which mode you're in and switch between Views depending on which value is provided.
I'm trying to restrict access to this URL using the location element code defined in my Web.config, but it doesn't seem to redirect the user when entering the URL directly in the address bar.
<location path="~/management/account">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
Is this possible to achieve in Web.config? Or do I just use the Authorize + roles access definition attribute above the relevant function, for this particular scenario?
I've seen the location element used to restrict access to folders and specific pages, but have not come across one with URL routing?
you can't use the authorization and/or location elements in an MVC app. To get authorization support in an MVC app apply the [Authorize] attribute on the controller level (then all actions requires authorization) or on the action level
I've a asp.net mvc 3 site and i publish it in iis 7.5 (framework 4.0), and the problem is that the css and the scripts don't work util the user log in the website. So:
The website was created like virtual directory and converted into a application.
The mode is forms authentication.
I enable in the iis the forms and anonymous authentication.
The web config has:
<location path="Content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Scripts" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<globalization culture="pt-BR" uiCulture="pt-BR" />
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
Obs: the dlls that i add in bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.
I tried to change the path in the localtion as "~/Content", but i got the same result.
I tried to put the tag allow in the autorization tag as:
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
But i got the same result.
What am i missing?
I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.
I've had this problem too and it's not the asp.net authorization that is the problem it's the rights to the files in the filesystem.
You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account but I guess this wouldn't be good idea security wise if you host it in public. You can set this under advanced settings -> Physical Path Credentials for the website.
Try to allow content path, where your scripts and css files are stored:
<configuration>
<location path="content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
I see that you figured it out and you are happy with your answer.
I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.
e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I agree with Mikael that it could be file access rights; try to give permissions to Everyone account, and if it cures your problem - find out which account IIS use for Application Pool which you use and give permissions to it.
Also, if it doesn't work, try to put web.config files inside folders Scripts and Content, with authorization attributes only.
And also there is a little possibility that you overtuned your Routing in some way, and it intercepts real file requests.
IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.
You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.
To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.
<location path="Content" allowOverride="true">
<!-- Authorize all users -->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- Authenticate anonymous users -->
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
I have some sensitive files that I want the web server to be able to use, but I do not want them to be accessible from a web browser.
I am having a really hard time finding any documentation that describes which folders in ASP.Net are hosted publicity and which are private. For instance I know the Content and Scripts directory are public, but I see no configuration or options that show granting access to those paths.
What folders are web accessible? And where would it be safe to put these sensitive files?
Thanks for the help!
have some sensitive files that I want the web server to be able to
use, but I do not want them to be accessible from a web browser.
~/App_Data is for you. Here's a list of the different ASP.NET special folders.
I'm not sure about which special folders are locked down (other than App_Data & bin), but you can block any folder from being web accessible by adding an <authorization/> section to a <location/> section to your web.config:
<!-- Block access to Admin directory -->
<location path="Admin">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Alternatively, you can add a web.config directly to the directory you want to block, containing the following:
<?xml version="1.0"?>
<!-- This web.config blocks access to any directory it is put in,
and its subdirectories -->
<configuration>
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</configuration>
These approaches are functionally identical, it just depends on your preference. Personally, I think having the web.config file in the directory you're blocking access to is a little less confusing.
Got some problem with settings up the Authorization.
First i got :
<authorization>
<deny users="?" />
</authorization>
So i deny all unknown users and then allow them to view those pages:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Public">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now to the problem .. they can access the Public pages and Default.aspx .. but not www.mydomain.com or www.mydomain.com/ .. so www.mydmain.com/Default.aspx works fine.
So how to make those work ?
Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.
In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.
In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.