Problem with Authorization with IIS and MVC - asp.net-mvc

Got some problems with setting up the Authorization.
First I got:
<authorization>
<deny users="?" />
</authorization>
So I deny all unknown users and then allow them to view those pages:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Public">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now to the problem: they can access the Public pages and Default.aspx, but not www.mydomain.com or www.mydomain.com/, while www.mydomain.com/Default.aspx works fine.
So how do I make those work?

Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.
In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.
In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.
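As an added illustration of the answer above (this code is not from the original post), the controller-level layout it describes: everything inherits [Authorize] except the default and Public controllers, so access is tied to the action rather than to a URL path. Controller and action names are assumed.

```csharp
using System.Web.Mvc;

// Added example, not from the original post. Assumes a standard ASP.NET MVC
// project using Forms authentication; controller and action names are illustrative.

// Every controller deriving from this base requires an authenticated user,
// whatever URL the route table maps to it. Compare the web.config approach in
// the question: the root URL "/" is authorized as the path "/", not as
// "Default.aspx", so a <location path="Default.aspx"> rule never covers it.
[Authorize]
public abstract class SecureController : Controller { }

// Open to anonymous users: the landing page that "/" routes to.
public class HomeController : Controller
{
    public ActionResult Index() { return View(); }
}

// Open to anonymous users: the public area from the question.
public class PublicController : Controller
{
    public ActionResult Index() { return View(); }
}

// Everything else inherits the [Authorize] requirement from the base class.
public class AccountController : SecureController
{
    public ActionResult Profile() { return View(); }

    // Action-level override: tighten a single action to a role.
    [Authorize(Roles = "Administrators")]
    public ActionResult Admin() { return View(); }
}
```

With this layout the root `<deny users="?"/>` in web.config is no longer what protects the MVC actions, so an anonymous request to `/` or `/Public` reaches its controller while `/Account/Profile` is still challenged.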

Related

Asp.Net MVC Bundling on Login Page

I have an Asp.Net MVC site that uses forms authentication and has no 'public' access. Unauthenticated requests redirect to my Login controller. In the View I am referencing css and js files via Bundles. However, when deployed, the requests to these bundles all redirect to the login page with a RedirectUrl parameter. Make sense?
So, how can I get specific bundles to be accessible without authentication being required?
As a poor workaround I know that I can just reference the individual files placed in a public folder - but this circumvents all the minimising benefits.
Thanks.
There are a couple of things you need to do.
First, change the name of the scripts and styles you want to render to be something that doesn't conflict with a folder in your application. So if you have a ~/Content/styles folder, name your style bundle something like ~/Content/styles/css.
The /css at the end of the bundle name is to prevent the request from being treated like a script.
Second, you need to add authorization for the Content folder (or whatever you call your bundle path) as referenced in your web.config:
<location path="Content"> <!--or whatever you call your bundle path instead of Content-->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
This will prevent the forms authentication redirect and serve up your content.
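Added example (not from the original answer) of the bundle naming this answer recommends: the virtual paths sit under the Content path that the `<location>` above opens up, and they do not collide with a physical folder, so the request reaches the bundle handler rather than being redirected to the login page. File names are assumed.

```csharp
using System.Web.Optimization;

// Added example, not from the original answer. Assumes the style sheets live under
// ~/Content/styles and the scripts under ~/Scripts, and that web.config contains the
// <location path="Content"> entry allowing all users shown in the answer above.
public static class BundleConfig
{
    public static void RegisterBundles(BundleCollection bundles)
    {
        // ~/Content/styles/css: covered by the <location path="Content"> allow rule,
        // and "css" is not a real folder, so the bundle module handles the request
        // instead of the static-file handler (which would hit the forms-auth redirect).
        bundles.Add(new StyleBundle("~/Content/styles/css").Include(
            "~/Content/styles/site.css",
            "~/Content/styles/login.css"));

        // Script bundle placed under the same opened-up path for the same reason.
        // {version} is the System.Web.Optimization wildcard for versioned file names.
        bundles.Add(new ScriptBundle("~/Content/scripts/js").Include(
            "~/Scripts/jquery-{version}.js",
            "~/Scripts/site.js"));

        // Rendered from the layout as:
        //   @Styles.Render("~/Content/styles/css")
        //   @Scripts.Render("~/Content/scripts/js")
    }
}
```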
You should be putting these bundles on the Master view page.
On the master page you should have something like this:
@RenderSection("scripts", required: false)
In your view just add your scripts like this:
@section Scripts{
//put all your scripts here
}
you can define a section for stuff you need in the header and do the same for the css.
If this doesn't work you may need to make sure that your bundle names don't conflict with the names of actual paths in your sites, or else the mvc engine will handle the requests rather than serving up your files.
Worst case, you have to enable anonymous access to your directories in web.config:
<configuration>
<location path="content">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="scripts">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
</configuration>

multiple login page in asp.net mvc

I have an mvc 4 application, where I have to define multiple login pages, one for each role type user.
Is there any way to do this? Trying to configure multiple login pages inside the location tag in web.config gives me errors.
thanks,
luca
One way is just to create different login controllers for each role type. To make it possible for people to access two different login pages while they are not logged in, you can open up those locations in web.config:
<location path="Employee/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Customer/Login">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
You say that when people get logged out they can be redirected to the home page. To do this, in the forms authentication portion of web.config, set loginUrl to your home page.
If your login logic is mostly the same, but you want to present a different view, you could reuse the same controller, but have a route value that specifies which mode you're in and switch between Views depending on which value is provided.
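Added example (not from the original answer) of the second option above: one controller serving both login pages, with the first URL segment captured as a route value that selects the view. The URLs it produces, /Employee/Login and /Customer/Login, are exactly the ones the `<location>` entries above open up. Route, controller and view names are assumed.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example, not from the original answer. Assumes MVC 4 with Forms
// authentication and the two <location> entries from the answer above, which
// are what lets anonymous users reach these URLs. Names are illustrative.
public class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // /Employee/Login and /Customer/Login both map to AccountController.Login,
        // with the first segment captured as the "mode" route value. The regex
        // constraint keeps arbitrary values out of the view lookup below.
        routes.MapRoute(
            name: "RoleLogin",
            url: "{mode}/Login",
            defaults: new { controller = "Account", action = "Login" },
            constraints: new { mode = "Employee|Customer" });

        routes.MapRoute(
            name: "Default",
            url: "{controller}/{action}/{id}",
            defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}

public class AccountController : Controller
{
    // [AllowAnonymous] only matters if a global AuthorizeAttribute filter is
    // registered; path-based access is still governed by the web.config
    // <location> entries, which match the request path, not the controller.
    [AllowAnonymous]
    public ActionResult Login(string mode)
    {
        // Same login logic for both roles; only the view differs:
        // Views/Account/EmployeeLogin.cshtml or Views/Account/CustomerLogin.cshtml.
        return View(mode + "Login");
    }
}
```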

MVC2 site + Windows Authentication = 401 Not Authorized

We have an MVC2 site that we need to add Windows Authentication to, for the sole purpose of capturing the AD login name -- the site, itself, does not need to be restricted. All pages on it are open to all on our network.
So in our web.config, we have this:
<authentication mode="Windows" />
And several location nodes to open up the various areas of the site to all users:
<location path="default">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path=".">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="sales/index">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
However, when we try to hit sales/index, for example, it prompts for the login, and even a correct login will yield a 401:
Not Authorized
HTTP Error 401. The requested resource requires user authentication.
Some other details:
We don't have any sort of authorization action filters, because as I said, the whole site should remain open to all on our network.
We have IIS (site and app pool) configured identically, best we can tell, to another (MVC3) site where authentication works.
We also have folder permissions configured identically between the two.
The only difference we can think of, at this point, is the broken one is an MVC2 site, and the working one is an MVC3 site.
The broken MVC2 site will prompt for a user, whereas the working MVC3 site does not -- it uses passthrough authentication.
The broken MVC2 site will return the same response for a valid user, both with a valid password, or with an invalid password.
The broken MVC2 site will continue to prompt for a username/password if an invalid user is entered.

CSS and Scripts don't work until the user logs in to the website - ASP.NET MVC 3 Web Site

I have an ASP.NET MVC 3 site and I publish it in IIS 7.5 (framework 4.0), and the problem is that the CSS and the scripts don't work until the user logs in to the website. So:
The website was created as a virtual directory and converted into an application.
The mode is forms authentication.
I enabled Forms and Anonymous authentication in IIS.
The web config has:
<location path="Content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Scripts" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
<globalization culture="pt-BR" uiCulture="pt-BR" />
</system.web>
</location>
<authorization>
<deny users="?"/>
</authorization>
Note: the DLLs that I added in the bin directory: System.Web.Helpers.dll, System.Web.Mvc.dll, System.Web.Routing.dll, System.Web.WebPages.dll.
I tried to change the path in the location to "~/Content", but I got the same result.
I tried to put the allow tag in the authorization tag as:
<authorization>
<deny users="?"/>
<allow users="*"/>
</authorization>
But I got the same result.
What am I missing?
I figured it out. It was something I missed from my checklist when setting up a new IIS application: Select the application, double-click "Authentication", select "Anonymous Authentication", then Edit, and change it to use the Application Pool Identity. Make sure that user has permissions on the folder that contains the site like the others said.
I've had this problem too, and it's not the ASP.NET authorization that is the problem; it's the rights to the files in the filesystem.
You need to make sure the website runs under an account that has access to the files. For my internal testing I usually make the website run under my account, but I guess this wouldn't be a good idea security-wise if you host it in public. You can set this under Advanced Settings -> Physical Path Credentials for the website.
Try to allow content path, where your scripts and css files are stored:
<configuration>
<location path="content" allowOverride="true">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="admin" />
<deny users="?" />
</authorization>
</system.web>
</configuration>
I see that you figured it out and you are happy with your answer.
I also had this problem, but it was not an app pool authentication issue. Instead, I just allowed all users access to the locations of the css/js files, so at least the login page would render appropriately until the user logged in.
e.g. by putting this web.config file in the root of /site/public (or wherever your necessary css & js files are collected)
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</configuration>
I agree with Mikael that it could be file access rights; try to give permissions to the Everyone account, and if it cures your problem, find out which account IIS uses for the Application Pool you use and give permissions to it.
Also, if it doesn't work, try to put web.config files inside the Scripts and Content folders, with authorization attributes only.
And also there is a little possibility that you overtuned your Routing in some way, and it intercepts real file requests.
IUSR is generally the default impersonation user configured for anonymous authentication. If that is the case, I would make sure that IUSR has read permissions to the folders in question.
You can configure the site to use a different user as well, but I'm not sure that I'd simply switch the site to run as the application pool user. The application pool user often has more permissions than the anonymous user would/should have.
To follow up on the accepted answer, you can add the authentication tags inside the location so that you don't have to manually set this in IIS when deploying on new machines. This only shows one path, but it's easy to copy it for other paths like ~/Scripts, ~/Fonts, or any other static content you want to reference.
<location path="Content" allowOverride="true">
<!-- Authorize all users -->
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<!-- Authenticate anonymous users -->
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>

Trouble getting ASP.NET MVC app to redirect to error page for unauthorized users

I've got the following set up in the web.config of my ASP.NET MVC application:
<authentication mode="Windows" />
<authorization>
<allow roles="MySecurityGroup"/>
<deny users="*"/>
</authorization>
<customErrors mode="On" defaultRedirect="Error.aspx">
<error statusCode="401" redirect="Help.aspx"/>
</customErrors>
Everything works fine if you are in MySecurityGroup, but if you're not, you are not redirected to either Error.aspx or Help.aspx. (Note that Error.aspx lives in Views\Shared while Help.aspx is in Views\Home.) All you get is the default error:
Server Error in '/' Application.
Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
What am I doing wrong?
UPDATE: Now my web.config is set up like this, and it's still not working:
<system.web>
<customErrors mode="On" defaultRedirect="Help.aspx">
</customErrors>
</system.web>
<location path="">
<system.web>
<authorization>
<allow roles="MySecurityGroup"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Help">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Note that I can navigate to MyApp/Help just fine and am correctly banned from the rest of the site, but it never redirects to the Help page automatically.
You have to explicitly give access to other groups to Error.aspx and/or Help.aspx so they can actually get to the pages. The way you have it set up right now, only MySecurityGroup users can get to the pages.
You'll need something like this:
<location path="Error.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
and the same for Help.aspx. Alternatively you can do this at a folder level.
Do you want the error and help pages handled by MVC or ASP.NET? Currently you are treating the pages like MVC views, yet you have redirect URLs that map to the ASP.NET pipeline. At a guess, move Error and Help into the root directory of the site and it should work.