I am trying to add "authorization" elements to web.config, like it used to work in classic asp.net:
global configuration - should limit access "globally":
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
...
"location" based configuration:
<configuration>
<location path="RelativePath" >
<system.web>
<authorization>
<allow roles="AD\some.user" />
<deny users="*" />
</authorization>
</system.web>
</location>
both versions appear to be not working at all for aspnet.core hosted in IIS
What does work is this:
"global":
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\johannes.colmsee" />
</authorization>
</configuration>
"location" based:
<configuration>
<location path="RelativePath" >
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="AD\denis.kopic" />
</authorization>
</security>
</system.webServer>
</location>
This works fine.
Now to my question:
does aspnet core not support the "first version" at all? Or is it something I do wrong?
ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this. If you happened to publish to a different web server, you could discard web.config entirely.
It should be apparent from looking at the contents of the published web.config, that it is extremely bare. Pretty much the only thing that exists is the AspNetCoreHosting module config, which of course is necessary for hosting ASP.NET Core inside IIS.
Now, as for why the second version actually did work, that's because it was placed inside system.webServer, which is directly for configuration of IIS, so IIS is doing the authorization at a very high-level before anything is handed off to your ASP.NET Core app. That may work for your needs, but it's an extremely rough-shod approach, as you'll have to likely end up defining many such sections for different paths, users, and authorization levels, and then keep that in sync with anything you end up changing in the ASP.NET Core app. Because IIS is looking at this as just static paths, if you move or rename anything, you can end up accidentally opening a hole in your security, since IIS will not yet have been configured to authorize that new location.
Long and short, you should remove all this and handle authorization via your ASP.NET Core app. Windows Auth is still supported.
Related
Recently I have developed a very simple .net core API and then deployed the same on IIS and want to enable Windows Authentication for some users. To be able to implement it, my web.config looks like
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow users="Tow\USER1"/>
<deny users="*"/>
</authorization>
</system.web>
<location path="." inheritInChildApplications="false">
<system.webServer>
<handlers>
<add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
</handlers>
<aspNetCore processPath="dotnet" arguments=".\Oculus.WebApi.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" hostingModel="InProcess" />
</system.webServer>
</location>
</configuration>
As it can be seen only User1 should be allowed access but everyone is able to access. My IIS authentication looks like this:
Can some one help please?
From this thread, ASP.NET Core does not support nor use web.config. The published web.config is there only for IIS hosting, since IIS requires this.
A wrokaround is that you could try to place inside system.webServer, which is directly for configuration of IIS.
<configuration>
<system.webServer>
<security>
<authorization>
<remove users = "*" roles="" verbs="" />
<add accessType = "Allow" users="Tow\USER1"/>
</authorization>
</security>
</system.webServer>
</configuration>
But the recommend way is that you'd better write you own custom authorization policy in asp.net core
https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api
https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2
As title, I want to disable Anonymous Authentication for my ASP.NET Boilerplate web site (MVC) in IIS Server and use Form Authentication instead. Is it possible to do this because if I disable Anonymous Authentication, my website cause an error "HTTP Error 404.15 - Not Found"
Update 1: Here is my web.config
<system.web>
<globalization culture="auto" uiCulture="auto" />
<compilation debug="true" targetFramework="4.6.1">
<assemblies>
<add assembly="System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.1" />
<customErrors mode="Off">
<error statusCode="404" redirect="~/Error/E404" />
</customErrors>
<httpHandlers>
<add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" validate="false" />
</httpHandlers>
<authentication mode="Forms" />
</system.web>
I still remember the first time I had to implement Forms Authentication in ASP. All I can say is there is a reason I only do linux based web-development now!
It is a real pain, but this should work if you don't intend on using a database to manage the users.
If you do intend to use a database then prepare yourself for a long road. U need to have the correct MSSQL database for the correct Visual studio tool and they also removed the management interface completely so you either have to design your own or use a tool that is available on the internet somewhere. I still remember I got so frustrated by the whole idea of it, that I literally wrote my own management tool I could deploy on developed sites. If it wasn't on a broken harddrive I would give it to you.
<authentication mode="Forms">
<forms loginUrl="login.aspx" defaultUrl="welcome.aspx">
<credentials passwordFormat="Clear">
<user name="abhishek" password="abhi#123"/>
<user name="Kantesh" password="sinha#123" />
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
If you plan on using a database to store your users google some tutorials.
The reason why you are getting a 404 is because you are not specifying loginUrl or it is incorrect and pointing to a non-existant page.
Hope this helps
When you disable anonymous access to all pages you cannot let users to see login page as well. what you need to to do is allowing some specific pages like login or register to be accessible.
This might not completely fits for you but you get the idea.
If it doesn't work, try removing the backslash "/" for the "/account/login" and set it like "account/login"
<configuration>
<system.web>
<authentication mode="Forms" />
<authorization>
<deny users="?" /> //this will restrict anonymous user access
</authorization>
</system.web>
<location path="/account/login"> //path here is path to login page
<system.web><authorization><allow users="*" /> // this will allow access to everyone to login page
</authorization></system.web></location>
</configuration>
I am trying to use windows authentication for my application, for the testing I have tried allowing to only myself and deny all rest
<authentication mode="Windows" />
<authorization>
<allow users="DomainName\nogariyap" />
<deny users="*"/>
</authorization>
But it gives me "Access Denied" error even I am logged in to my machine with the same user "DomainName\nogariyap"
When I change it to this
<allow users="*" />
it works
I don't know why it is not working for particular windows user?
Edit
It strangly worked when I added this in system.webServer
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
<authorization>
<remove users="*" roles="" verbs="" />
<add users="DomainName\nogariyap" accessType="Allow"/>
<add users="?" accessType="Deny"/>
</authorization>
</security>
But I don't know why it is not working with the settings in system.web and what are the difference in these two settings?
<system.web> is the projects configuration and <system.webserver> is the server configuration. Both should be compatible but the recommendation seems to be to use the server configuration over the other. It was introduce on IIS7. Some of the differences between both are:
In system.webserver the order:
Deny rules get evaluated first starting at the parent
Allow rules starting at the parent.
Order of appearance in rule collection
In system.web the order:
Lower level first going up to the parent
Order of appearance in rule collection
In webserver you can apply rules to any element meaning: images, documents without further configuration(adding mapping between every extension you want to a handler)
in the first attempt you had deny users="*" meaning deny everyone. in the second attempt, you had deny users="?" meaning unknown users (not signed in).
I have created a WCF service that uses windows authentication and would like to set it so it can only be accessed if the user is in a Windows group. I Currently use the following attribute in code to make this happen
[PrincipalPermission(SecurityAction.Demand, Role = "Domain\MyGroup")]
Problem with this is I have to do it on each method and compile if I want to change the group. Is there a way so I can set the group that has access in the config file and for the services as an whole?
I have tried the following in my config file but this does not appear to work
<security>
<authentication>
<windowsAuthentication authPersistSingleRequest="true" enabled="true"/>
</authentication>
<authorization>
<add accessType="Allow" roles="Domain\MyGroup" />
</authorization>
</security>
Ok I figured it out. I have the config file set like the following
<security>
<authentication>
<windowsAuthentication enabled="true" />
</authentication>
<authorization>
<remove users="*" roles="" verbs="" />
<remove users="?" roles="" verbs="" />
<add accessType="Deny" users="?" />
<add accessType="Allow" roles="Domain\MyGroup" />
</authorization>
</security>
Also had to set
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
And on my class that implements the WCF contract
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
I guess this means Im using ASP authentication rather than WCF but I works for me
The PrincipalPermission attribute is from the .NET code access security functionality and isn't related to WCF. A more flexible way to do this if the service is hosted in IIS is shown in this MSDN post. WCF also supports different custom authentication mechanisms as described here.
In IIS 7 I try to deny access to all files with the extension .xml for all users.
I tried the following setting in my web.config file:
<location path="*.xml">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
But then getting any file results in an internal server error.
It works if I deny access to the individual files but this solution does not buy me much as I do not know all .xml files in advance.
Try this:
<configuration>
<system.web>
<httpHandlers>
<add path="*.xml" verb="*"
type="System.Web.HttpNotFoundHandler" />
</httpHandlers>
</system.web>
</configuration>
By the way you could alternatively store all of your xml files within the App_Data directory. Storing files of any type in this directory will not be served to the web.
Another way is to use a request filter:
<system.webServer>
<security>
<requestFiltering>
<fileExtensions>
<add fileExtension=".xml" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
I have stumbled across this when searching for a way to change the security applied to all actions within a controller in a legacy application (ASP.NET MVC). I thought I need some sort of wildcard, but simply providing the path including the controller segment is enough:
This allows anonymous access to all actions within FooController.