I want to use the location path, allow user and deny user to restrict access in my MVC app. This is the section that I added to the web.config:
<location path="Views/Admin/Ticketing/Seasons.aspx">
  <system.web>
    <authorization>
      <allow users="admin" />
      <deny users="user1" />
    </authorization>
  </system.web>
</location>
It is not working. Non-admin users, like user1, can still view the page. I am not sure if it is because I have the routing set up differently or wrong.
This is the URL of the tab I want to block
http://marilyndenisservices.localhost/Admin/TicketingSeasons
This is the physical path of this page on disk
D:\dev\MarilynDenisServices\src\Web\Views\Admin\Ticketing\Seasons.aspx
And this is how I configured it on the view model
<div id="menucontainer">
  <ul id="menu">
    <li><%= Html.ActionLink("Ticketing", "TicketingSeasons", "Admin") %></li>
  </ul>
</div>
This is my action
public ActionResult TicketingSeasons()
{
    return View("Ticketing/Seasons");
}
Can someone tell me what I am doing wrong?
Try this location path:
<location path="Admin/TicketingSeasons">
  <system.web>
    <authorization>
      <allow users="admin" />
      <deny users="user1" />
    </authorization>
  </system.web>
</location>
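How the rules in this thread evaluate, as an added example that is not part of the original posts: a simplified Python model of ASP.NET URL authorization, where the first matching rule decides and the inherited default is `<allow users="*" />`. The matching function, the case-insensitive comparison and the third account `user2` are assumptions made for illustration.

```python
# Simplified model of ASP.NET URL authorization (illustration, not framework code).
# Assumptions: paths compare case-insensitively, a <location> covers its path and
# anything beneath it, and the inherited machine-level rule is <allow users="*" />.
DEFAULT_RULES = [("allow", "*")]


def rule_matches(users, user):
    """'*' is everyone, '?' is anonymous (user is None), otherwise a name list."""
    if users == "*":
        return True
    if users == "?":
        return user is None
    names = [u.strip().lower() for u in users.split(",")]
    return user is not None and user.lower() in names


def location_applies(location_path, request_path):
    loc = location_path.strip("/").lower()
    req = request_path.strip("/").lower()
    return req == loc or req.startswith(loc + "/")


def is_authorized(locations, request_path, user):
    """locations: list of (path, [(action, users), ...]) taken from web.config."""
    rules = []
    # Most specific matching location first, inherited default last.
    for path, loc_rules in sorted(locations, key=lambda loc: -len(loc[0])):
        if location_applies(path, request_path):
            rules.extend(loc_rules)
    rules.extend(DEFAULT_RULES)
    for action, users in rules:  # the first matching rule decides
        if rule_matches(users, user):
            return action == "allow"
    return False


PAGE_RULES = [("allow", "admin"), ("deny", "user1")]  # rules from the question
REQUEST = "Admin/TicketingSeasons"                    # routed URL from the question

by_view_path = [("Views/Admin/Ticketing/Seasons.aspx", PAGE_RULES)]
by_route = [("Admin/TicketingSeasons", PAGE_RULES)]
admin_only = [("Admin/TicketingSeasons", [("allow", "admin"), ("deny", "*")])]


def outcomes(locations):
    # user2 is a hypothetical account that no rule names explicitly.
    return {u: is_authorized(locations, REQUEST, u) for u in ("admin", "user1", "user2")}


if __name__ == "__main__":
    for name, cfg in [("view path", by_view_path), ("route", by_route), ("admin only", admin_only)]:
        print(name, outcomes(cfg))
```

With the route as the location path, user1 is denied but any account the rules do not name still falls through to the inherited allow; ending the rule list with `<deny users="*" />` is what limits the page to admin.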
Related
We have a website that is protected with Forms Authentication in IIS. We would like to make one page in this website accessible to everyone without any authentication.
All the resources I saw mention using tag but it's not working for us for some reason.
web.config:
<configuration>
  <location path="public.htm">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="UserLogin.aspx" />
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
Both public.htm and UserLogin.aspx are in the same folder. When we browse public.htm, we get 401.2.
If we disable Forms Authentication, public.htm is accessible.
UPDATE (5/21):
Disabled Forms Authentication in but still getting 401.2 error.
<configuration>
  <location path="public.htm">
    <system.web>
      <authentication mode="None" />
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="UserLogin.aspx" />
    </authentication>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
It sounds just like your anonymous authentication has been disabled or your current login user doesn't have permission to view public.htm.
If you are hosting it in VS, please ensure "Enabled" has been selected for anonymous authentication and your current logon user has permission to access the htm file.
If you are hosting it in IIS, please ensure anonymous authentication has been enabled. The authorization rule would look just like
<authorization>
  <deny users="?" />
  <allow users="*" />
</authorization>
The authentication in applicationhost.config would look like
<location path="Sitename">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
And the authorization rule for public.htm would be:
<location path="public.htm">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
Please remember to grant IUSER read permission to access public.htm.
I have a controller function which returns the PartialView. In this function, I checked that the login field matches my database for a particular user, then I called FormAuthentication.setAuthCookie. In this partialView, I have a call to User.IsAuthenticated but it was false.
I already call FormAuthentication.setAuthCookie before returning the partialView.
Why is User.IsAuthenticated still false? I am doing an ajax call so during the login process the will still on the same form even after the login as well.
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Account/Login" timeout="1000"/>
  </authentication>
  <compilation debug="true" targetFramework="4.5" />
  <httpRuntime targetFramework="4.5" />
I have a non logged web application that contains 50 pages. I need to have one logged page, "testpage". How can I do this:
<authentication mode="Forms">
  <forms loginUrl="~/Login/LoginExpiration.aspx" defaultUrl="~/Home/Default.aspx" slidingExpiration="true" timeout="120" />
</authentication>
<authorization>
  <allow users="?" />
</authorization>
<location path="testpage">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>
In your config file, location means not the page name but a folder.
Create a folder called testpage, place your page there and it will work.
My web.config has this:
<system.web>
  <customErrors mode="RemoteOnly" />
  <authentication mode="Forms">
    <forms loginUrl="~/Account/" />
  </authentication>
Is there a nice way to get this loginUrl in the MVC code as a string?
If you search the web for "asp.net get loginurl from web.config", you'll find:
System.Web.Security.FormsAuthentication.LoginUrl
I receive the following request error from my WCF REST web service when using Forms Authentication and Authorization. It works fine without the Authentication and Authorization:
"The server encountered an error processing the request. Please see the service help page for constructing valid requests to the service."
It's built in .NET 4 so there is no .svc file. Here is the service code:
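using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;

namespace WcfRestService1
{
    // Runs in ASP.NET compatibility mode, so the system.web authentication
    // and authorization settings apply to requests for this service.
    [ServiceContract]
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
    [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
    public class Service1
    {
        // HTTP GET operation that returns its result as JSON.
        [OperationContract]
        [WebGet(ResponseFormat = WebMessageFormat.Json)]
        public string GetHelloMessage()
        {
            return ("hello from web service");
        }
    }
}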
Here is the web config code:
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="UrlRoutingModule" type="System.Web.Routing.UrlRoutingModule, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    </modules>
  </system.webServer>
  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true"/>
    <standardEndpoints>
      <webHttpEndpoint>
        <standardEndpoint name="" helpEnabled="true" crossDomainScriptAccessEnabled="true" defaultOutgoingResponseFormat="Json" automaticFormatSelectionEnabled="true"/>
      </webHttpEndpoint>
    </standardEndpoints>
  </system.serviceModel>
  <system.web>
    <authentication mode="Forms">
      <forms defaultUrl="Service1" timeout="20"
             ticketCompatibilityMode="Framework40"
             loginUrl="login.aspx" name=".Mobile-Rest-Api" cookieless="UseCookies"/>
    </authentication>
    <authorization>
      <deny users="?" />
      <allow users="*"/>
    </authorization>
    <!--<authentication mode="None"/>-->
  </system.web>
  <location path="login">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Any help on this would be great, thanks in advance.
The problem is that you are using an authentication method that does not support a service call.
Forms authentication is used when a user is accessing a site. If the user is not authenticated, he is directed to a login form, in which he fills out user name and password.
When a service is making a call, the service gets a redirect response, which it is not able to handle, hence the error.
You need to select a different authentication method.