ET #1
Authentication to specific files/pages
Hi,
The situation is that I have a virtual site (created from IIS) where all
domain users can access via the intranet. However, there are a few pages
that we would like to restrict user access. I tried to use NTFS settings to
allow certain people to access the .aspx pages; however, it seems that
after removing "everyone" and adding users to the list on the NTFS settings
(right click on file --> property --> security), no one can access the page.
I read on the forum that the web.config file seems to be able to do something
to do with access permissions. I was wondering whether creating a web.config
from scratch would solve our current permissions problem? If so, do I put
the file in the virtual site top folder? Also, is it possible to use Windows
domain users instead of user/pass saved in a database? If so, how do you
connect the web.config file to the domain?
Thanks!
ET
P.S. Some of my questions might not make a lot of sense, because I'm not too
sure how the web.config file works. Sorry about that.
ET Guest
-
David Coe, MCP #2
RE: Authentication to specific files/pages
ET
You have some very valid questions, and I will try to make sense of what you are asking.
Yes, you can use the Windows domain accounts instead of a database to authenticate your users. You will need to enable IIS for Windows authentication, and then in the web.config file, use
<authentication mode="Windows" />
and
<authorization>
  <allow users="*" /> <!-- Allow all users -->
  <!-- <allow users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
       <deny users="[comma separated list of users]"
             roles="[comma separated list of roles]"/>
  -->
</authorization>
... you can either list all of the users you want to allow/deny access to, or you can list specific roles that you want to allow access to (i.e., administrator).
You have a few options when it comes to configuring access for each directory. You can either put a web.config file in each directory, or in your top-level web.config file you can add a <location> element and specify the directories that you want to allow/deny access to. For instance:
<!-- close the system.web element -->
</system.web>
<location path="folder_or_file_name">
  <system.web>
    <authorization>
      <allow users="*" /> <!-- Allow all users -->
      <!-- <allow users="[comma separated list of users]"
                  roles="[comma separated list of roles]"/>
           <deny users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
      -->
    </authorization>
  </system.web>
</location>
David Coe, MCP Guest
-
ET #3
Re: Authentication to specific files/pages
Hi David,
Thanks for your prompt reply. Your explanation really helped. I have another
question regarding the allow/deny permissions. Does "deny" always override
"allow"? Also, is there a way to write the code so that only a few users are
allowed to access, and the rest are denied? Because deny always overrides
allow, there doesn't seem to be any point writing the list of allowed users
when "deny everyone/the rest" overrides it. Thanks again!
ET
ET Guest
-
ET #4
Re: Authentication to specific files/pages
Hi again,
Do you absolutely have to create some kind of login page for the web.config
file to work? I placed the file in the directory; however, I kept on getting
the same error message (Server Error in '/' Application). What am I missing?
Thanks again!
ET
my web.config file:
========
<configuration>
<location path="test_req.aspx">
<security>
<system.web>
<customErrors mode="Off"/>
<authorization>
<allow users="DOMAIN\someuser"/>
<deny users="*"/> <!-- Deny all (other) users ?? -->
</authorization>
</system.web>
</security>
</location>
</configuration>
========
ET Guest
-
.NET Follower #5
Re: Authentication to specific files/pages
hi,
> <allow users="DOMAIN\someuser"/>
> <deny users="*"/> <!-- Deny all (other) users ?? -->
u can do as this
<allow users="*"/>
<deny users="DOMAIN\someusers"/>
can u give details of error
if u dont specify login page....
where will u redirect the user....
--
Thanks and Regards,
Amit Agarwal
Software Programmer(.NET)
.NET Follower Guest
-
ET #6
Re: Authentication to specific files/pages
Hi again,
If I use your piece of code:
> <allow users="*"/>
> <deny users="DOMAIN\someusers"/>
Doesn't this mean if I had 100 users in the company, I would have to deny
94 users if only 6 of them were allowed to view the page?
> can u give details of error
I was thinking of something like windows authentication where a window pops
up asking for user/pass when you access the page.
Below is the error message I got after using the web.config file I attempted
to write.
Thanks!
ET
Server Error in '/' Application.
----------------------------------------------------------------------------
----
The "SendUsing" configuration value is invalid.
Description: An unhandled exception occurred during the execution of the
current web request. Please review the stack trace for more information
about the error and where it originated in the code.
Exception Details: System.Runtime.InteropServices.COMException: The
"SendUsing" configuration value is invalid.
Source Error:
The source code that generated this unhandled exception can only be
shown when compiled in debug mode. To enable this, please follow one of the
below steps, then request the URL:
1. Add a "Debug=true" directive at the top of the file that generated
the error. Example:
<%@ Page Language="C#" Debug="true" %>
or:
2) Add the following section to the configuration file of your
application:
<configuration>
<system.web>
<compilation debug="true"/>
</system.web>
</configuration>
Note that this second technique will cause all files within a given
application to be compiled in debug mode. The first technique will cause
only that particular file to be compiled in debug mode.
Important: Running applications in debug mode does incur a
memory/performance overhead. You should make sure that an application has
debugging disabled before deploying into production scenario.
Stack Trace:
[COMException (0x80040220): The "SendUsing" configuration value is invalid.]
[TargetInvocationException: Exception has been thrown by the target of an invocation.]
System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters) +0
System.RuntimeType.InvokeMember(String name, BindingFlags invokeAttr, Binder binder, Object target, Object[] args, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParameters) +473
System.Web.Mail.LateBoundAccessHelper.CallMethod(Object obj, String methodName, Object[] args) +58
[HttpException (0x80004005): Could not access 'CDO.Message' object.]
System.Web.Mail.LateBoundAccessHelper.CallMethod(Object obj, String methodName, Object[] args) +113
System.Web.Mail.CdoSysHelper.Send(MailMessage message) +1846
System.Web.Mail.SmtpMail.Send(MailMessage message) +153
_ASP.test_req_aspx.Send_Email(Object Sender, EventArgs e) +552
System.Web.UI.HtmlControls.HtmlInputButton.OnServerClick(EventArgs e) +108
System.Web.UI.HtmlControls.HtmlInputButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33
System.Web.UI.Page.ProcessRequestMain() +1277
----------------------------------------------------------------------------
----
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET
Version:1.1.4322.573
ET Guest
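
An added example, not part of any post in this thread and not ASP.NET's own code: ASP.NET URL authorization reads the <allow>/<deny> rules of an <authorization> section top to bottom and applies the first one that matches, so a <deny users="*"/> placed last only catches users that no earlier <allow> named. The Python model below runs that evaluation over the two rule orders posted above; DOMAIN\alice, DOMAIN\bob and DOMAIN\Reviewers are hypothetical names.

```python
import xml.etree.ElementTree as ElementTree

# Constructed samples. The first two are the rule orders posted in the thread;
# the third uses hypothetical account and group names.
ALLOW_USER_THEN_DENY_ALL = r"""<authorization>
  <allow users="DOMAIN\someuser"/>
  <deny users="*"/>
</authorization>"""

ALLOW_ALL_THEN_DENY_USER = r"""<authorization>
  <allow users="*"/>
  <deny users="DOMAIN\someuser"/>
</authorization>"""

FEW_ALLOWED_REST_DENIED = r"""<authorization>
  <allow users="DOMAIN\alice, DOMAIN\bob" roles="DOMAIN\Reviewers"/>
  <deny users="*"/>
</authorization>"""


def _names(rule, attribute):
    """Split a comma-separated users/roles attribute into lowercase names."""
    return {n.strip().lower() for n in rule.get(attribute, "").split(",") if n.strip()}


def _matches(rule, user, roles):
    """True if the rule names this user, one of their roles, or a wildcard."""
    users = _names(rule, "users")
    if "*" in users:                       # "*" covers every user
        return True
    if user is None:                       # "?" covers anonymous requests only
        return "?" in users
    if user.lower() in users:
        return True
    return bool(_names(rule, "roles") & {r.lower() for r in roles})


def is_allowed(authorization_xml, user, roles=()):
    """Walk the rules top to bottom; the first rule that matches decides."""
    for rule in ElementTree.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and _matches(rule, user, roles):
            return rule.tag == "allow"
    # Nothing matched: model the machine-level default of <allow users="*"/>.
    return True


if __name__ == "__main__":
    for name in ("DOMAIN\\someuser", "DOMAIN\\colleague"):
        print(name, is_allowed(ALLOW_USER_THEN_DENY_ALL, name),
              is_allowed(ALLOW_ALL_THEN_DENY_USER, name))
```

Under Windows authentication a role is a Windows group, so the third sample restricts a page to a few people without listing everyone else.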




