I'm trying to authenticate an asp.net application, and I have my web.config setup to allow access to the login page first, and then deny access to all unauthorized users after that. Knowing that asp evaluates top-down, I thought that by putting my allow statement at the top, it would hit that one first when trying to authenticate, but it's not. I can get the application to work as desired when I allow access to all pages, and then deny the pages I don't want exposed. This works... but it's very cumbersome as it scales and many, many more pages are added.
<!--allow login access-->
<location path="login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<!--deny access to everything else-->
<system.web>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
Any help? I know everything should be moving to MVC, but I have to have this project done soon and can't learn quickly enough.
CodePudding user response:
Well, each web.config file to set security quite much HAS to be in each folder.
You for example show two web config files - but WHERE they are is the critical issue.
So, if you have a basic welcome page or whatever, that is fine (in the root).
As a general rule, your root folder will not (and should not) be secured.
Then you probably have an Account folder (this is where your logon page(s) are).
Again, that Account folder can't be secured or restricted, since how will users log into your site?
So, it will be VERY rare that you need/want/have to secure ONE single page.
A good example however, is if you created a default site, then you have this:
So, notice how we have the Accounts folder. This has your logon page, your forgot password (maybe) etc.
Well, then the above folder has a web config in that above "accounts" folder.
However, there is ONE page in that folder called "manage.aspx". That page lets users change their password. We don't want non-logged in users to hit that page UNLESS they are logged in. So the web config for Accounts folder is this:
<?xml version="1.0"?>
<configuration>
  <location path="Manage.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
So, ONLY for the "manage" page do we deny "anonymous" users.
However, for the default page, and the main root, we of course allow users to hit/see the page. (Besides, who wants to mess with the HUGE MAIN web.config page that has a boatload of settings.)
However, for the rest of your site, then each secured section and web pages should be placed in folders.
For example, I have some "admin" users or site manager users. So, I created a folder called SiteAdmin.
Like this:
As you can see, it has things like "messages" for daily or site message settings. So only site admin users can use those pages.
Hence, my web config is this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="SiteAdmin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
So, ONLY those who are part of the SiteAdmin group (role) can use those pages.
And if you look above, you can see a folder called Portal. This is for customers and say their projects. Looking at the security for Portal folder, this page:
In above we have a page called MyProjects. So ONLY customers logged in can go view their projects. So, we ONLY allow logged in users. And the web.config is this:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Portal" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
So, you have to be a logged in user, but ALSO a member of "Portal".
So, really, the security is not complex, and we VERY rarely ever have to apply security to a given or single aspx page, since we group the pages and site by folders.
So, I don't recommend you have anything in the "root" folder much - except say a landing page. As a result, you don't need or want to, or have to setup security for the main root folder.
But, for anything useful, and any pages that you want to be (and have) security, then they go into sub folders. It's not clear if you're going to use "roles" or just use the fact of being a logged in user. But, even in that case, move all pages that you want for logged in users to a sub folder. You could have "everything" into one folder, but I doubt that the main page, and very many pages are going to be in the root of the site anyway, are they?
So, the first site level? I would not secure it, but then again, you might only have some main page, and after that, any other "pages of value" will be placed in sub folders, and you can simply, as noted, secure any and all pages in each of those folders with a simple web.config like this:
<deny users="?" />
So, above means no "anonymous" or no logged in users allowed.
So, there is going to be as a general rule very bare bones pages in your root. In fact, placing a whole bunch of pages in the root is much like placing every document you have in "My documents". You create sub folders to organize MyDocuments, and you should do the same for the web site.
I don't believe you can have more than one web.config in the same folder, but I can't see the need or reason anyway.
So, if you want your pages to be secured, it's quite much a "given" and assumption that such pages will be moved out of and not be in the root of the web site. And once that is done, then one single simple web config file can be used with deny users="?" (you still will have a web.config file for EACH of the folders - but really not much of a big deal - cut and paste an existing one with the deny users="?" for each of those folders, and you are quite much done).
However, I would expect that even for logged in users, then you want further security, and as above shows, you want to have some "roles" for each user, and thus once again, you group by folders -- such as my site admin folder for setting up things like welcome message etc.
So, remove the pages you have in root if you don't really want much of any content to be viewed. If you secure the sub folders, and a non-logged in user attempts to hit one of those pages then the logon page in the Accounts folder will automatically trigger and be displayed.
So, your logon page should be in the Accounts folder - along with a few other pages such as forgot password, or change password.
So, in a nutshell, to manage security, you use sub folders, and for further management, you want to introduce "roles", and thus even logged on users can have different levels security.
Assuming you used the basic web site template to create your site, then all of your logon account pages would have been automatically created for you. And you should also get/have a menu bar (bootstrap - nice!!), and thus have something like this:
So, just start using the basic template, and menu bar as per above. You can see that it even shows my logon on the right side.
And I show/hide the menu bar items based on the users "role". So, in theory you could hide ALL OF the menu bar items - delete them, and only have one, or even none in the menu bar show UNLESS they are logged in, and thus they will have to navigate to some secured page. In fact, when the user "logs" on? I re-direct the user to My Projects page.
So, after a user logs in you can send them wherever you want, or what amounts to a basic page for logged in users to see.
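A way to see how the folder-level rules above combine, as an added example that is not code from the question or the answer: a small Python model of ASP.NET's top-down, first-match evaluation of allow/deny rules. It assumes, as a simplification of ASP.NET's behaviour, that rules from a more specific scope (a location entry or a deeper folder's web.config) are checked before the parent folder's, and that a request matching no rule is allowed, which is ASP.NET's default; the folder layout, role names and user names are constructed.

```python
# Added example (not from the question or the answer): a model of how
# ASP.NET applies <allow>/<deny> rules. Assumptions: rules are checked
# top-down and the first match wins; a more specific scope (<location>
# entry or deeper folder web.config) is checked before its parent;
# an unmatched request is allowed (ASP.NET's default). Paths are case-sensitive here.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    users: set = field(default_factory=set)  # "*" = everyone, "?" = anonymous
    roles: set = field(default_factory=set)

@dataclass
class User:
    name: Optional[str]                      # None = not logged in
    roles: set = field(default_factory=set)

def matches(rule: Rule, user: User) -> bool:
    anonymous = user.name is None
    return ("*" in rule.users or ("?" in rule.users and anonymous)
            or (not anonymous and user.name in rule.users)
            or bool(rule.roles & user.roles))

def scopes_for(url: str) -> list:
    """Most specific first: the page, its folder, then each parent up to '/'."""
    scopes, folder = [url], url.rsplit("/", 1)[0] + "/"
    while True:
        scopes.append(folder)
        if folder == "/":
            return scopes
        folder = folder[:-1].rsplit("/", 1)[0] + "/"

def is_allowed(site: dict, url: str, user: User) -> bool:
    """site maps a folder ('/Portal/') or a page ('/Account/Manage.aspx') to its rules."""
    for scope in scopes_for(url):
        for rule in site.get(scope, []):
            if matches(rule, user):
                return rule.action == "allow"
    return True  # nothing matched: allowed by default

# Constructed layout mirroring the answer: open root, deny-anonymous <location>
# for Account/Manage.aspx, role-restricted SiteAdmin and Portal folders.
SITE = {
    "/Account/Manage.aspx": [Rule("deny", users={"?"})],
    "/SiteAdmin/": [Rule("allow", roles={"SiteAdmin"}), Rule("deny", users={"*"})],
    "/Portal/": [Rule("allow", roles={"Portal"}), Rule("deny", users={"*"})],
}
```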