<location> not working?

Post by Dabble » Tue, 04 Mar 2003 03:06:33



I'm trying to restrict access to a subfolder using <location> tag in
web.config but the login page does not appear and I get access to the
subfolder.

Any assistance would be greatly appreciated.

Here's the relevant web.config:

<system.web>
   <!-- enable Forms authentication -->
   <authentication mode="Forms">
      <forms name=".ITINKOAUT" loginUrl="login.aspx" protection="All" Path="/" >
         <credentials passwordFormat="Clear">
            <user name="user1" password="password1"/>
         </credentials>
      </forms>
   </authentication>
   <authorization>
      <allow users="*" />
   </authorization>
</system.web>
<!-- deny access to folder area51 -->
<location path="area51">
   <system.web>
      <authorization>
         <allow users="user1" />
         <deny users="?" />
      </authorization>
   </system.web>
</location>

 
 
 

<location> not working?

Post by Ramiro Calderon Romer » Tue, 04 Mar 2003 03:36:50


Hi Dabbler,

According to MSDN [1]:

Given a set of merged rules for a URL, the system starts at the head of
the list and checks rules until the first match is found. Note that the
default configuration for ASP.NET contains an <allow users="*"> element,
which authorizes all users. If no rules match, the request is allowed unless
otherwise denied. If a match is found and the match is a <deny> element, it
returns 401. Applications or sites can easily configure a <deny users="*">
element at the top level of their site or application to prevent this
behavior.
If an <allow> matches, the module does nothing and lets the request be
processed further.

So I guess you should remove the <allow users="*" /> tag, because this is
the first match in the authorization heuristics that ASP.NET performs.

Hope this helps,

--
[1]ms-help://MS.VSCC/MS.MSDNVS/cpguide/html/cpconaspnetauthorization.htm

Ramiro Calderon
MCAD MCSD


Quote:
> I'm trying to restrict access to a subfolder using <location> tag in
> web.config but the login page does not appear and I get access to the
> subfolder.

> Any assistance would be greatly appreciated.

> Here's the relevant web.config:

> <system.web>
> <!-- enable Forms authentication -->
> <authentication mode="Forms">
>    <forms name=".ITINKOAUT" loginUrl="login.aspx" protection="All" Path="/" >
>       <credentials passwordFormat="Clear">
>          <user name="user1" password="password1"/>
>       </credentials>
>    </forms>
> </authentication>
> <authorization>
>    <allow users="*" />
> </authorization>
> </system.web>
> <!-- deny access to folder area51 -->
> <location path="area51">
>    <system.web>
>       <authorization>
>    <allow users="user1" />
>    <deny users="?" />
> </authorization>
>     </system.web>
> </location>


 
 
 

<location> not working?

Post by Dabble » Tue, 04 Mar 2003 13:00:24


Seems the problem is that the .NET security only applies to ASPX files.
I was testing by loading an html file supposing that all files in that
subfolder would be secured. Silly me.

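Added example (not from the thread or from MSDN): a small Python model of the first-match evaluation quoted above, applied to the web.config in the question. It assumes the documented merge order, in which rules nearest the requested path sit at the head of the merged list, and, following the last post, that only .aspx requests reach ASP.NET; `CONFIG`, `ASPNET_EXTENSIONS` and the function names are illustrative.

```python
from dataclasses import dataclass
from posixpath import splitext

# Assumption (mirrors the poster's observation): only these extensions are
# routed through ASP.NET, so only they are checked against <authorization>.
ASPNET_EXTENSIONS = {".aspx"}

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    users: str   # comma-separated names, "*" (everyone) or "?" (anonymous)

    def matches(self, user):
        for token in (t.strip() for t in self.users.split(",")):
            if token == "*":
                return True
            if token == "?" and user is None:
                return True
            if user is not None and token == user:
                return True
        return False

# Rules from the web.config in the question, keyed by the path they cover.
CONFIG = {
    "/": [Rule("allow", "*")],
    "/area51": [Rule("allow", "user1"), Rule("deny", "?")],
}

def merged_rules(url_path):
    """Merged list for a URL: most specific scope first, site root last."""
    scopes = [p for p in CONFIG
              if p == "/" or url_path == p or url_path.startswith(p + "/")]
    scopes.sort(key=len, reverse=True)
    return [rule for scope in scopes for rule in CONFIG[scope]]

def authorize(url_path, user=None):
    """Return 'allow', 'deny' (401, login page) or 'not-evaluated'."""
    if splitext(url_path)[1].lower() not in ASPNET_EXTENSIONS:
        return "not-evaluated"  # file is served without any rule being checked
    for rule in merged_rules(url_path):
        if rule.matches(user):
            return rule.action  # first match wins
    return "allow"              # no rule matched
```

In this model an anonymous request for an .aspx page under area51 is denied, while the .html file used for testing never reaches the rules. An authenticated user other than user1 falls through to the root `<allow users="*" />`, so limiting the folder to user1 alone would need `<deny users="*" />` after the allow.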

 
 
 
