Results 1 to 8 of 8

Thread: ASP.NET access control only working for .aspx

  1. #1

    Thread Starter
    Frenzied Member met0555's Avatar
    Join Date
    Jul 2006
    Posts
    1,385

    ASP.NET access control only working for .aspx

    Hi,

    I have created an access rule for my website, it looks like it works fine when trying to access .aspx files, but not for any other extensions. I was wondering if there is trick to apply the access rule for all files types.

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    <system.web>
    <authorization>
    <deny users="?" />
    <allow roles="Supervisor" />
    <allow roles="Manager" />
    </authorization>
    <authentication mode="Forms" />
    </system.web>
    </configuration>
    I tried to add the following code to my main config file but still will only work for .aspx only

    Code:
    <modules>
          <add  name="FormsAuthenticationModule"  type="System.Web.Security.FormsAuthenticationModule" />
          <remove  name="UrlAuthorization" />
          <add  name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule"  />
          <remove  name="DefaultAuthentication" />
          <add  name="DefaultAuthentication"  type="System.Web.Security.DefaultAuthenticationModule" />
        </modules>
    Thank You

  2. #2
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,763

    Re: ASP.NET access control only working for .aspx

    Hi.Aspx extension is not actually a file access,well it is but the site will look it as a page served.You can use the location element in web.config to restrict pages and folders.If you want to restrict files then i guess you will either have to merge them with a page like this: http://www.code-magazine.com/article...0703031&page=3
    or deny a folder with files or go to the server and remove the mime type from IIS(haven't tried that) or using permissions on the server directly on files but that is a little problematic.
    ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
    πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·

  3. #3

    Thread Starter
    Frenzied Member met0555's Avatar
    Join Date
    Jul 2006
    Posts
    1,385

    Re: ASP.NET access control only working for .aspx

    Hi,

    I tried to use the location element, but still i'm able to access the any files in the folder

    Code:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="~/"  >
        <system.web>
            <authorization>
                <deny users="?" />
                <allow roles="manager" />
                <allow roles="Supervisor" />
             
            </authorization>
          <authentication mode="Forms" />
        </system.web>
        </location>
    </configuration>
    I'm working on a shared hosting, so I don't have any access to the server. Any other tip on how I can only allow access logged in users to access the files...


    Thanks

  4. #4
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,763

    Re: ASP.NET access control only working for .aspx

    Not i don't think "~/" will cut it.Even if it did it's a very bad idea.What you can do is create a folder, for example "myfiles" and create a web page inside the folder.Then you can treat the folder as a web page and deny file access. Like that:

    Code:
    <location path="myfiles">
    		<system.web>
    			<authorization>
    				   <allow roles="manager" />
    				<deny users="*"/>
    			</authorization>
    		</system.web>
    	</location>
    Problem is that if it doesn't work at once,you may need physical access to the folder so you can manage the permissions
    That's a trick i got for Gep13 so credit to him (and me that i remembered it )
    ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
    πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·

  5. #5

    Thread Starter
    Frenzied Member met0555's Avatar
    Join Date
    Jul 2006
    Posts
    1,385

    Re: ASP.NET access control only working for .aspx

    Hi,

    I tried to follow your instruction >
    I updated this line of code
    <location path="myfiles">
    But I'm not what you meant by this
    .Then you can treat the folder as a web page
    .
    So far it's working just like previously, it only denies access to .aspx files but not for any other files.

    thx

  6. #6
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,763

    Re: ASP.NET access control only working for .aspx

    By "myfiles" i mean your folder name.Listen i may go this half, because i used this to upload files and the to only allow registered users to delete the files.So you may also have to go to the server permissions and deny access.I think you will have to get physical contact with the server,sorry.
    See you next week, going for swim in a Greek island!
    ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
    πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·

  7. #7

    Thread Starter
    Frenzied Member met0555's Avatar
    Join Date
    Jul 2006
    Posts
    1,385

    Re: ASP.NET access control only working for .aspx

    Hi,

    thx for the help, quick question, if the server admin agrees to cooperate , do you know exactly what change he shud make so it can work?

    thx

  8. #8
    King of sapila
    Join Date
    Oct 2006
    Location
    Greece
    Posts
    6,763

    Re: ASP.NET access control only working for .aspx

    Hi.Out of the top of my head,no.I also have to be on a server to make sure.But i suspect it's the IIS_IUSRS security object.
    Hope you get it working, i am leaving so will see this probably on Monday.
    C.U.
    ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
    πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width