|
-
Oct 2nd, 2012, 08:42 PM
#1
Thread Starter
Frenzied Member
ASP.NET access control only working for .aspx
Hi,
I have created an access rule for my website, it looks like it works fine when trying to access .aspx files, but not for any other extensions. I was wondering if there is trick to apply the access rule for all files types.
Code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
<allow roles="Supervisor" />
<allow roles="Manager" />
</authorization>
<authentication mode="Forms" />
</system.web>
</configuration>
I tried to add the following code to my main config file but still will only work for .aspx only
Code:
<modules>
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
<remove name="DefaultAuthentication" />
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
</modules>
Thank You
-
Oct 3rd, 2012, 12:04 AM
#2
Re: ASP.NET access control only working for .aspx
Hi.Aspx extension is not actually a file access,well it is but the site will look it as a page served.You can use the location element in web.config to restrict pages and folders.If you want to restrict files then i guess you will either have to merge them with a page like this: http://www.code-magazine.com/article...0703031&page=3
or deny a folder with files or go to the server and remove the mime type from IIS(haven't tried that) or using permissions on the server directly on files but that is a little problematic.
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
-
Oct 3rd, 2012, 12:32 AM
#3
Thread Starter
Frenzied Member
Re: ASP.NET access control only working for .aspx
Hi,
I tried to use the location element, but still i'm able to access the any files in the folder
Code:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="~/" >
<system.web>
<authorization>
<deny users="?" />
<allow roles="manager" />
<allow roles="Supervisor" />
</authorization>
<authentication mode="Forms" />
</system.web>
</location>
</configuration>
I'm working on a shared hosting, so I don't have any access to the server. Any other tip on how I can only allow access logged in users to access the files...
Thanks
-
Oct 3rd, 2012, 06:13 PM
#4
Re: ASP.NET access control only working for .aspx
Not i don't think "~/" will cut it.Even if it did it's a very bad idea.What you can do is create a folder, for example "myfiles" and create a web page inside the folder.Then you can treat the folder as a web page and deny file access. Like that:
Code:
<location path="myfiles">
<system.web>
<authorization>
<allow roles="manager" />
<deny users="*"/>
</authorization>
</system.web>
</location>
Problem is that if it doesn't work at once,you may need physical access to the folder so you can manage the permissions
That's a trick i got for Gep13 so credit to him (and me that i remembered it )
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
-
Oct 3rd, 2012, 06:36 PM
#5
Thread Starter
Frenzied Member
Re: ASP.NET access control only working for .aspx
Hi,
I tried to follow your instruction >
I updated this line of code
<location path="myfiles">
But I'm not what you meant by this
.Then you can treat the folder as a web page
.
So far it's working just like previously, it only denies access to .aspx files but not for any other files.
thx
-
Oct 3rd, 2012, 09:58 PM
#6
Re: ASP.NET access control only working for .aspx
By "myfiles" i mean your folder name.Listen i may go this half, because i used this to upload files and the to only allow registered users to delete the files.So you may also have to go to the server permissions and deny access.I think you will have to get physical contact with the server,sorry.
See you next week, going for swim in a Greek island!
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
-
Oct 3rd, 2012, 10:20 PM
#7
Thread Starter
Frenzied Member
Re: ASP.NET access control only working for .aspx
Hi,
thx for the help, quick question, if the server admin agrees to cooperate , do you know exactly what change he shud make so it can work?
thx
-
Oct 3rd, 2012, 10:59 PM
#8
Re: ASP.NET access control only working for .aspx
Hi.Out of the top of my head,no.I also have to be on a server to make sure.But i suspect it's the IIS_IUSRS security object.
Hope you get it working, i am leaving so will see this probably on Monday.
C.U.
ἄνδρα μοι ἔννεπε, μοῦσα, πολύτροπον, ὃς μάλα πολλὰ
πλάγχθη, ἐπεὶ Τροίης ἱερὸν πτολίεθρον ἔπερσεν·
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|