tags:

views:

868

answers:

2
Q: 

Problem with Authorization with IIS and MVC

Hello , Got some problem with settings up the Authorization. First i got : 

<authorization>
  <deny users="?" />
</authorization>

So i deny all unknown users and then allow them to view those pages:

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Public">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Now to the problem .. they can access the Public pages and Default.aspx .. but not www.mydomain.com or www.mydomain.com/ .. so www.mydmain.com/Default.aspx works fine. So how to make those work ?

A: 

You have to remove the root deny and add a deny on all pages/directories where you wish to deny access to unauthorized users.

The pattern in ASP.NET is to place secure pages within a subfolder, and add a web.config in that folder that restricts access. If thats confusing, create a simple asp.net website application and do the following:

1) Create a directory in your website called Admin
2) Add a page to this directory called Secure
3) Run the Website admin tool and hit the security tab
4) Create an access rule on the Admin directory that denies unknown users.

Now check the project folder for the Admin directory. You'll see a web.config in that folder denying unknown users.

This way anybody can access webpages in your root (login, register, home page, etc), and you can keep secure pages within a secured subdirectory (Profile, AdminPage, etc). Usually, you would group pages accessed by users with similar roles in the same folder, such as Admin pages in an Admin folder with a web.config that only allows access to users who are members of the Admin group.

Will  2009-02-20 19:30:57
+3  A: 

Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.

In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.

In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.

Levi  2009-02-20 20:18:02
Thanks alot .. that seems like a smart solution :)
Patrik Potocki  2009-02-20 23:22:08

related questions

IE6 security login (debugging via VirtualPC)
Asp.net Reinstalling a DLL into the GAC
Failed to load resources from resource file.
What does an IISReset do?
How do I secure a folder used to let users upload files?
VBScript/IIS - How do I automatically set ASP.NET version for a particular website
IIS 6/COM+ hangs
Web server farms with IIS ? Basic Infos
.NET 3.5 Service Pack 1 causes 404 pages on ASP.NET Web App
What Url rewriter do you use for ASP.Net?
Publishing to IIS - Best Practices
ASP.NET Proxy Application
PHP on IIS
How do I stop IIS7 dropping my cookies?
HTTPS in IIS 5.1
Best tool for performance testing ASP.NET
Alternative Hostname for an IIS web site for internal access only
SQL Server 2008 FileStream on a Web Server
Solutions for working with multiple branches in ASP.Net
Dual vs. Quadcore on a Webserver
PHP Error - Uploading a file
Visual Studio 2008 debugger already attached work-around
Linux shell equivalent on IIS
Bandwith throttling in IIS 6 by IP Address
Checklist for IIS 6/ASP.NET Windows Authentication?