views:

868

answers:

2

Hello, I've got some problems setting up the authorization. First I've got:

<authorization>
  <deny users="?" />
</authorization>

So I deny all unknown users and then allow them to view these pages:

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="Public">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Now to the problem: they can access the Public pages and Default.aspx, but not www.mydomain.com or www.mydomain.com/, while www.mydomain.com/Default.aspx works fine. So how do I make those work?

A: 

You have to remove the root deny and add a deny on all pages/directories where you wish to deny access to unauthorized users.

The pattern in ASP.NET is to place secure pages within a subfolder, and add a web.config in that folder that restricts access. If that's confusing, create a simple ASP.NET website application and do the following:

1) Create a directory in your website called Admin
2) Add a page to this directory called Secure
3) Run the Website admin tool and hit the security tab
4) Create an access rule on the Admin directory that denies unknown users.

Now check the project folder for the Admin directory. You'll see a web.config in that folder denying unknown users.

This way anybody can access webpages in your root (login, register, home page, etc), and you can keep secure pages within a secured subdirectory (Profile, AdminPage, etc). Usually, you would group pages accessed by users with similar roles in the same folder, such as Admin pages in an Admin folder with a web.config that only allows access to users who are members of the Admin group.

Will
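As an added illustration of the layout this answer describes (it is not code from the answer or from the asker's project), here are the two web.config files involved: the site root allows everyone, and a web.config inside the Admin folder denies anonymous users and admits only members of the Admin role. The folder name Admin and the role name Admin are taken from the answer; the Forms authentication loginUrl is an assumption. The reason the original configuration failed for www.mydomain.com/ is that URL authorization is evaluated against the requested path ("/"), which does not match a `<location path="Default.aspx">` rule, so the root-level deny applied before the default document was resolved.

```xml
<!-- /web.config (site root). Anonymous users may reach every page that is
     not covered by a more specific rule, so "/" and "/Default.aspx" both work. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is an assumption; the question does not show the login page -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>

<!-- /Admin/web.config. Rules are evaluated top to bottom and the first match
     wins; "?" means anonymous users, "*" means all users. A child folder's
     rules are checked before the parent's, so the trailing deny-all is what
     keeps an authenticated non-admin from falling through to the root's
     allow-all rule. -->
<configuration>
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

The same Admin rules can live in the root web.config inside a `<location path="Admin">` element instead of a separate file; the evaluation order and the need for the final `<deny users="*" />` are identical either way. A quick check after deploying is to request /Admin/Secure.aspx once anonymously (expect a redirect to the login page) and once as a logged-in user who is not in the Admin role (expect access denied rather than the page).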
+3  A: 

Keep in mind that there's a fundamental difference in protected resources between WebForms and MVC. In WebForms, the resources you're trying to protect are the pages themselves, and since the pages exist on disk at a well-known path you can use Web.config to secure them. However, in MVC, the resources you're trying to protect are actually controllers and actions, not individual paths and pages. If you try protecting the path rather than the controller, your application likely has a security vulnerability.

In MVC, by default all controllers + actions are accessible to all users, both authenticated and guest. To secure controllers or actions, the [Authorize] attribute has been provided. See http://www.asp.net/learn/mvc/#MVC_Security for more information.

In short, it sounds like for your application you'd want to attribute every controller except the default controller and the Public controller with the [Authorize] attribute.

Levi
Thanks a lot, that seems like a smart solution :)
Patrik Potocki