newbie -- forms authentication
Hello, I'm experimenting with VS2003 and ASP.NET and I have an issue with forms authentication: I have created a VS solution and added to it a new web application project; then I added some dummy pages to the project. Now I'd like to protect an administrative section of this dummy website, so I created a new folder named "admin" in my webapp project (in VS2003, right-clicking the project and selecting Add/New Folder). I have then placed in this folder (adding new items to the VS project):

1) a login web form (login.aspx).
2) a dummy HTML page hyperlinked by some root (unrestricted-access) pages.
3) a Web.config file to override the default (root) settings, with the following code:

    <system.web>
      <authentication mode="Forms">
        <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All" timeout="30">
          <credentials passwordFormat="Clear">
            <user name="Mickey" password="Mouse"/>
          </credentials>
        </forms>
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>

Now when I click the hyperlink to the protected (i.e. under path admin/) HTML page, the login form is NOT invoked and I can access the page as if it had no protection. What am I doing wrong?

Thanks guys...

RE: newbie -- forms authentication
We actually tried your code and it works fine. Maybe if it helps, here's the content of our test web.config file.

Kind regards,
Nikander & Margriet Bruggeman

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>

        <!-- DYNAMIC DEBUG COMPILATION
             Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this
             value to false will improve runtime performance of this application.
             Set compilation debug="true" to insert debugging symbols (.pdb information)
             into the compiled page. Because this creates a larger file that executes
             more slowly, you should set this value to true only when debugging and to
             false at all other times. For more information, refer to the documentation
             about debugging ASP.NET files.
        -->
        <compilation defaultLanguage="c#" debug="true" />

        <!-- CUSTOM ERROR MESSAGES
             Set customErrors mode="On" or "RemoteOnly" to enable custom error messages,
             "Off" to disable. Add <error> tags for each of the errors you want to handle.
             "On" Always display custom (friendly) messages.
             "Off" Always display detailed ASP.NET error information.
             "RemoteOnly" Display custom (friendly) messages only to users not running
             on the local Web server. This setting is recommended for security purposes,
             so that you do not display application detail information to remote clients.
        -->
        <customErrors mode="RemoteOnly" />

        <!-- AUTHENTICATION
             This section sets the authentication policies of the application.
             Possible modes are "Windows", "Forms", "Passport" and "None"
             "None" No authentication is performed.
             "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
             according to its settings for the application. Anonymous access must be
             disabled in IIS.
             "Forms" You provide a custom form (Web page) for users to enter their
             credentials, and then you authenticate them in your application. A user
             credential token is stored in a cookie.
             "Passport" Authentication is performed via a centralized authentication
             service provided by Microsoft that offers a single logon and core profile
             services for member sites.
        -->
        <!--authentication mode="Windows" /-->
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All" timeout="30">
            <credentials passwordFormat="Clear">
              <user name="Mickey" password="Mouse"/>
            </credentials>
          </forms>
        </authentication>

        <!-- AUTHORIZATION
             This section sets the authorization policies of the application. You can
             allow or deny access to application resources by user or role.
             Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users.
        -->
        <authorization>
          <deny users="?" />
          <!-- allow users="*" /--> <!-- Allow all users -->
          <!-- <allow users="[comma separated list of users]"
                      roles="[comma separated list of roles]"/>
               <deny users="[comma separated list of users]"
                     roles="[comma separated list of roles]"/>
          -->
        </authorization>

        <!-- APPLICATION-LEVEL TRACE LOGGING
             Application-level tracing enables trace log output for every page within an
             application. Set trace enabled="true" to enable application trace logging.
             If pageOutput="true", the trace information will be displayed at the bottom
             of each page. Otherwise, you can view the application trace log by browsing
             the "trace.axd" page from your web application root.
        -->
        <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />

        <!-- SESSION STATE SETTINGS
             By default ASP.NET uses cookies to identify which requests belong to a
             particular session. If cookies are not available, a session can be tracked
             by adding a session identifier to the URL. To disable cookies, set
             sessionState cookieless="true".
        -->
        <sessionState mode="InProc"
                      stateConnectionString="tcpip=127.0.0.1:42424"
                      sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                      cookieless="false"
                      timeout="20" />

        <!-- GLOBALIZATION
             This section sets the globalization settings of the application.
        -->
        <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

      </system.web>
    </configuration>

Re: newbie -- forms authentication
Is the root folder an IIS application? In this case the web.config file is not taken into account...

Patrice

Re: newbie -- forms authentication
I meant that the root needs to be an IIS application to take this config file into account...

Re: newbie -- forms authentication
Dan,

Read this article; it should help.

http://www.theserverside.net/article...Authentication

Andy

Re: newbie -- forms authentication
Thank you all guys, I tried some fixes but it still does not work... The subdirectory "admin" is just a directory of the unique (root) web application, but this should not harm as suggested by the article pointed by Andy. I tried to follow this article by making the following changes:

1) remove the web.config file in admin subdir
2) add forms authentication to the root web.config file, and a <location> tag to specify that the admin subdir should be protected, as follows:

---> in <configuration> / <system.web> tree of the root config file:

    <authentication mode="Forms">
      <forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" protection="All" timeout="30">
        <credentials passwordFormat="Clear">
          <user name="Mickey" password="Mouse"/>
        </credentials>
      </forms>
    </authentication>

    <authorization>
      <allow users="*" />
    </authorization>

    <location path="admin">
      <authorization>
        <deny users="?"/>
      </authorization>
    </location>

Anyway, I still get the same results, i.e. all works fine but no protection is active for any file under admin folder. I can add here the whole process of creating the sample application so that someone can try reproducing the issue, maybe there is something wrong with my approach as I have changed the VS2003 default location because I need ALL my web apps files in my local drive folder. Here is how I created the web application (see http://www.codeproject.com/useritems...projects.asp):

1. I create my project folder in my local drive, e.g. C:\MyProject.
2. I create a folder named "www" inside C:\MyProject (=C:\MyProject\www), where all the apps files will be stored.
3. In IIS I create a new virtual directory making it point to C:\MyProject\www.
4. In VS2003 I create a new Blank Solution and save it in C:\MyProject, so that if its name is Dummy its physical folder will be C:\MyProject\Dummy.
5. In VS2003 I add a New Project to the blank solution making it point to http://localhost/myproject.

If you then change the root web.config file as specified above and create an admin folder, place some page into it and hyperlink it from the root folder you should access it with no protection, which is of course wrong. Any idea?

RE: newbie -- forms authentication
Dan, you can only protect .aspx pages this way, as .html, etc. bypass the whole process. Is your dummy page .aspx?

Bill

Re: newbie -- forms authentication
Dan,

Make sure that your location tag is between the </system.web> and </configuration> tags. I have been working on the same scenario as you for the past 3 days. Hopefully we can get you up and running today. I see that you were missing the <system.web> tag from your location tag. Also make sure that you have your login page in the root directory. I think you had the rest of it right. No web.config in the admin folder, just the files you want to protect.

Take a look at mine, www.sutorius.com/psyche, click one of the hyperlinks and type in user1 for the username and password.

My web.config in the root directory:

    <configuration>
      <system.web>
      </system.web>
      <location path="admin" allowOverride="true">
        <system.web>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

Andy

Re: newbie -- forms authentication
Thank you both guys, I have finally managed to get it to work! The problem was in the position of the <location> section in the XML file; frankly I find this <system.web> tag a bit confusing in the general doc structure, but now I know how to deal with it. Also, I did not know that the protection mechanism was limited to aspx pages, anyway I was trying with an aspx one. Thanks again to you all and have a nice day!

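Added example, not part of the original thread and not code from any poster: a small Python check for the two structural faults discussed above (a <location> that is not placed between </system.web> and </configuration>, and <authorization> rules sitting directly under <location> without their own <system.web>), which also flags the passwordFormat="Clear" credentials used in the posted configs. The function names, finding codes and both sample configs are constructed for illustration; it assumes a web.config without XML namespaces and ignores roles and verbs in authorization rules.

```python
import xml.etree.ElementTree as ET

# Constructed samples based on the settings posted in the thread.
AUTH = """<authentication mode="Forms">
  <forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" protection="All" timeout="30">
    <credentials passwordFormat="Clear"><user name="Mickey" password="Mouse"/></credentials>
  </forms>
</authentication>
<authorization><allow users="*"/></authorization>"""

# Before the fix: <location> nested in <system.web>, rules directly under it.
BROKEN = f"""<configuration><system.web>{AUTH}
<location path="admin"><authorization><deny users="?"/></authorization></location>
</system.web></configuration>"""

# After the fix: <location> is a sibling of <system.web> and wraps its own.
FIXED = f"""<configuration><system.web>{AUTH}</system.web>
<location path="admin"><system.web>
  <authorization><deny users="?"/></authorization>
</system.web></location></configuration>"""


def children(el, tag):
    """Direct child elements of el with the given tag name."""
    return [c for c in el if c.tag == tag]


def denies_anonymous(scope):
    """True if the first rule naming '?' or '*' under scope/system.web/authorization
    is a <deny>. Rules are read top-down; roles and verbs are ignored (assumption)."""
    for sw in children(scope, "system.web"):
        for authz in children(sw, "authorization"):
            for rule in authz:
                users = [u.strip() for u in rule.get("users", "").split(",")]
                if "?" in users or "*" in users:
                    return rule.tag == "deny"
    return False


def lint_web_config(xml_text):
    """Return (findings, protected_paths); findings are (code, detail) tuples."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    findings, protected = [], []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        well_placed = parent.get(loc) is root  # must sit directly under <configuration>
        if not well_placed:
            findings.append(("LOCATION_MISPLACED", path))
        if children(loc, "authorization"):  # rules not wrapped in <system.web>
            findings.append(("LOCATION_MISSING_SYSTEM_WEB", path))
        if well_placed and denies_anonymous(loc):
            protected.append(path)
    for cred in root.iter("credentials"):
        if cred.get("passwordFormat", "").lower() == "clear":
            names = ",".join(u.get("name", "") for u in children(cred, "user"))
            findings.append(("CLEARTEXT_CREDENTIALS", names))
    return findings, protected


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, *lint_web_config(cfg))
```

The check reads only the config file, so a clean result says nothing about files that never pass through ASP.NET, which is the point Bill raises about .html pages.
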
Re: newbie -- forms authentication
Dan wrote:
> Thank you both guys, I have finally managed to get it to work! The problem was
> in the position of the <location> section in the XML file; frankly I find
> this <system.web> tag a bit confusing in the general doc structure, but now
> I know how to deal with it. Also, I did not know that the protection
> mechanism was limited to aspx pages, anyway I was trying with an aspx one.
> Thanks again to you all and have a nice day!

Hello.

Regarding Dan's problem, I have nearly the same one. But it's not the wrong position in the web.config file. I really don't know the solution. Maybe you can help me...

I have a WebApplication with no subdirectories to secure. On my local computer it works fine. I followed the steps of the msdn (I do not find the url yet, but it works (local)). First I created a Webapplication with a few aspx sites. Then I added the authentication and authorization tags to my web.config file and I created a login.aspx. After compiling the project the browser tries to connect to the default.aspx and redirects to the login.aspx (as expected). That's the local computer (running WinXP Pro, Visual Studio 2002, .NET-Framework (1.1 ?), IIS).

For another project I have to develop a new solution on a (test-)server. I did the same steps as described above. And it doesn't work! I asked the employees here and a few dotnet-boards, but I can't get any solution right now. The server is running with Win2k3 Server, Visual Studio 2003, .NET-Framework (1.1), IIS, WSS(!).

Maybe there's a possible problem (the WSS). We have another server without WSS, where the authentication works fine. Do you know what I have to do, that it works on the server with WSS too? Or any other solution?

Thanks!