Configuring Windows Auth & Forms Auth in Asp.Net

 
 
Chris Mohan
04-28-2004
Hi, I've configured a web app to use Windows authentication and also set up two separate subdirectories to use forms authentication. It appears to work fine but I have never seen a sample that demonstrates both in the same web.config and I don't like assuming I've done this correctly and securely.

Please take a look at the following from my web.config and let me know what you think (it's not the full config-- just stripped down to its essentials w/ no attributes). It's pretty basic, I just use a location element for each sub-dir and then set the auth mode inside of it. Thanks!

<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
  <location path="SecureArea2">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
 
 
 
 
 
avnrao
04-29-2004
This looks OK to me as long as you take care of securing your forms
authentication. I mean securing the forms authentication cookie and role list.
For any request to subfolders, the location element in web.config clearly
overrides Windows authentication.

Av.

"Chris Mohan" <chrismo1__=AT__yahoo.com> wrote in message
news:(E-Mail Removed)...
> Configuring Windows Auth & Forms Auth in Asp.Net
> Hi, I've configured a web app to use Windows authentication and also set
> up two separate subdirectories to use forms authentication. It appears to
> work fine but I have never seen a sample that demonstrates both in the
> same web.config and I don't like assuming I've done this correctly and
> securely.
>
> Please take a look at the following from my web.config and let me know
> what you think (it's not the full config-- just stripped down to its
> essentials w/ no attributes). It's pretty basic, I just use a location
> element for each sub-dir and then set the auth mode inside of it. Thanks!!
>
> <?xml version="1.0" encoding="UTF-8"
> ?><configuration><system.web><authentication mode="Windows"
> /><authorization><allow users="*" /></authorization></system.web><location
> path="SecureArea1"><system.web><authentication mode="Forms"><forms
> loginUrl="login.aspx" /></authentication><authorization><deny users="?"
> /></authorization></system.web></location><location
> path="SecureArea2"><system.web><authentication mode="Forms"><forms
> loginUrl="login.aspx" /></authentication><authorization><deny users="?"
> /></authorization></system.web></location></configuration>



 
 
 
 
 
Chris Mohan
04-29-2004
Hi, I've configured a web app to use Windows authentication. Two of the app's
subdirectories are configured as applications in IIS, and the main site's
web.config defines those subdirs to use forms authentication. It appears to
work fine, but I have never seen a sample that demonstrates both in the same
web.config (all the samples show a snippet outside the context of the entire
web.config). I don't like assuming I've done this correctly and securely.

Please take a look at the following from my web.config and let me
know what you think. The approach is pretty basic: I just use a
location element for each sub-dir and then set the auth mode inside
of it.

The Directory Structure looks like this:

|---\MainSite(Configured as An App in IIS)
| +---Secure1(Configured as An App in IIS)
| +---Secure2(Configured as An App in IIS)
| +---MainSiteChild1
| +---MainSiteChild2
|web.Config(in mainSite's Root)

A stripped down version of the web.config settings:
<?xml version="1.0" encoding="UTF-8" ?>
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <location path="SecureArea2">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="login.aspx" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

What I think this mix of settings achieves is the same
thing as if the Secure1 & Secure2 subdirectories had their own web.config files.

Here's a good article about this exact topic but it uses
the "maverick" web.configs in sub dirs approach:
http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication
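
Added example (not part of the thread or of any poster's code): a small Python check that reads a web.config shaped like the one posted above and reports, for the root and for each location path, the authentication mode, whether anonymous users are denied in that scope, and whether the forms cookie settings are set explicitly, which is one reading of the "securing the forms authentication cookie" point in the reply. The sample input is constructed from the posted config; the names audit, anonymous_denied and WANTED are made up for this example, WANTED is an assumed choice of values (protection and requireSSL are real attributes of the forms element), and only users= rules are examined.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the stripped-down web.config in the thread.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization><allow users="*" /></authorization>
  </system.web>
  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms"><forms loginUrl="login.aspx" /></authentication>
      <authorization><deny users="?" /></authorization>
    </system.web>
  </location>
</configuration>"""
# Assumption: the values this check wants set explicitly on <forms>.
WANTED = {"protection": "All", "requireSSL": "true"}


def anonymous_denied(authz):
    """First matching users= rule wins: True/False, or None if no rule here matches."""
    for rule in (authz if authz is not None else []):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag == "deny"
    return None  # nothing in this scope matches anonymous; the parent config decides


def audit(xml_text):
    """Map each scope ("(root)" or a location path) to (auth mode, findings)."""
    root = ET.fromstring(xml_text)
    scopes = [("(root)", root)] + [(loc.get("path"), loc) for loc in root.findall("location")]
    report = {}
    for path, node in scopes:
        auth = node.find("system.web/authentication")
        mode = auth.get("mode") if auth is not None else None
        findings = []
        if mode == "Forms":
            if anonymous_denied(node.find("system.web/authorization")) is not True:
                findings.append("anonymous users are not denied in this scope")
            forms = auth.find("forms")
            for attr, want in WANTED.items():
                got = forms.get(attr, "") if forms is not None else ""
                if got.lower() != want.lower():
                    findings.append(f"forms/@{attr} is not set to {want}")
        report[path] = (mode, findings)
    return report
```

Calling audit(SAMPLE) shows SecureArea1 in Forms mode with anonymous users denied but neither forms attribute set explicitly.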


 