Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > can I set web.config to require authentication only for some files?

Reply
Thread Tools

can I set web.config to require authentication only for some files?

 
 
Bennett Haselton
Guest
Posts: n/a
 
      09-10-2004
If I add this to my web.config file:

<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>

I can configure the application so that users who try to access a page
in the application, get redirected to login.aspx where they have to
sign in. (And the "signing in" is handled in the codebehind page of
login.aspx.)

What if I want to configure authentication so that it's only required
for certain files? Or only for certain directories? Is there a way
to specify in the <forms> tag or in the <authentication> tag that you
want authentication to apply only to certain files or directories? I
couldn't find any documented way.

If you create a subdirectory and put a web.config file in there with
its own <authentication mode="Forms"> tag, in an attempt to make
authentication apply only to files in that directory, then you get the
ASP.Net error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.

As a last resort I could create a new project directory as a
sub-directory under the top-level project directory, but that sounds
inelegant; it'd be better to be able to manage all files in a single
project.

-Bennett
 
Reply With Quote
 
 
 
 
Lateralus [MCAD]
Guest
Posts: n/a
 
      09-10-2004
Bennett,
To change the authentication in specific directories all you have to do
is put a web.config file in that directory:

I noticed that in your example you didn't have the code below. This code
basically says that you have to be logged in to have access to the site.
Maybe you don't want this, but based upon your question I'm assuming you do.
<authorization>
<deny users="?"/>
</authorization>

Example: The example below basically says that you anybody can have access
to the files in this directory even if they are not logged in.

<authorization>
<allow users="*"/>
</authorization>

To specify at the file level within a site or directory:


<location path="MyFile.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

HTH

--
Lateralus [MCAD]


"Bennett Haselton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> If I add this to my web.config file:
>
> <authentication mode="Forms">
> <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
> timeout="60" />
> </authentication>
>
> I can configure the application so that users who try to access a page
> in the application, get redirected to login.aspx where they have to
> sign in. (And the "signing in" is handled in the codebehind page of
> login.aspx.)
>
> What if I want to configure authentication so that it's only required
> for certain files? Or only for certain directories? Is there a way
> to specify in the <forms> tag or in the <authentication> tag that you
> want authentication to apply only to certain files or directories? I
> couldn't find any documented way.
>
> If you create a subdirectory and put a web.config file in there with
> its own <authentication mode="Forms"> tag, in an attempt to make
> authentication apply only to files in that directory, then you get the
> ASP.Net error:
>
> It is an error to use a section registered as
> allowDefinition='MachineToApplication' beyond application level.
>
> As a last resort I could create a new project directory as a
> sub-directory under the top-level project directory, but that sounds
> inelegant; it'd be better to be able to manage all files in a single
> project.
>
> -Bennett



 
Reply With Quote
 
 
 
 
Steve C. Orr [MVP, MCSD]
Guest
Posts: n/a
 
      09-10-2004
You can specify some pages to require login, and others to not require login
via your web.config file by using the <location> tag.

Here is an example with sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net


"Bennett Haselton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> If I add this to my web.config file:
>
> <authentication mode="Forms">
> <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
> timeout="60" />
> </authentication>
>
> I can configure the application so that users who try to access a page
> in the application, get redirected to login.aspx where they have to
> sign in. (And the "signing in" is handled in the codebehind page of
> login.aspx.)
>
> What if I want to configure authentication so that it's only required
> for certain files? Or only for certain directories? Is there a way
> to specify in the <forms> tag or in the <authentication> tag that you
> want authentication to apply only to certain files or directories? I
> couldn't find any documented way.
>
> If you create a subdirectory and put a web.config file in there with
> its own <authentication mode="Forms"> tag, in an attempt to make
> authentication apply only to files in that directory, then you get the
> ASP.Net error:
>
> It is an error to use a section registered as
> allowDefinition='MachineToApplication' beyond application level.
>
> As a last resort I could create a new project directory as a
> sub-directory under the top-level project directory, but that sounds
> inelegant; it'd be better to be able to manage all files in a single
> project.
>
> -Bennett



 
Reply With Quote
 
Bennett Haselton
Guest
Posts: n/a
 
      09-10-2004
Thanks, that worked! At least once I figured out where the <location>
tag was supposed to go so that the web.config file would be parsed
correctly (it had to go just before the closing </configuration> tag
but I couldn't tell that from the tutorial).

In my original message I had said it broke when I tried putting a
web.config file in the subdirectory, but that was because I also had
the <authentication mode="Forms"> tag in that web.config file, and it
was giving a run-time error because that attribute can only be set in
the application-level web.config file. Once I changed the web.config
file in the subdirectory so that it only set the <authorization>
setting, it worked.

(I assume this means that within the same application, you can't have
one authentication method for one set of pages and a different
authentication method for another set of pages, but that's not
something I need anyway.)

One last question though: is there a way to specify multiple files and
directories in the "path" attribute of the <location> tag:

<location path="subdir">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

I tried entering multiple files separated by commas or semicolons, but
that always gave a run-time error.

It's not a huge pain to add a new <location> tag every time I create a
new page that needs to have required authentication, but I was
curious.

-Bennett

"Steve C. Orr [MVP, MCSD]" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> You can specify some pages to require login, and others to not require login
> via your web.config file by using the <location> tag.
>
> Here is an example with sample code that you can download and play with.
> http://www.dotnetbips.com/displayarticle.aspx?id=117
>
> --
> I hope this helps,
> Steve C. Orr, MCSD, MVP
> http://Steve.Orr.net
>
>
> "Bennett Haselton" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) om...
> > If I add this to my web.config file:
> >
> > <authentication mode="Forms">
> > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
> > timeout="60" />
> > </authentication>
> >
> > I can configure the application so that users who try to access a page
> > in the application, get redirected to login.aspx where they have to
> > sign in. (And the "signing in" is handled in the codebehind page of
> > login.aspx.)
> >
> > What if I want to configure authentication so that it's only required
> > for certain files? Or only for certain directories? Is there a way
> > to specify in the <forms> tag or in the <authentication> tag that you
> > want authentication to apply only to certain files or directories? I
> > couldn't find any documented way.
> >
> > If you create a subdirectory and put a web.config file in there with
> > its own <authentication mode="Forms"> tag, in an attempt to make
> > authentication apply only to files in that directory, then you get the
> > ASP.Net error:
> >
> > It is an error to use a section registered as
> > allowDefinition='MachineToApplication' beyond application level.
> >
> > As a last resort I could create a new project directory as a
> > sub-directory under the top-level project directory, but that sounds
> > inelegant; it'd be better to be able to manage all files in a single
> > project.
> >
> > -Bennett

 
Reply With Quote
 
Frank Mamone
Guest
Posts: n/a
 
      09-10-2004
If you have that many single pages to protect then you should consider
reviewing your application architecture.

However, you can indeed specify a directory to protect as a relative path in
the location element like <location path= " /mydirectory">.

You cannot, as far as I know use a list of files. Of course, you can put all
those files in the same directory and protect that.

Here is a link to the docs.

http://msdn.microsoft.com/library/de...onsettings.asp

Watch the wrap!

- Frank


"Bennett Haselton" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> Thanks, that worked! At least once I figured out where the <location>
> tag was supposed to go so that the web.config file would be parsed
> correctly (it had to go just before the closing </configuration> tag
> but I couldn't tell that from the tutorial).
>
> In my original message I had said it broke when I tried putting a
> web.config file in the subdirectory, but that was because I also had
> the <authentication mode="Forms"> tag in that web.config file, and it
> was giving a run-time error because that attribute can only be set in
> the application-level web.config file. Once I changed the web.config
> file in the subdirectory so that it only set the <authorization>
> setting, it worked.
>
> (I assume this means that within the same application, you can't have
> one authentication method for one set of pages and a different
> authentication method for another set of pages, but that's not
> something I need anyway.)
>
> One last question though: is there a way to specify multiple files and
> directories in the "path" attribute of the <location> tag:
>
> <location path="subdir">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
> </location>
>
> I tried entering multiple files separated by commas or semicolons, but
> that always gave a run-time error.
>
> It's not a huge pain to add a new <location> tag every time I create a
> new page that needs to have required authentication, but I was
> curious.
>
> -Bennett
>
> "Steve C. Orr [MVP, MCSD]" <(E-Mail Removed)> wrote in message

news:<(E-Mail Removed)>...
> > You can specify some pages to require login, and others to not require

login
> > via your web.config file by using the <location> tag.
> >
> > Here is an example with sample code that you can download and play with.
> > http://www.dotnetbips.com/displayarticle.aspx?id=117
> >
> > --
> > I hope this helps,
> > Steve C. Orr, MCSD, MVP
> > http://Steve.Orr.net
> >
> >
> > "Bennett Haselton" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) om...
> > > If I add this to my web.config file:
> > >
> > > <authentication mode="Forms">
> > > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
> > > timeout="60" />
> > > </authentication>
> > >
> > > I can configure the application so that users who try to access a page
> > > in the application, get redirected to login.aspx where they have to
> > > sign in. (And the "signing in" is handled in the codebehind page of
> > > login.aspx.)
> > >
> > > What if I want to configure authentication so that it's only required
> > > for certain files? Or only for certain directories? Is there a way
> > > to specify in the <forms> tag or in the <authentication> tag that you
> > > want authentication to apply only to certain files or directories? I
> > > couldn't find any documented way.
> > >
> > > If you create a subdirectory and put a web.config file in there with
> > > its own <authentication mode="Forms"> tag, in an attempt to make
> > > authentication apply only to files in that directory, then you get the
> > > ASP.Net error:
> > >
> > > It is an error to use a section registered as
> > > allowDefinition='MachineToApplication' beyond application level.
> > >
> > > As a last resort I could create a new project directory as a
> > > sub-directory under the top-level project directory, but that sounds
> > > inelegant; it'd be better to be able to manage all files in a single
> > > project.
> > >
> > > -Bennett



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
What is the point of having 16 bit colour if a computer monitor can only display 8 bit colour? How do you edit 16 bit colour when you can only see 8 bit? Scotius Digital Photography 6 07-13-2010 03:33 AM
Nat port Forwarding , allows only only some ip rayuthar@gmail.com Cisco 0 04-17-2008 02:21 PM
Forms Authentication Fails some times and not some times??? =?Utf-8?B?bWF2cmlja18xMDE=?= ASP .Net 0 03-28-2006 10:48 PM
How can I restrict that the some ID can only login once in the some time ad ASP .Net 2 08-12-2005 09:14 PM
Forms Authentication question: How to have some pages open and some requiring forms authentication Eric ASP .Net 2 02-13-2004 02:14 PM



Advertisments