Configuring Windows Auth & Forms Auth in Asp.Net

Discussion in 'ASP .Net Security' started by Chris Mohan, Apr 28, 2004.

  1. Chris Mohan

    Chris Mohan Guest

    Configuring Windows Auth & Forms Auth in Asp.Net
    Hi, I've configured a web app to use Windows authentication and also set up two separate subdirectories to use forms authentication. It appears to work fine but I have never seen a sample that demonstrates both in the same web.config and I don't like assuming I've done this correctly and securely.

    Please take a look at the following from my web.config and let me know what you think (it's not the full config -- just stripped down to its essentials w/ no attributes). It's pretty basic, I just use a location element for each sub-dir and then set the auth mode inside of it. Thanks!

    <?xml version="1.0" encoding="UTF-8" ?>
    <configuration>
      <!-- Main site: Windows authentication, all users allowed -->
      <system.web>
        <authentication mode="Windows" />
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
      <!-- Subdirectory 1: forms authentication, anonymous users denied -->
      <location path="SecureArea1">
        <system.web>
          <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
          </authentication>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
      <!-- Subdirectory 2: same settings as subdirectory 1 -->
      <location path="SecureArea2">
        <system.web>
          <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
          </authentication>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>
    Chris Mohan, Apr 28, 2004
    #1

  2. Chris Mohan

    avnrao Guest

    This looks OK to me as long as you take care of securing your forms
    authentication. I mean securing the forms authentication cookie and role list.
    For any request to the subfolders, the location element in web.config clearly
    overrides Windows authentication.

    Av.
    avnrao, Apr 29, 2004
    #2
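
Added example, not part of the original posts: one way to apply the advice above about securing the forms authentication cookie, shown for one of the two areas. The cookie name and the timeout value are assumptions chosen for illustration; the attributes themselves are standard `<forms>` attributes.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <!-- Main site: unchanged from the thread. -->
    <authentication mode="Windows" />
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- <authentication> is an application-level section, so this path has to
       be an IIS application of its own (the later post in this thread says
       the subdirectories are configured that way). -->
  <location path="SecureArea1">
    <system.web>
      <authentication mode="Forms">
        <!-- Form used in the thread: <forms loginUrl="login.aspx" />
             That leaves the cookie on its defaults: the shared name
             .ASPXAUTH, sent over plain HTTP as well as HTTPS, and a
             lifetime that is renewed while the user stays active. -->
        <!-- name:              assumed value; a distinct name per area keeps
                                the two areas' tickets from colliding.
             protection="All":  ticket is encrypted and integrity-checked,
                                including any role list kept in its UserData.
             requireSSL="true": cookie gets the Secure flag, so the login
                                page and the area must be served over HTTPS.
             timeout / slidingExpiration: assumed 20-minute fixed lifetime,
                                which bounds how long a stolen cookie works. -->
        <forms name=".SECUREAREA1AUTH"
               loginUrl="login.aspx"
               protection="All"
               requireSSL="true"
               timeout="20"
               slidingExpiration="false" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The same `<forms>` settings, with its own cookie name, would go in the second `<location>` block.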

  3. Chris Mohan

    Chris Mohan Guest

    Forms Auth in subdirs but Windows Auth in Main Site

    Hi, I've configured a web app to use Windows authentication. Two of the app's subdirectories
    are configured as applications in IIS and the mainsite's web.config defines those subdirs to
    use forms authentication. It appears to work fine but I have never seen a sample that
    demonstrates both in the same web.config (all the samples show a
    snippet outside the context of the entire web.config). I don't like
    assuming I've done this correctly and securely.

    Please take a look at the following from my web.config and let me
    know what you think. The approach is pretty basic: I just use a
    location element for each sub-dir and then set the auth mode inside
    of it.

    The Directory Structure looks like this:

    |---\MainSite(Configured as An App in IIS)
    | +---Secure1(Configured as An App in IIS)
    | +---Secure2(Configured as An App in IIS)
    | +---MainSiteChild1
    | +---MainSiteChild2
    |web.Config(in mainSite's Root)

    A stripped down version of the web.config settings:

    <?xml version="1.0" encoding="UTF-8" ?>
    <configuration>
      <!-- Main site: Windows authentication, all users allowed -->
      <system.web>
        <authentication mode="Windows" />
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>

      <!-- First sub-application: forms authentication, anonymous users denied -->
      <location path="SecureArea1">
        <system.web>
          <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
          </authentication>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>

      <!-- Second sub-application: same settings as the first -->
      <location path="SecureArea2">
        <system.web>
          <authentication mode="Forms">
            <forms loginUrl="login.aspx" />
          </authentication>
          <authorization>
            <deny users="?" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    What I think this mix of settings achieves is the same
    thing as if the Secure1 & Secure2 subdirectories had their own web.config files.

    Here's a good article about this exact topic but it uses
    the "maverick" web.configs in sub dirs approach:
    http://www.theserverside.net/articles/showarticle.tss?id=FormAuthentication
    Chris Mohan, Apr 29, 2004
    #3
