Forms auth / Location element

Discussion in 'ASP .Net Security' started by Mark Teague, Mar 21, 2005.

  1. Mark Teague (Guest)

    Greetings!

    I am attempting to secure the root of an IIS virtual directory and an Admin subdirectory separately from one another. At first, I attempted to create an additional Web.Config in the /Admin folder to direct unauthenticated access attempts to URLs within this directory to a different login page. The ASP.Net runtime complained that the <authentication/> element should only be used at the root level (or perhaps it was the <forms/> element).

    After returning to the drawing board, I attempted to create two <location/> elements within the root level Web.Config file. The contents of the root Web.Config file are inserted below. There are two <location/> elements. One for the root of the virtual directory and another for the /Admin subdirectory.

    Unauthenticated attempts to access root level URLs are properly redirected to /Login.aspx. However, once authenticated to this folder the client may request any URL within the /Admin folder without being subject to the additional authentication/authorization that I would like to enforce upon administrative use.

    Is it the case that "Forms" based authentication can only be employed once during a client's session? (i.e. Once they are authenticated, they are authenticated ... period!) And also, that only one form can be established for a particular IIS virtual directory or application? If this is not the case, then any guidance as to what I have configured wrong will be greatly appreciated.


    Thanks in advance,
    Mark

    Contents of Web.Config follow:
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>

      <location>
        <system.web>
          <compilation defaultLanguage="vb" debug="true" />

          <customErrors mode="Off" />

          <authentication mode="Forms">
            <forms name=".rootAccessCookie" loginUrl="Login.aspx" protection="All" timeout="30" path="/" />
          </authentication>

          <authorization>
            <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
          </authorization>

          <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />

          <sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
          />

          <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

        </system.web>
      </location>

      <location path="Admin/">
        <system.web>

          <compilation defaultLanguage="vb" debug="true" />

          <customErrors mode="Off" />

          <authentication mode="Forms">
            <forms name=".adminAccessCookie" loginUrl="Admin/Login.aspx" protection="All" timeout="30" path="Admin/" />
          </authentication>

          <authorization>
            <deny users="?" /> <!-- Deny all unauthenticated/unauthorized users -->
          </authorization>

          <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />

          <sessionState
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
            cookieless="false"
            timeout="20"
          />

          <globalization requestEncoding="utf-8" responseEncoding="utf-8" />

        </system.web>
      </location>

    </configuration>
    Mark Teague, Mar 21, 2005
    #1

  2. Hello Mark,

    You so far only used <deny users="?" />.

    There are also <allow users=".." /> and <allow roles=".." />.

    To give different users different access rights to your application, you
    have to couple the users with roles. A common place to do this is in the
    AuthenticateRequest event in global.asax or an HttpModule.

    your web.config could look like this then:

    <location path="Admin/">
      <system.web>
        <authorization>
          <allow roles="Admin" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    for an example how to do it - you can download this sample:
    http://www.leastprivilege.com/content/binary/FormsAuthBestPractice.zip


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Mar 22, 2005
    #2
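The pattern Dominick describes, worked through as an added example (this is not code from the thread or from the linked sample, and it assumes C# rather than the VB the original config compiles): an HttpModule that runs in the AuthenticateRequest stage, pulls the roles out of the forms-authentication ticket's UserData, and replaces Context.User with a GenericPrincipal so that `<allow roles="Admin" />` inside `<location path="Admin">` has something to match. The module name `Example.RoleModule`, the helper `IssueTicket`, and the role name "Admin" are assumptions for illustration; the accompanying root web.config is included as a leading comment, with a single `<forms>` element at application level, which is the only place ASP.NET accepts it.

```csharp
// Added example; not code from the thread. Assumes a compiled HttpModule named
// Example.RoleModule registered in web.config, and a Login.aspx that calls
// RoleModule.IssueTicket after verifying credentials against your own store.
//
// Root web.config to go with it. <authentication> stays at application level
// (putting it under <location> is what produced the error in the original
// post), and the Admin folder is restricted by role, not by a second <forms>:
//
//   <system.web>
//     <authentication mode="Forms">
//       <forms name=".siteAuth" loginUrl="Login.aspx" protection="All"
//              timeout="30" path="/" />
//     </authentication>
//     <authorization>
//       <deny users="?" />          <!-- anonymous users go to Login.aspx -->
//     </authorization>
//     <httpModules>
//       <add name="RoleModule" type="Example.RoleModule" />
//     </httpModules>
//   </system.web>
//   <location path="Admin">
//     <system.web>
//       <authorization>
//         <allow roles="Admin" />   <!-- rules are evaluated top-down; first match wins -->
//         <deny users="*" />        <!-- everyone else, authenticated or not -->
//       </authorization>
//     </system.web>
//   </location>
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace Example
{
    public class RoleModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // FormsAuthenticationModule has already set Context.User from the
            // cookie by the time this handler runs; we only enrich it with roles.
            app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        }

        public void Dispose() { }

        private void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
                return;                              // anonymous: <deny users="?" /> handles it

            FormsIdentity identity = ctx.User.Identity as FormsIdentity;
            if (identity == null)
                return;                              // not a forms ticket (e.g. Windows auth)

            // Roles were written into the ticket's UserData at login. With
            // protection="All" the ticket is encrypted and MACed by the server,
            // so a client cannot add "Admin" to its own cookie.
            string[] roles = SplitRoles(identity.Ticket.UserData);
            ctx.User = new GenericPrincipal(identity, roles);
        }

        // Turns the stored "Admin,Editor" string back into a role array; empty
        // UserData yields no roles rather than one empty-string role.
        public static string[] SplitRoles(string userData)
        {
            if (userData == null || userData.Length == 0)
                return new string[0];
            return userData.Split(',');
        }

        // Called by Login.aspx after the password check succeeds. Roles come from
        // your user store; "Admin" is only an assumed name matching the config
        // above. FormsAuthentication.SetAuthCookie is not used because it cannot
        // carry UserData.
        public static void IssueTicket(HttpResponse response, string userName,
                                       string[] roles, bool persistent)
        {
            FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
                1,                                   // ticket version
                userName,
                DateTime.Now,
                DateTime.Now.AddMinutes(30),         // keep equal to <forms timeout="30">
                persistent,
                String.Join(",", roles),             // UserData: the role list
                FormsAuthentication.FormsCookiePath);

            HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                               FormsAuthentication.Encrypt(ticket));
            cookie.Path = FormsAuthentication.FormsCookiePath;
            cookie.Secure = true;                    // assumes the site is served over HTTPS
            if (persistent)
                cookie.Expires = ticket.Expiration;
            response.Cookies.Add(cookie);
        }
    }
}
```

With this in place a user whose ticket carries "Admin" can request URLs under /Admin; any other authenticated user is rejected by `<deny users="*" />`, and forms authentication turns that rejection into the same redirect to Login.aspx that anonymous users get, since the application has only one `<forms>` element. Two caveats a practitioner should check: the role list is frozen into the ticket when it is issued, so revoking a role only takes effect after the ticket expires or the user signs out (or after you also consult the user store on each request); and the expiry passed to the ticket constructor must match the `<forms timeout>` value, otherwise the cookie and the ticket disagree about the session length.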