Problem with web.config access-restricted subdirectory

Discussion in 'ASP .Net Security' started by David Pyper, Jan 21, 2004.

  1. David Pyper

    David Pyper Guest

    Hi,

    I have a problem with web.config unsuccessfully controlling access to
    a subdirectory. I'm using VS03 and IIS5.0 on NT2K. I have been able
    to reproduce this behaviour on two machines (the 2nd being a WXP
    machine) and both times I'm having the same result.

    I created a simplified example to illustrate the problem. Here's the
    directory structure:

    /
    /Parent
    /Parent/Child


    In the /Parent directory, I have 3 files: web.config, Login.aspx and
    Default.aspx. In Child I just have Default.aspx. In both directories
    there's a bin/ directory that contains Parent.dll and Child.dll (I'm
    using code-behind files). Only Login.aspx has a code-behind (in vb)
    which I'll show below.

    Here's the code from /Parent/web.config:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
    <system.web>
    <compilation defaultLanguage="vb" debug="true" />
    <customErrors mode="RemoteOnly" />
    <authentication mode="Forms">
    <forms loginUrl="/Parent/Login.aspx" />
    </authentication>
    <authorization>
    <deny users="?" />
    <allow users="*" />
    </authorization>
    <trace enabled="false" requestLimit="10" pageOutput="false"
    traceMode="SortByTime" localOnly="true" />
    <sessionState
    mode="InProc"
    stateConnectionString="tcpip=127.0.0.1:42424"
    sqlConnectionString="data
    source=127.0.0.1;Trusted_Connection=yes"
    cookieless="false"
    timeout="20"
    />
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    </system.web>
    <location allowOverride="false" path="Child">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>
    </configuration>


    And now here's the contents of /Parent/Default.aspx:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Default.aspx.vb" Inherits="Parent._Default" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>Default Page</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    This is the default page.
    </form>
    </body>
    </HTML>


    And now the content of /Parent/Login.aspx:


    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Login.aspx.vb" Inherits="Parent.Login" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>Login Page</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    <asp:TextBox id="txtUser" runat="server">Username</asp:TextBox>
    <asp:TextBox id="txtPassword" runat="server">Password</asp:TextBox>
    <asp:Button id="btnSubmit" runat="server"
    Text="Submit"></asp:Button>
    </form>
    </body>
    </HTML>


    And now the code for /Parent/Login.aspx.vb:


    Imports System.Web.Security

    Public Class Login
    Inherits System.Web.UI.Page

    #Region " Web Form Designer Generated Code "

    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub
    InitializeComponent()

    End Sub
    Protected WithEvents txtUser As System.Web.UI.WebControls.TextBox
    Protected WithEvents txtPassword As
    System.Web.UI.WebControls.TextBox
    Protected WithEvents btnSubmit As System.Web.UI.WebControls.Button

    'NOTE: The following placeholder declaration is required by the
    Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
    System.EventArgs) Handles MyBase.Init
    'CODEGEN: This method call is required by the Web Form
    Designer
    'Do not modify it using the code editor.
    InitializeComponent()
    End Sub

    #End Region

    Private Sub btnSubmit_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles btnSubmit.Click

    FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)

    End Sub

    End Class



    And now finally /Parent/Child/Default.aspx:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="WebForm1.aspx.vb" Inherits="Child._Default" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>WebForm1</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    This is the default child page.
    </form>
    </body>
    </HTML>


    So to re-iterate, only Login.aspx has any code-behind functionality.
    Now that all that's all clear, here's what happens. When I access
    /Parent/Default.aspx, I am redirected to
    http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Default.aspx,
    which is what I expected would happen. I click btnSubmit and a cookie
    is set (.ASPXAUTH) and I'm redirected to /Parent/Default.aspx, also as
    expected. Now the problem: when I access /Parent/Child/Default.aspx,
    I'm redirected back to
    http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Child/Default.aspx
    and prompted for the login again. That's unexpected. I expect that
    once I login to /Parent/Login.aspx I should be able to access
    /Parent/Child/Default.aspx. But even when I re-login to
    /Parent/Login.aspx, the redirect still brings me back to
    http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Child/Default.aspx.

    Can someone please shed some light here? What am I not getting?

    Thanks!

    David Pyper, Jan 21, 2004
    #1
    1. Advertising

  2. I think you should delete the <location> entry. This should be triggering
    the login page when you acces the /Parent/Child/Default.aspx page. There is
    a good article about this here:

    http://www.theserverside.net/articles/article.aspx?l=FormAuthentication


    Regards,
    Hernan.

    --
    Hernan de Lahitte - MSDE
    Lagash Systems S.A. - Buenos Aires, Argentina
    http://www.lagash.com



    "David Pyper" <> wrote in message
    news:...
    > Hi,
    >
    > I have a problem with web.config unsuccessfully controlling access to
    > a subdirectory. I'm using VS03 and IIS5.0 on NT2K. I have been able
    > to reproduce this behaviour on two machines (the 2nd being a WXP
    > machine) and both times I'm having the same result.
    >
    > I created a simplified example to illustrate the problem. Here's the
    > directory structure:
    >
    > /
    > /Parent
    > /Parent/Child
    >
    >
    > In the /Parent directory, I have 3 files: web.config, Login.aspx and
    > Default.aspx. In Child I just have Default.aspx. In both directories
    > there's a bin/ directory that contains Parent.dll and Child.dll (I'm
    > using code-behind files). Only Login.aspx has a code-behind (in vb)
    > which I'll show below.
    >
    > Here's the code from /Parent/web.config:
    >
    > <?xml version="1.0" encoding="utf-8" ?>
    > <configuration>
    > <system.web>
    > <compilation defaultLanguage="vb" debug="true" />
    > <customErrors mode="RemoteOnly" />
    > <authentication mode="Forms">
    > <forms loginUrl="/Parent/Login.aspx" />
    > </authentication>
    > <authorization>
    > <deny users="?" />
    > <allow users="*" />
    > </authorization>
    > <trace enabled="false" requestLimit="10" pageOutput="false"
    > traceMode="SortByTime" localOnly="true" />
    > <sessionState
    > mode="InProc"
    > stateConnectionString="tcpip=127.0.0.1:42424"
    > sqlConnectionString="data
    > source=127.0.0.1;Trusted_Connection=yes"
    > cookieless="false"
    > timeout="20"
    > />
    > <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    > </system.web>
    > <location allowOverride="false" path="Child">
    > <system.web>
    > <authorization>
    > <deny users="?" />
    > </authorization>
    > </system.web>
    > </location>
    > </configuration>
    >
    >
    > And now here's the contents of /Parent/Default.aspx:
    >
    > <%@ Page Language="vb" AutoEventWireup="false"
    > Codebehind="Default.aspx.vb" Inherits="Parent._Default" trace="True"%>
    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > <HTML>
    > <HEAD>
    > <title>Default Page</title>
    > <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    > <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    > <meta name="vs_defaultClientScript" content="JavaScript">
    > <meta name="vs_targetSchema"
    > content="http://schemas.microsoft.com/intellisense/ie5">
    > </HEAD>
    > <body>
    > <form id="Form1" method="post" runat="server">
    > This is the default page.
    > </form>
    > </body>
    > </HTML>
    >
    >
    > And now the content of /Parent/Login.aspx:
    >
    >
    > <%@ Page Language="vb" AutoEventWireup="false"
    > Codebehind="Login.aspx.vb" Inherits="Parent.Login" trace="True"%>
    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > <HTML>
    > <HEAD>
    > <title>Login Page</title>
    > <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    > <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    > <meta name="vs_defaultClientScript" content="JavaScript">
    > <meta name="vs_targetSchema"
    > content="http://schemas.microsoft.com/intellisense/ie5">
    > </HEAD>
    > <body>
    > <form id="Form1" method="post" runat="server">
    > <asp:TextBox id="txtUser" runat="server">Username</asp:TextBox>
    > <asp:TextBox id="txtPassword" runat="server">Password</asp:TextBox>
    > <asp:Button id="btnSubmit" runat="server"
    > Text="Submit"></asp:Button>
    > </form>
    > </body>
    > </HTML>
    >
    >
    > And now the code for /Parent/Login.aspx.vb:
    >
    >
    > Imports System.Web.Security
    >
    > Public Class Login
    > Inherits System.Web.UI.Page
    >
    > #Region " Web Form Designer Generated Code "
    >
    > 'This call is required by the Web Form Designer.
    > <System.Diagnostics.DebuggerStepThrough()> Private Sub
    > InitializeComponent()
    >
    > End Sub
    > Protected WithEvents txtUser As System.Web.UI.WebControls.TextBox
    > Protected WithEvents txtPassword As
    > System.Web.UI.WebControls.TextBox
    > Protected WithEvents btnSubmit As System.Web.UI.WebControls.Button
    >
    > 'NOTE: The following placeholder declaration is required by the
    > Web Form Designer.
    > 'Do not delete or move it.
    > Private designerPlaceholderDeclaration As System.Object
    >
    > Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
    > System.EventArgs) Handles MyBase.Init
    > 'CODEGEN: This method call is required by the Web Form
    > Designer
    > 'Do not modify it using the code editor.
    > InitializeComponent()
    > End Sub
    >
    > #End Region
    >
    > Private Sub btnSubmit_Click(ByVal sender As System.Object, _
    > ByVal e As System.EventArgs) Handles btnSubmit.Click
    >
    > FormsAuthentication.RedirectFromLoginPage(txtUser.Text, False)
    >
    > End Sub
    >
    > End Class
    >
    >
    >
    > And now finally /Parent/Child/Default.aspx:
    >
    > <%@ Page Language="vb" AutoEventWireup="false"
    > Codebehind="WebForm1.aspx.vb" Inherits="Child._Default" trace="True"%>
    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    > <HTML>
    > <HEAD>
    > <title>WebForm1</title>
    > <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    > <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    > <meta name="vs_defaultClientScript" content="JavaScript">
    > <meta name="vs_targetSchema"
    > content="http://schemas.microsoft.com/intellisense/ie5">
    > </HEAD>
    > <body>
    > <form id="Form1" method="post" runat="server">
    > This is the default child page.
    > </form>
    > </body>
    > </HTML>
    >
    >
    > So to re-iterate, only Login.aspx has any code-behind functionality.
    > Now that all that's all clear, here's what happens. When I access
    > /Parent/Default.aspx, I am redirected to
    > http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Default.aspx,
    > which is what I expected would happen. I click btnSubmit and a cookie
    > is set (.ASPXAUTH) and I'm redirected to /Parent/Default.aspx, also as
    > expected. Now the problem: when I access /Parent/Child/Default.aspx,
    > I'm redirected back to
    >

    http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Child/Default.aspx
    > and prompted for the login again. That's unexpected. I expect that
    > once I login to /Parent/Login.aspx I should be able to access
    > /Parent/Child/Default.aspx. But even when I re-login to
    > /Parent/Login.aspx, the redirect still brings me back to
    >

    http://localhost/Parent/Login.aspx?ReturnUrl=/Parent/Child/Default.aspx.
    >
    > Can someone please shed some light here? What am I not getting?
    >
    > Thanks!
    >
    >
    Hernan de Lahitte, Jan 22, 2004
    #2
    1. Advertising

  3. David Pyper

    David Pyper Guest

    Hernan,

    Thanks for your advice. I read the article and tried to implement its
    recommendations, but without any success. I also tried your
    recommendation of removing the <location> tags but that didn't produce
    any results either.

    I am starting to believe that the <location> tag does not do what its
    documentation says it can do. No matter what I try to do, I can't
    seem to get back to my Child/Default page.

    I would really appreciate hearing from anyone who can shed more light
    on implementing the <location> tag in a parent IIS application
    directory and have it successfully control a child IIS application
    directory. The documentation yields a lot of promise but the reality
    seems to be somewhat less.

    Thanks,

    David
    David Pyper, Jan 23, 2004
    #3
  4. David Pyper

    David Pyper Guest

    Hi,

    This message is intended for anyone that happens to read this thread
    in an attempt to implement web.config's <location> restriction. The
    problems I had were due to the fact that while web.config can impose
    its restrictions on a subdirectory, it cannot do so on a subdirectory
    that has its own assembly. In order to successfully impose access
    restrictions to subdirectories, the served content has to share the
    same assembly (typically located in /bin).

    To illustrate this, you create an IIS application either through
    Visual Studio or through Internet Services Manager. The web.config
    should be modified to include a section that looks like the following:

    <authentication mode="Forms">
    <forms loginUrl="/Parent/Login.aspx" />
    </authentication>

    <authorization>
    <deny users="?" />
    <allow users="*" />
    </authorization>

    Then (and this is where I went wrong) you create a subdirectory in
    /Parent (either through Explorer, Visual Studio, -- right-click on
    project in Solution Explorer, select Add then New Folder, and name it
    what you want -- or however else you create subdirs) and then add your
    served content (like .aspx files). Here's my /Parent/Default.aspx:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Default.aspx.vb" Inherits="Parent._Default" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>Default</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    This is the default page.
    </form>
    </body>
    </HTML>

    And now /Parent/Login.aspx

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Login.aspx.vb" Inherits="Parent.Login" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>Login</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    <asp:Button id="btnLogin" runat="server" Text="Login"></asp:Button>
    </form>
    </body>
    </HTML>

    And now the code-behind of /Parent/Login.aspx:

    Imports System.Web.Security

    Public Class Login
    Inherits System.Web.UI.Page

    #Region " Web Form Designer Generated Code "

    'This call is required by the Web Form Designer.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub
    InitializeComponent()

    End Sub
    Protected WithEvents btnLogin As System.Web.UI.WebControls.Button

    'NOTE: The following placeholder declaration is required by the
    Web Form Designer.
    'Do not delete or move it.
    Private designerPlaceholderDeclaration As System.Object

    Private Sub Page_Init(ByVal sender As System.Object, ByVal e As
    System.EventArgs) Handles MyBase.Init
    'CODEGEN: This method call is required by the Web Form
    Designer
    'Do not modify it using the code editor.
    InitializeComponent()
    End Sub

    #End Region

    Private Sub btnLogin_Click(ByVal sender As System.Object, _
    ByVal e As System.EventArgs) Handles btnLogin.Click

    FormsAuthentication.RedirectFromLoginPage(Session.SessionID.ToString,
    False)

    End Sub

    End Class

    And finally the access-restricted /Parent/Child/Default.aspx file:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Default.aspx.vb" Inherits="Parent._Default1"
    trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
    <HEAD>
    <title>Default</title>
    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
    <meta name="vs_defaultClientScript" content="JavaScript">
    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
    </HEAD>
    <body>
    <form id="Form1" method="post" runat="server">
    This is the default child page.
    </form>
    </body>
    </HTML>

    Any attempt to access /Parent/Child/Default.aspx without being
    authenticated redirects you to /Parent/Login.aspx. Click the Login
    button, and you're now authenticated and redirected to
    /Parent/Child/Default.aspx. Works like clockwork.

    I hope that helps. I wish the documentation on web.config made that
    clearer, it could have saved me a lot of grief. For some reason this
    distinction, if made, is not clear and the point is not made despite
    that I suspect it's a common problem for many.

    Good luck!

    David
    David Pyper, Jan 27, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. CSharpner
    Replies:
    0
    Views:
    1,010
    CSharpner
    Apr 9, 2007
  2. Keith R
    Replies:
    2
    Views:
    431
    =?Utf-8?B?QklUUyBlcnJvciBjb2RlIC0yMTQ3MDI0ODkxIG9y
    Apr 24, 2007
  3. =?Utf-8?B?Znc=?=
    Replies:
    4
    Views:
    669
    Juan T. Llibre
    Oct 3, 2007
  4. VSK

    web.config in subdirectory related query

    VSK, Sep 25, 2003, in forum: ASP .Net Security
    Replies:
    1
    Views:
    101
    Johan Normén NSQAURED2
    Sep 26, 2003
  5. Grant Harmeyer

    Web.Config and subdirectory *location* security

    Grant Harmeyer, Jul 20, 2004, in forum: ASP .Net Security
    Replies:
    2
    Views:
    213
    Grant Harmeyer
    Jul 21, 2004
Loading...

Share This Page