Preventing user access to internal folders

shahab


Dear friends,
How can I limit users' access to internal folders of my .NET site?
I mean that nobody should be able to see the ../a.aspx :rolleyes: :)
(Form based please)
Thanks
 
i'm sure there are many more complicated and unnecessary-overhead ways to totally rewrite all of .NET's built-in security

but not that i am aware of..... it takes about 20-30 mins to code Role-based, FormsAuthentication security into a site (copy and paste code from that CodeProject article)
 
I know that 20 min is not a long time. But I had programmed my own security policy, so it is not possible to renew everything.
I had read that article before; now my question about the article:
I choose to put a separate Web.config file in each secure sub-directory, which is simply the <authorization/> section like so:

<configuration>
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
is it possible to change this web.config like this:
<allow roles="All the logined users"/>
without implementing the whole aspects of form based?
I mean that the only thing that I need is preventing user access to internal folders. ;) :cool:
 
yes, it is very possible...

<deny users="?"/>

will keep out any users that do not have a valid Authorization ticket.....

you sound like you are already half way there, the ONLY thing in that whole process in the article you need to worry about is writing the ticket (simple encrypted cookie, but it's all automatic if you just call the built in methods)
 
the ONLY thing in that whole process in the article you need to worry about is writing the ticket (simple encrypted cookie, but it's all automatic if you just call the built in methods)
Oh my god, do you know that this answer means that I have to implement the role-based built-in?
Have you ever thought about it? I believe that it is either 1 or 0, and I chose 0 (non built-in). So I must design everything in the page_load of all webforms ;)
 
Well... if you use the Integrated Windows Security... It shall make it a lot more simple, no? However NS doesn't work with this (who uses NS again?).

But If you want to have fun then... set your auth to Form and let's rock!
 
shahab said:
Oh my god, do you know that this answer means that I have to implement the role-based built-in?
Have you ever thought about it? I believe that it is either 1 or 0, and I chose 0 (non built-in). So I must design everything in the page_load of all webforms ;)
what??

so you are saying in every single page you code you do some complicated security check? yuck, what bad bad bad bad design :(

ah well.... sorry i tried to help..... good luck with it.... personally i think you are screwed with whatever concatenation of security you have going on and should look to use some built in .NET stuff.... but that's just my 2 cents
 
Authentication with IIS

shahab said:
What do you mean?
Go in your IIS settings

Configuration Panel/Administrator Tools/ IIS Manager

And in it you have your website.
  • Right-Click, Properties
  • Directory Security
  • Click on "Anonymous access and Authentication Control" (the button beside :D)
  • Here is where Integrated Windows Authentication is.
But the person will have to log on to the machine with a username and password that is ON THE SERVER.

If you are interested or need more information. Just tell me.

By the way...
You'll have to change your Web.Config
Code:
	<authentication mode="Windows" />
	<authorization>
		<deny users="?"/>
		<allow users="*" />
	</authorization>

If you want to make your OWN security system, it must be:
Code:
	<authentication mode="Forms" />
	<authorization>
		<deny users="?"/>
		<allow users="*" />
	</authorization>

Form is like saying to IIS: "Hey, don't authenticate anyone! I'll do it and I'll determine who has access to what!"
More customizable but a lot more work.

More info !? Let me know !
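
An added example, not code from any poster in this thread or from the CodeProject article they mention: it keeps a site's own credential check and only uses the built-in forms ticket to gate a folder, which is the combination the replies above describe. The folder name `Internal`, the page `Login.aspx`, the control names and the `CheckCredentials` hook are all assumptions.

```csharp
// Root Web.config assumed by this example ("Internal" is a hypothetical folder):
//
//   <configuration>
//     <system.web>
//       <authentication mode="Forms">
//         <forms loginUrl="Login.aspx" />
//       </authentication>
//     </system.web>
//     <location path="Internal">
//       <system.web>
//         <authorization>
//           <deny users="?" />  <!-- "?" = anonymous: no valid ticket, no access -->
//         </authorization>
//       </system.web>
//     </location>
//   </configuration>

using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for the hypothetical Login.aspx (two TextBoxes, a Label, a Button).
public class Login : Page
{
    protected TextBox UserName;
    protected TextBox Password;
    protected Label Message;

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        if (CheckCredentials(UserName.Text, Password.Text))
        {
            // Writes the encrypted forms-authentication cookie and redirects to
            // the page originally requested (the ReturnUrl query parameter).
            // false = session cookie only, not persisted across browser restarts.
            FormsAuthentication.RedirectFromLoginPage(UserName.Text, false);
        }
        else
        {
            Message.Text = "Invalid user name or password.";
        }
    }

    // Hypothetical hook for the site's existing, home-grown user check.
    // Fails closed: until it is wired to the real user store, nobody gets a ticket.
    protected virtual bool CheckCredentials(string user, string password)
    {
        return false;
    }
}
```

With this in place no per-page check in `Page_Load` is needed for the folder, since ASP.NET rejects anonymous requests before the page runs. The rule only covers requests that ASP.NET handles, so on IIS setups where static files are not routed through ASP.NET those files are not protected by it.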
 