
Restrict access to file/folder in web.config

I've tried all manner of variations in trying to restrict access to a folder, from the simplest of denying access to all users and just granting access to myself to trying a combination of roles/users etc. In particular, the folder has a mix of aspx and html files.

Can anyone assist? Here's pretty much what I have based on other similar questions:

<configuration>
    <system.web>
        <!-- mode=[Windows|Forms|Passport|None] -->
        <authentication mode="Windows" />
    </system.web>
    <system.webServer>
        <handlers>
            <add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" />
        </handlers>
    </system.webServer>
    <location path="AdminOnly">
        <system.web>
            <authorization>
                <deny users="*" />
                <allow users="domain\user1, domain\user2, domain\user3" />
                <allow roles="domain\role1, domain\role2" />
            </authorization>
        </system.web>
    </location>
</configuration>

EDIT: The solution has presented itself at last.

It was a combination of understanding the authorization segment (thanks to Tetsuya for the helpful tip in relation to ordering authorization rules), including the handler segment and also configuring the application pool for managed code.

It seems you have the wrong order in composing the authorization element: the allow part must be declared first, to allow certain users and certain roles before denying everything else.

So the construction below is wrong, because denying all users is resolved before the defined users are allowed:

<location path="AdminOnly">
    <system.web>
        <authorization>
            <deny users="*" />
            <allow users="domain\user1, domain\user2, domain\user3" />
            <allow roles="domain\role1, domain\role2" />
        </authorization>
    </system.web>
</location>

The correct order should be like this:

<location path="AdminOnly">
    <system.web>
        <authorization>
            <allow roles="role1, role2" />
            <allow users="user1, user2, user3" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>

In the reference section, Guru Sarkar explains what goes wrong:

Common Mistakes

I have seen people complaining that they have set up their roles correctly and also made an entry in their web.config, but still their authorization doesn't work. Even though they have allowed access to their role, that user cannot access the particular page/folder. The common reason for that is placing <deny ../> before <allow ../>. Since authorization is done from top to bottom, rules are checked until a match is found.

Reference:

Setting authorization rules for a particular page or folder in web.config
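To make the ordering rule concrete, here is an added example (not part of the original question or answers) that simulates ASP.NET URL authorization's top-to-bottom, first-match evaluation over the two <authorization> blocks discussed above; the user and role names are constructed samples.

```python
"""Simulate ASP.NET URL authorization: <authorization> rules are evaluated
top to bottom and the FIRST rule that matches the caller decides.
Added example, not code from the original post. User and role names are
constructed samples."""
import xml.etree.ElementTree as ET

# The questioner's order: deny-all comes first, so no later allow is reached.
WRONG_ORDER = """
<authorization>
  <deny users="*" />
  <allow users="domain\\user1, domain\\user2, domain\\user3" />
  <allow roles="domain\\role1, domain\\role2" />
</authorization>"""

# The order from the answer: specific allows first, then deny everyone else.
RIGHT_ORDER = """
<authorization>
  <allow roles="domain\\role1, domain\\role2" />
  <allow users="domain\\user1, domain\\user2, domain\\user3" />
  <deny users="*" />
</authorization>"""


def _names(attr):
    """Split a comma-separated users/roles/verbs attribute, case-insensitive."""
    return {n.strip().lower() for n in attr.split(",") if n.strip()}


def _rule_matches(rule, user, roles, verb):
    """A rule matches when its users or roles list covers the caller and its
    verbs attribute (if present) covers the HTTP verb.
    '*' means everyone, '?' means anonymous (empty user name)."""
    verbs = _names(rule.get("verbs", ""))
    if verbs and verb.lower() not in verbs:
        return False
    users = _names(rule.get("users", ""))
    if "*" in users or ("?" in users and not user) or user.lower() in users:
        return True
    return bool(_names(rule.get("roles", "")) & {r.lower() for r in roles})


def is_authorized(config_xml, user, roles=(), verb="GET"):
    """First matching rule wins. With no match at all, ASP.NET falls back to
    the machine-level default rule, which allows everyone."""
    for rule in ET.fromstring(config_xml.strip()):
        if _rule_matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True
```

Run `is_authorized(WRONG_ORDER, "domain\\user1")` and every caller, even a listed user, is denied; with `RIGHT_ORDER` the listed users and roles get in and everyone else hits the final deny.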

Can you try creating a new web.config in your specific folder and adding this to that folder's web.config to restrict all users?

<?xml version="1.0"?>
<configuration>
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
</configuration>
