
ASP.NET web.config authorization 403 errors

Admin of a new ASP.NET web solution.

The web.config file has me puzzled, and I couldn't find anything like this on the web. 2 Questions:

Does this look right?

<authentication mode="Forms">
    <forms loginUrl="Authentication/SignIn.aspx" timeout="121" slidingExpiration="true" cookieless="UseCookies" />
</authentication>
<authorization>
    <deny users="?" />
    <allow users="*" />
</authorization>

Specifically, does the deny followed by the allow make any sense? Why would you have a deny followed by allow everyone?

Second question: Further down in the web.config we allow unauthenticated users access to the following page.

<location path="Error.aspx">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>

I need to allow access to a particular query parameter, to prevent 403 errors for unauthenticated users.

Example: www.abc.com/?value=Test

<location path="?value=Test">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>

That doesn't work, which I didn't expect it to. The problem is that I have normal clients for whom www.abc.com redirects to the login page, which is healthy and working. But I have SSO clients that use a query parameter to route them to their specific login page.

Specifically, does the deny followed by the allow make any sense? Why would you have a deny followed by allow everyone?

Yes, it makes perfect sense here. Note that two different wildcards are used there.

The ? means anonymous, not yet authenticated requests.

The * means any requests, authenticated or not.

Rules are inspected in order.

The two, in this particular order, make the engine redirect only unauthenticated requests and pass all other (here: authenticated) requests.

I need to allow access to a particular query parameter, to prevent 403 errors for unauthenticated users.

If you need this query parameter on any request URI then you are out of luck. This is not easy here since you already have the two rules defined above. These two will always apply and there's no easy (declarative) way of turning off this

<deny users="?" />

conditionally, based upon a query string parameter.

But I have SSO clients that use a query parameter to route them to their specific login page.

Makes sense; however, you will probably have to redesign your approach.

If I understand correctly, you want the two rules to always apply, but if a specific query string parameter is present on a URI, you want to turn the two rules off.

What I would do here is have my own custom authorization module that would replace the authorization rules put in web.config.

This authorization module would raise a 401 status code from the AuthorizeRequest event in the pipeline for any unauthenticated request that is sent to anything other than the login page and the error page. The two exceptions (login and error) are consistent with your definition of how authorization would work. But if the query string argument is found, you skip this.

Because 401 is raised in the pipeline before a handler is executed, the ASP.NET runtime would not render any pages but will proceed with the pipeline until it reaches the end request event. This is where you check if 401 was raised and if this is so, you replace 401 with 200 and redirect to the login page.

Depending on whether or not the above sounds difficult, you could either have this working quickly or you will need some time to write such an authorization module. Drop a note if you need further advice.
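The module sketched in the answer above, written out as an added example; it is not code from the original question or answer. It assumes the login page `~/Authentication/SignIn.aspx` and error page `~/Error.aspx` from the question, a routing parameter named `value` (from the `www.abc.com/?value=Test` example), and that SSO clients land on the site root. Because any URL carrying the parameter would otherwise skip authorization, the bypass is deliberately limited to the root page rather than granted on every path; the class and constant names are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical HttpModule that replaces the declarative
//   <deny users="?" /> / <allow users="*" />
// rules. Anonymous requests get a 401 from AuthorizeRequest unless they
// target the login page, the error page, or the SSO landing page with the
// routing parameter. At EndRequest the 401 becomes a redirect to the Forms
// login page, as FormsAuthenticationModule does for the built-in rules.
public class SsoAwareAuthorizationModule : IHttpModule
{
    // Assumed values; adjust to the real paths and parameter name.
    private const string SsoQueryParameter = "value";
    private const string DeniedKey = "SsoAwareAuthorizationModule.Denied";
    private static readonly string[] AnonymousPaths =
    {
        "~/Authentication/SignIn.aspx",
        "~/Error.aspx",
    };
    // The request the SSO parameter is allowed on (site root, with or
    // without the default document). Widening this list to every path
    // would turn "?value=..." into a universal authentication bypass.
    private static readonly string[] SsoLandingPaths = { "~/", "~/Default.aspx" };

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Equivalent of <allow users="*" />: authenticated callers pass.
        if (ctx.User != null && ctx.User.Identity != null && ctx.User.Identity.IsAuthenticated)
            return;

        if (IsAllowedAnonymously(ctx.Request))
            return;

        // Equivalent of <deny users="?" />: set 401 and skip straight to
        // EndRequest so no handler (page) ever executes for this request.
        ctx.Response.StatusCode = 401;
        ctx.Items[DeniedKey] = true;
        app.CompleteRequest();
    }

    internal static bool IsAllowedAnonymously(HttpRequest request)
    {
        string path = request.AppRelativeCurrentExecutionFilePath;

        foreach (string allowed in AnonymousPaths)
            if (string.Equals(path, allowed, StringComparison.OrdinalIgnoreCase))
                return true;

        // SSO clients arrive at the root with ?value=...; only the presence of
        // the parameter matters here, its content is not trusted for anything.
        bool hasSsoParameter = request.QueryString[SsoQueryParameter] != null;
        if (!hasSsoParameter)
            return false;

        foreach (string landing in SsoLandingPaths)
            if (string.Equals(path, landing, StringComparison.OrdinalIgnoreCase))
                return true;

        return false;
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Only act on the 401 this module raised. If FormsAuthenticationModule
        // has already converted it into a redirect, the status is no longer 401
        // and this is a no-op.
        if (ctx.Response.StatusCode != 401 || !ctx.Items.Contains(DeniedKey))
            return;

        // Replace the 401 with a redirect to the configured login page and
        // carry the original URL as ReturnUrl, mirroring Forms authentication.
        string loginUrl = FormsAuthentication.LoginUrl;
        string returnUrl = HttpUtility.UrlEncode(ctx.Request.RawUrl);
        ctx.Response.Redirect(loginUrl + "?ReturnUrl=" + returnUrl, false);
    }
}
```

To use it, drop the `<deny users="?" />` line from the `<authorization>` section (otherwise the built-in UrlAuthorizationModule still rejects anonymous requests before this module's exception logic is ever consulted), keep `<allow users="*" />`, and register the module under `<system.webServer><modules>` with an `<add name="..." type="SsoAwareAuthorizationModule" />` entry. The `<location path="Error.aspx">` block becomes redundant because the error page is listed in `AnonymousPaths`.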

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
