Directory based authentication


Saravana

You can go for forms authentication or Windows authentication, then use a
location tag or create a web.config (in that folder) to specify particular
permissions for a specific folder using role-based authorization. For example,
to set permissions on a particular folder using the location tag:
<!-- replace foldername with the folder to protect -->
<location path="foldername">
  <system.web>
    <authorization>
      <allow users="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
 
Have set integrated authentication or basic authentication in IIS. So first
set its authentication mode in IIS, then enable impersonation in web.config.
Then try, it should work.
 
Yup. I did that. I am sorry. I used the calendar to choose a relieving date
[ I am planning to resign from my job next month].
And I accidentally clicked OK :">

SeeSharp
 
Hi SeeSharp,

I have an application that does EXACTLY the same as you - an admin folder with
admin pages that is restricted to a select few. Have you managed to get
your application to work as you wanted? If so, I would be very interested
to know how you did it. Authentication is something I have not yet
mastered.

Cheers,

Paul Hobbs
 
Hi Paul

I disabled anonymous logon to my admin directory. In the access control
list, I add each member whom I want to deny [including anonymous] and deny
all rights to them. The everyone user has all "required" permissions.

SeeSharp
 
What sets the current "user"? For example how do I know if the person is
"Admin"? Where is that set?
 
You assign roles to each user. This has to be done on each request. You set
Context.User to a new GenericPrincipal, and assign roles at the same time.
Then you can check using User.IsInRole.

The downside is, obviously, that you must create a new user on each
request. A better way would be to save all this information in the Session
object. But unfortunately that data isn't accessible from within any of the
Application_Request* events in global.asax. So you basically need to include
a file for checking in every page.

/john
 
Hello all,

I have a set of admin pages which are put in a subfolder called admin inside
my application folder.
I want to limit access to these admin pages.
How can I do this?

In Linux, I can password protect the directory, so that whenever a page
within the admin subfolder is accessed for the first time, an authentication
window pops up asking for username-password. How can I implement the same
in IIS ?

This way I can avoid having to programmatically implement login feature.

Can anyone please throw light on this ?

Thanks
SeeSharp.
 
Thanks Saravana,

But I still get problems. It shows an access denied problem.
I have a parent directory called app. I configured it as a virtual
directory.
I use the IIS configuration tool from control panel, right click app -> all
tasks -> permission wizard -> select new security settings -> public
website.
Now I can access the pages in app folder as http://localhost/app/index1.aspx
In the web.config of the app folder I have the following data:
**********************************************************
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>

<compilation defaultLanguage="c#" debug="true" />
<customErrors mode="RemoteOnly" />
<authentication mode="Windows" />
<trace enabled="false" requestLimit="10" pageOutput="false"
traceMode="SortByTime" localOnly="true" />
<sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;user id=sa;password="
cookieless="false" timeout="20" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
</system.web>
<location path="admin">
<system.web>
<authorization>
<allow users="abcd" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
****************************

I have a subfolder admin in my app folder.
Actually I made it as another application and copied the application's
folder as a subfolder called admin in my app folder.
The admin folder therefore has a web.config too.
But I deleted it so that there is no ambiguity.
I have not made the admin subfolder as a virtual directory.

Now with the above security settings, I should get the files in the
admin folder as http://localhost/app/admin/index1.aspx
It should ask for authentication and when I enter the username password of
user abcd, it should let me in.
But this does not happen.
I get an error.
I tried making the admin subfolder as a virtual directory.
I even tried to retain its web.config and place this within it:
<authorization>
<allow users="abcd" />
<deny users="*" />
</authorization>
In that case it works, but it allows all users in.
Not abcd alone.

Can you please throw light on this ?
Thanks a lot
SeeSharp.
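
The allow/deny ordering discussed in this thread, as an added example that is not part of any post: a simplified Python model of first-match URL authorization, run against a constructed copy of the `<location path="admin">` block above. The helper names and the test identities are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <location> rules from the post above, trimmed to
# the elements that matter for URL authorization.
WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows" />
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="abcd" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _split(value):
    return [s.strip().lower() for s in value.split(",") if s.strip()]

def _rules(system_web):
    """Yield (action, users, roles) for each rule, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    for rule in (auth if auth is not None else []):
        yield rule.tag, _split(rule.get("users", "")), _split(rule.get("roles", ""))

def is_allowed(config_xml, url_path, user=None, roles=()):
    """Simplified first-match model; user=None means an anonymous request.
    Verbs and nested web.config files are not modelled."""
    root = ET.fromstring(config_xml)
    url = url_path.strip("/").lower() + "/"
    # Most specific matching <location> first, then the application-level rules.
    locations = [l for l in root.findall("location")
                 if url.startswith(l.get("path", "").strip("/").lower() + "/")]
    locations.sort(key=lambda l: len(l.get("path", "")), reverse=True)
    chain = [l.find("system.web") for l in locations] + [root.find("system.web")]
    name = user.lower() if user else None
    held = {r.lower() for r in roles}
    for system_web in chain:
        for action, users, rule_roles in _rules(system_web):
            if ("*" in users or (name is None and "?" in users)
                    or (name is not None and name in users)
                    or held & set(rule_roles)):
                return action == "allow"   # first matching rule decides
    return True  # nothing matched: machine-level default <allow users="*"/>
```

In this model names are compared as whole strings, so a rule written for `abcd` does not cover an identity that carries a machine or domain prefix, and swapping the two rules locks out `abcd` as well.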
 