newbie -- forms authentication

Dan

Hello, I'm experimenting with VS2003 and ASP.NET and I have an issue with
forms authentication: I have created a VS solution and added to it a new web
application project; then I added some dummy pages to the project. Now I'd
like to protect an administrative section of this dummy website, so I
created a new folder named "admin" in my webapp project (in VS2003,
right-clicking the project and selecting Add/New Folder). I have then placed
in this folder (adding new items to the VS project):

1) a login web form (login.aspx).
2) a dummy HTML page hyperlinked by some root (unrestricted-access) pages.
3) a Web.config file to override the default (root) settings, with the
following code:

<system.web>
<authentication mode="Forms">
<forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All"
timeout="30">
<credentials passwordFormat="Clear">
<user name="Mickey" password="Mouse"/>
</credentials>
</forms>
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>

Now when I click the hyperlink to the protected (i.e. under path admin/)
HTML page, the login form is NOT invoked and I can access the page as if it
had no protection. What am I doing wrong?

Thanks guys...
 
G

Guest

We actually tried your code and it works fine. Maybe if it helps, here's the
content of our test web.config file.

Kind regards,
Nikander & Margriet Bruggeman

<?xml version="1.0" encoding="utf-8" ?>
<configuration>

<system.web>

<!-- DYNAMIC DEBUG COMPILATION
Set compilation debug="true" to enable ASPX debugging. Otherwise, setting this value to
false will improve runtime performance of this application.
Set compilation debug="true" to insert debugging symbols (.pdb information)
into the compiled page. Because this creates a larger file that executes
more slowly, you should set this value to true only when debugging and to
false at all other times. For more information, refer to the documentation about
debugging ASP.NET files.
-->
<compilation defaultLanguage="c#" debug="true" />

<!-- CUSTOM ERROR MESSAGES
Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off"
to disable.
Add <error> tags for each of the errors you want to handle.

"On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running
on the local Web server. This setting is recommended for security purposes, so
that you do not display application detail information to remote clients.
-->
<customErrors mode="RemoteOnly" />

<!-- AUTHENTICATION
This section sets the authentication policies of the application. Possible modes
are "Windows", "Forms", "Passport" and "None"

"None" No authentication is performed.
"Windows" IIS performs authentication (Basic, Digest, or Integrated Windows)
according to its settings for the application. Anonymous access must be
disabled in IIS.
"Forms" You provide a custom form (Web page) for users to enter their credentials,
and then you authenticate them in your application. A user credential
token is stored in a cookie.
"Passport" Authentication is performed via a centralized authentication service
provided by Microsoft that offers a single logon and core profile services
for member sites.
-->
<!--authentication mode="Windows" /-->

<authentication mode="Forms">
<forms name=".ASPXAUTH" path="/" loginUrl="login.aspx" protection="All"
timeout="30">
<credentials passwordFormat="Clear">
<user name="Mickey" password="Mouse"/>
</credentials>
</forms>
</authentication>


<!-- AUTHORIZATION
This section sets the authorization policies of the application. You can allow or
deny access to application resources by user or role. Wildcards: "*" means
everyone, "?" means anonymous (unauthenticated) users.
-->

<authorization>
<deny users="?" />
<!-- allow users="*" /--> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>

<!-- APPLICATION-LEVEL TRACE LOGGING
Application-level tracing enables trace log output for every page within an
application.
Set trace enabled="true" to enable application trace logging. If
pageOutput="true", the trace information will be displayed at the bottom of each page.
Otherwise, you can view the application trace log by browsing the "trace.axd" page
from your web application root.
-->
<trace
enabled="false"
requestLimit="10"
pageOutput="false"
traceMode="SortByTime"
localOnly="true"
/>

<!-- SESSION STATE SETTINGS
By default ASP.NET uses cookies to identify which requests belong to a particular
session.
If cookies are not available, a session can be tracked by adding a session
identifier to the URL.
To disable cookies, set sessionState cookieless="true".
-->
<sessionState
mode="InProc"
stateConnectionString="tcpip=127.0.0.1:42424"
sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
cookieless="false"
timeout="20"
/>

<!-- GLOBALIZATION
This section sets the globalization settings of the application.
-->
<globalization
requestEncoding="utf-8"
responseEncoding="utf-8"
/>

</system.web>

</configuration>
 
P

Patrice

Is the root folder an IIS application? In this case the web.config file is
not taken into account...

Patrice
 
P

Patrice

I meant that the root needs to be an IIS application to take this config
file into account...

Dan

Thank you all guys, I tried some fixes but it still does not work... The
subdirectory "admin" is just a directory of the unique (root) web
application, but this should not harm, as suggested by the article pointed to by
Andy. I tried to follow this article by making the following changes:

1) remove the web.config file in admin subdir
2) add forms authentication to the root web.config file, and a <location>
tag to specify that the admin subdir should be protected, as follows:

---> in <configuration> / <system.web> tree of the root config file:

<authentication mode="Forms">
<forms name=".ASPXAUTH" path="/" loginUrl="FrmLogin.aspx" protection="All"
timeout="30">
<credentials passwordFormat="Clear">
<user name="Mickey" password="Mouse"/>
</credentials>
</forms>
</authentication>

<authorization>
<allow users="*" />
</authorization>

<location path="admin">
<authorization>
<deny users="?"/>
</authorization>
</location>

Anyway, I still get the same results, i.e. all works fine but no protection
is active for any file under the admin folder. I can add here the whole process
of creating the sample application so that someone can try reproducing
the issue; maybe there is something wrong with my approach, as I have changed
the VS2003 default location because I need ALL my web app files in my local
drive folder. Here is how I created the web application (see
http://www.codeproject.com/useritems/ASPNET_projects.asp):

1. I create my project folder in my local drive, e.g. C:\MyProject.

2. I create a folder named "www" inside C:\MyProject (=C:\MyProject\www),
where all the apps files will be stored.

3. In IIS I create a new virtual directory making it point to
C:\MyProject\www.

4. In VS2003 I create a new Blank Solution and save it in C:\MyProject, so
that if its name is Dummy its physical folder will be C:\MyProject\Dummy.

5. In VS2003 I add a New Project to the blank solution, making it point to
http://localhost/myproject.

If you then change the root web.config file as specified above and create an
admin folder, place some page into it and hyperlink it from the root folder
you should access it with no protection, which is of course wrong. Any idea?
 
G

Guest

Dan, you can only protect .aspx pages this way, as .html, etc. bypasses the
whole process. Is your dummy page .aspx?

Bill
 
A

Andy Sutorius

Dan,

Make sure that your location tag is between the </system.web> and
</configuration> tags. I have been working on the same scenario as you for
the past 3 days. Hopefully we can get you up and running today. I see that
you were missing the <system.web> tag from your location tag. Also make sure
that you have your login page in the root directory. I think you had the
rest of it right. No web.config in the admin folder just the files you want
to protect.

Take a look at mine, www.sutorius.com/psyche, click one of the hyperlinks
and type in user1 for the username and password.

My web.config in the root directory
<configuration>
<system.web>
</system.web>

<location path="admin" allowOverride="true">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

</configuration>

Andy
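Added example, not code from Dan, Andy, Bill or any other poster: a small Python check that models the two pitfalls this thread settles, a <location> element that is not a direct child of <configuration> or lacks its own <system.web> wrapper (so ASP.NET 1.1 ignores it), and Bill's point that files not mapped to ASP.NET, such as .html, never reach forms authentication. The two sample configs and the extension list are constructed assumptions based on a default .NET 1.1 install.

```python
import xml.etree.ElementTree as ET
from posixpath import splitext
# Constructed samples (not pasted from the thread): the mis-nested layout of
# Dan's second post, with <location> inside <system.web>, and Andy's corrected one.
BROKEN_CONFIG = """<configuration><system.web>
<authentication mode="Forms"><forms loginUrl="login.aspx"/></authentication>
<authorization><allow users="*"/></authorization>
<location path="admin"><authorization><deny users="?"/></authorization></location>
</system.web></configuration>"""
FIXED_CONFIG = """<configuration><system.web>
<authentication mode="Forms"><forms loginUrl="login.aspx"/></authentication>
<authorization><allow users="*"/></authorization>
</system.web><location path="admin"><system.web>
<authorization><deny users="?"/></authorization>
</system.web></location></configuration>"""
# Assumption: default .NET 1.1 IIS script maps; only these extensions reach ASP.NET.
ASPNET_EXTENSIONS = {".aspx", ".asmx", ".ashx", ".ascx", ".asax"}

def child(parent, tag):
    return next((c for c in parent if c.tag == tag), None)

def lint_location_placement(xml_text):
    """Report <location> elements that ASP.NET 1.1 would silently ignore."""
    root, problems = ET.fromstring(xml_text), []
    for loc in root.iter("location"):
        where = '<location path="%s">' % loc.get("path", "")
        if loc not in list(root):
            problems.append(where + " is not a direct child of <configuration>")
        if child(loc, "system.web") is None:
            problems.append(where + " lacks a <system.web> wrapper around its rules")
    return problems

def anonymous_denied(xml_text, request_path):
    """Simplified UrlAuthorizationModule: is an anonymous request sent to login?"""
    if splitext(request_path)[1].lower() not in ASPNET_EXTENSIONS:
        return False  # IIS serves .html and friends itself; forms auth never runs
    root, rel, rule_sets = ET.fromstring(xml_text), request_path.strip("/").lower(), []
    for loc in root:  # only direct children of <configuration> are honoured
        lp = loc.get("path", "").strip("/").lower()
        if loc.tag == "location" and (rel == lp or rel.startswith(lp + "/")):
            sw = child(loc, "system.web")
            if sw is not None and child(sw, "authorization") is not None:
                rule_sets.append(child(sw, "authorization"))
    root_sw = child(root, "system.web")
    if root_sw is not None and child(root_sw, "authorization") is not None:
        rule_sets.append(child(root_sw, "authorization"))
    for auth in rule_sets:  # folder rules before root rules, each top-down
        for rule in auth:
            if {"?", "*"} & {u.strip() for u in rule.get("users", "").split(",")}:
                return rule.tag == "deny"
    return False  # implicit <allow users="*"/> when nothing matches
```

Running the linter over the broken layout reports two problems and the anonymous check shows why Dan saw no protection: the root <allow users="*"/> is the only rule ASP.NET ever evaluates, and an .html page in admin/ is never checked at all.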
 
D

Dan

Thank you both guys, I have finally managed to get it to work! The problem was
in the position of the <location> section in the XML file; frankly I find
this <system.web> tag a bit confusing in the general doc structure, but now
I know how to deal with it. Also, I did not know that the protection
mechanism was limited to aspx pages; anyway, I was trying with an aspx one.
Thanks again to you all and have a nice day!
 
D

Dennis Dobslaf

Dan said:
> Thank you both guys, I have finally managed to get it to work! The problem was
> in the position of the <location> section in the XML file; frankly I find
> this <system.web> tag a bit confusing in the general doc structure, but now
> I know how to deal with it. Also, I did not know that the protection
> mechanism was limited to aspx pages; anyway, I was trying with an aspx one.
> Thanks again to you all and have a nice day!

Hello. Regarding Dan's problem, I have nearly the same. But it's
not the wrong position in the web.config file. I really don't know the
solution. Maybe you can help me...

I have a WebApplication with no subdirectories to secure. On my local
computer it works fine. I followed the steps of the MSDN (I cannot find
the URL yet, but it works locally).
First I created a Webapplication with a few aspx sites. Then I added the
authentication and authorization tags to my web.config file and I created
a login.aspx. After compiling the project the browser tries to connect
to the default.aspx and redirects to the login.aspx (as expected).
That's the local computer (running WinXP Pro, Visual Studio 2002,
.NET Framework (1.1?), IIS).

For another project I have to develop a new solution on a (test-)server.
I did the same steps as described above. And it doesn't work! I asked the
employees here and a few dotnet boards, but I can't get any solution
right now. The server is running Win2k3 Server, Visual Studio 2003,
.NET Framework (1.1), IIS, WSS(!). Maybe there's a possible problem (the
WSS). We have another server without WSS, where the authentication works
fine. Do you know what I have to do so that it works on the server with
WSS too? Or any other solution?

Thanks!