
I'm trying to deny access to files and folders for anonymous users via web.config for the application folder "/" and allow access to special controller paths ("Shared", "Verfolgung").

The configuration for the path "Shared" works, but access to "Verfolgung" requires authentication.

Maybe you can tell me what's wrong?

Regards, float

part of web.config:

<authentication mode="Forms">
   <forms loginUrl="~/Account/LogOn" path="/" protection="All" timeout="2880" />
</authentication>
<location path="Verfolgung">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
<location path="Shared">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

2 Answers


In ASP.NET MVC you should not use the location element in the web.config. Whereas the web forms engine mapped to physical files on disk, the MVC engine uses routing. This means that you could inadvertently allow access to a "protected controller" through a custom route by accident.

The recommended way of securing ASP.NET MVC applications is through the use of the Authorize attribute, as seen in the example below:

using System.Web.Mvc;

public class HomeController : Controller
{
    // Only authenticated users reach this action; anonymous requests are
    // redirected to the Forms loginUrl.
    [Authorize]
    public ActionResult Index()
    {
        return View();
    }
}

The controller action is what you want to protect and not the route. The ASP.NET MVC Security bod, Levi Broderick is rather vocal about this issue:

  1. Excluding an action from authorization in ASP.NET MVC 2
  2. Problem with Authorization with IIS and MVC.
Rebecca
  • Well, I have to share a classic ASP and an MVC project in one folder. So I have to protect the route because in classic ASP there's no routing... – float Apr 26 '11 at 14:56
  • You probably want to split the ASP Webforms pages into a separate location folder and use the web.config to secure it, and the MVC in the way I outlined above using the attribute. Both have very different security arrangements. – Rebecca May 20 '11 at 10:45
  • See my MVC 4 version http://blogs.msdn.com/b/rickandy/archive/2012/03/23/securing-your-asp-net-mvc-4-app-and-the-new-allowanonymous-attribute.aspx – RickAndMSFT Mar 23 '12 at 22:00
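Here is the policy from the question's web.config (everything denied to anonymous users except the "Shared" and "Verfolgung" paths) expressed with filters instead of location elements, as an added example that is not code from this answer or from float's project. It assumes ASP.NET MVC 4, where AllowAnonymous exists (see RickAndMSFT's comment above); the Edit action and the placeholder action bodies are invented for illustration.

```csharp
using System.Web.Mvc;

// Added example (not from the answer); assumes ASP.NET MVC 4's AllowAnonymous.
// Global AuthorizeAttribute: every action denies anonymous users unless
// it opts out, so a custom route cannot accidentally expose one.
// Register from Application_Start: RegisterGlobalFilters(GlobalFilters.Filters).
public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AuthorizeAttribute());
    }
}

// "Shared" from the question: the whole controller is open to anonymous callers.
[AllowAnonymous]
public class SharedController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}

// "Verfolgung": only Details is public; Edit stays behind the global filter.
// Action bodies are placeholders.
public class VerfolgungController : Controller
{
    [AllowAnonymous]
    public ActionResult Details(int id)
    {
        return View();
    }

    public ActionResult Edit(int id)
    {
        return View();
    }
}

// The login action must itself be anonymous, or the Forms redirect to
// ~/Account/LogOn (the loginUrl in the question's web.config) would loop.
public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult LogOn()
    {
        return View();
    }
}
```

Because the decision is attached to the action rather than to a URL prefix, it holds no matter which route (including the hardcoded one discussed in the other answer's comments) reaches the controller.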

Try this,

<location path="Verfolgung">
    <system.web>
        <authorization>
            <deny users="?"/>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
Furqan Hameedi
  • Hi, that doesn't work. I'm getting forwarded to the LogOn page. – float Mar 02 '11 at 07:51
  • @float: try defining a hardcoded route for this controller, e.g. routes.MapRoute("Verfolgung","{controller}/{action}/{id}", new { controller = "Verfolgung", action = "Index", }); – Furqan Hameedi Mar 02 '11 at 08:03
  • I added this code line (with the action "Details") to the method RegisterRoutes (after the default route) in the Global.asax.cs file. But I'm getting forwarded to the LogOn page. – float Mar 02 '11 at 08:14
  • Try it before the default route. – Furqan Hameedi Mar 02 '11 at 08:15
  • Adding it before the default route starts the controller "Verfolgung" directly when calling the website. This is causing an error, because the controller "Verfolgung" has only the action "Details", which needs an id. – float Mar 02 '11 at 08:38
  • @Furqan I modified the code so that only /Verfolgung/Details will be mapped to the controller Verfolgung with the action Details. Now I'm getting no error, but I still get forwarded to the LogOn page. – float Mar 02 '11 at 09:00