.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
david stephan
Gaurav Pal
Post New Web Links

Authorization tag in Web.Config in MVC folder

Posted By:      Posted Date: September 23, 2010    Points: 0   Category :ASP.Net

I created a new MVC Web Application (not the empty one -- the one with the Account controller stuff).

I created a new folder under Views and placed a new View in it.

I created a Controller for the Folder.

I created a web.config in the Folder and used this content:

 <?xml version="1.0"?>
      <deny users="?" />

When I run the app, I can visit my new View even though I'm an anonymous user.

What gives? Do the web.config authorization rules not apply to MVC? Do I have to do something to the Controller or to the web.config or to the root web.config?

Help is appreciated.



View Complete Post

More Related Resource Links

Help with authorization in web.config to deny access to files in a folder



I have a web site that has a folder called Files that contains PDF files.  These PDF files should not be accessible to people who have not signed in to the web site. 

The login URL is www.mysite.com/Account/Login.aspx and the register URL is www.mysite.com/Account/Register.aspx. 

Once the person is signed in they can go to www.mysite.com/Documents/Documents.aspx.  This page has a gridview that lists the PDF files in the Files folder with a link to them.  If the person is not signed in, he/she can't view this Documents.aspx page.  However, if anyone has the URL to the PDF files, they can view those files without having to sign in.

How can I prevent someone from accessing the PDF files in this folder?

The site is hosted on GoDaddy using IIS 6.0.

Thanks in advance.

How in web.config work in MVC



I would like to secure any URL below the http://MyServer/Admins and limit it to a specific role.

In webforms it was straight forward. I just put a child web.config in the /Admin/ folder and add <authorization>  <allow roles> tags to it.

How would be the equivalent technique in MVC?

Thank you,


Why are folder web.config files excluded?

I am asking this mainly out of curiosity. When access rules are created for folders using WSAT, web.config files are generated in these folders. I thought these rules should be deployed with the application (It is at least the case for all my applications), but these file are not included after creation so they are not deployed by default. What is the rationale behind this?

My master page won't load when using authorization in web.config

I don't have any sub catalogs for the .aspx files and this is my web.config file:<system.web> <compilation debug="true" targetFramework="4.0" /> <authentication mode="Forms"> <forms loginUrl="Login.aspx" name="sqlAuthCookie" timeout="60" /> </authentication> <authorization> <deny users="?" /> <allow users="*" /> </authorization> </system.web> It's as if the Login.aspx won't grab the Site.Master if I add this authorization.I get directed to the Login.aspx if I try to enter any other page, but without seeing the master page.Is this enough info to solve this or do you need to know how the other pages looks like? Let me know!Thanks in advance.Niklas

Web.config Authorization Roles with Local Groups with Domain Groups in them


I am "Domain\MyDomainUserName"

If I do this:

      <allow users="Domain\MyDomainUserName" />
      <deny users="*" />

I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:

      <allow roles="BUILTIN\Administrators" />
      <deny users="*" />

I can still access the website; and with my domain account in a Domain Group named "Domain\DomainLocalSecurityGroup", if I do this:

      <allow roles="DOMAIN\DomainLocalSecurityGroup" />
      <deny users="*" />

I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "Domain\MyDomainUser

Clean Web.Config Files (VS 2010 and .NET 4.0 Series)

.NET 4 includes a new version of the CLR, and a new .NET 4 specific machine.config file (which is installed side-by-side with the one used by .NET 2, .NET 3 and .NET 3.5).

The new .NET 4 machine.config file now automatically registers all of the ASP.NET tag sections, handlers and modules that we've added over the years, including the functionality for:

.ASP.NET Dynamic Data
.ASP.NET Routing (which can now be used for both ASP.NET WebForms and ASP.NET MVC)
.ASP.NET Chart Control (which now ships built-into ASP.NET V4)
What this means is that when you create a new "Empty ASP.NET application" project in VS 2010, you'll find that the new default application-level web.config file is now clean and simple:

URL Authorization



I have 2 tables with foreign key and other requrired things to get the use data from the logged in user name.

When i visit the page that should shows the logged in user name information, I get the error of return nothing nullexception etc...

I did set the url authorization on this page and now getting (unauthorized access)

I used the login page with login control and from its propreties i did made a destination page is the (information.aspx) it is the page i want to show the user data and did the url authorization on it and it should be permitted for that specific logged in user, but even when i logged in, i still getting the (aunothrized access). 

How can i let this page knows that i am already logged in and accept me as a logged user and same as the one i gave the permit to it in the web.config?


reading values from config files in NUnit tests


One of my NUnit tests has to read in some values from config files.  In my main application this process works perfectly well, however when I run the unit test, the code that reads in the values from the config files doesnt read anything in.  Ive tried putting app.config in my unit test project (I even tried web.config) but nothing seems to work.  Are there any special steps involved when reading from config files in an nunit test ?

NUnit and config files


Ive created an NUnit test project in my solution and have added 3 tests.  They all fail with the same error

SetUp : System.TypeInitializationException : The type initializer for 'Systems.Utils.ConstantHelpers' threw an exception.
  ----> System.NullReferenceException : Object reference not set to an instance of an object.


SetUp : System.TypeInitializationException : The type initializer for 'Systems.Utils.ConstantHelpers' threw an exception.

  ----> System.NullReferenceException : Object reference not set to an instance of an object.

heres the test method

        public void CreateDataContext_ConnectionString_ReturnsDataCon

Modifying connection String in Web config using Install Wizard



Im trying to create a Web Deployment Project, the built in setup and deployment is very good in Visual Studio, i need to able to add an additional step in the setup to change the connection string in the Web config file. Ive seen a lot of articles on how to do this and in particular this http://weblogs.asp.net/scottgu/archive/2007/06/15/tip-trick-creating-packaged-asp-net-setup-programs-with-vs-2005.aspx#7162670 I am however stuck on the final part of this tutorial, im using the code Scott provided but have two errors,  heres part of my code where the errors are

using System;
using System.Configuration;
using System.Configuration.Install;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.DirectoryServices;

 void ConfigureDatabase(string targetSite, string targetVDir, string connectionString)
            // Retrieve "Friendly Site Name" from IIS for TargetSite
            DirectoryEntry entry = new DirectoryEntry("IIS://LocalHost/" + targetSit

Web deployment project - web.config section replacement does not add remove tag


I have a web application that is actually installed as a component of a third party site.  In some configurations, I need to remove certain connection strings and re-add them.  I'm replacing this web.config section with a xml file that includes the following:

      <remove name="MyOverridenConnection"/>
      <add connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MyDb;Data Source=MyServer" name="MyOverridenConnection"

For some reason the remove tag is left out during the substitution and I end up with the following in the installed config:

      <add connectionString="Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=MyDb;Data Source=MyServer" name="MyOverridenConnection"

Is there any way to issue removes in replaced sec

Claims-Based Apps: Claims-Based Authorization with WIF


Over the past few years, federated security models and claims-based access control have become increasingly popular. Platform tools in this area have also come a long way. Windows Identity Foundation (WIF) is a rich identity model framework designed for building claims-based applications and services and for supporting active and passive federated security scenarios.

Michele Leroux Bustamante

MSDN Magazine November 2009

Service Station: Authorization In WCF-Based Services


Windows Communication Foundation (WCF) provides an easy role-based system and a more powerful and complex claims-based API for implementing authorization in services.

Dominick Baier and Christian Weyer

MSDN Magazine October 2008

The ASP Column: What's in ASP.NET Config Files?


Even though you've been using ASP. NET for a while, how much do you really know about ASP. NET configuration files? While you've probably touched the Web. config file from time to time, there are some nuances involved in configuring ASP.

George Shepherd

MSDN Magazine September 2004

Authorize It: Use Role-Based Security in Your Middle Tier .NET Apps with Authorization Manager


Authorization Manager in Windows Server 2003 represents a significant improvement in the administration of role-based security, making it more scalable, flexible, and easier to implement. Using Authorization Manager, you can define roles and the tasks those roles can perform. You can nest roles to inherit characteristics from other roles, and you can define application groups. In addition, Authorization Manager lets you use scripts to modify permissions dynamically, and it allows you to wrap your security logic in a security policy that can be stored in Active Directory. Authorization Manager also includes an easy-to-use API for running access checks. The author discusses all of these topics and demonstrates them with a working sample.

Keith Brown

MSDN Magazine November 2003

Copying files to a folder on web server



I have few files in FolderA on the web server.

I want the users to select a fews files from FolderA and copy them to FolderB on the same web server.

I want to list all the files in FolderA and allow the user to select a few files and copy.

I want to copy the files programatically when the user selects a few files and click on Copy button.

How to copy the files quickly from folderA to FolderB?




Razor View Engine and Add Namespace in Web.Config Problem



I am working on a MVC project with Razor view engine and I have the following:


This only works if I have on the same view the following:

  @using SquishIt.Framework;

However, on my Web.Config I have the following:


      <!-- Namespaces -->
        <add namespace="System"/>
        <add namespace="System.Web.Mvc"/>
        <add namespace="System.Web.Mvc.Ajax"/>
        <add namespace="System.Web.Mvc.Html"/>
        <add namespace="System.Web.Routing"/>
        <add namespace="Microsoft.Web.Mvc"/>
        <add namespace="SquishIt.Framework"/>


So if "SquishIt.Framework" namespace is added on Web.Config why do I need to have the @using on the view?

ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend