How do I set up a Web Forms application with Identity and OWIN to deny all pages except the login?
This configuration in web.config does not work for me:
<system.web>
  <authorization>
    <deny users="*"/>
  </authorization>
  <authentication mode="None"/>
</system.web>
Error message: The request filtering module is configured to deny a request where the query string is too long.
OWIN startup class:
public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, Usuario>(
                validateInterval: TimeSpan.FromMinutes(0),
                regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
        }
    });
}
Project structure
Edit:
In the web.config inside the Account folder there is this configuration:
<configuration>
  <location path="Manage.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
This works for the Manage.aspx page.
I do not want to do this for every page. I want to put it in the global web.config of the site.
I experimented a lot with Web.config and always had errors as already described here. Then I gave it up and just added a filter to Global.asax:
protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    string cTheFile = HttpContext.Current.Request.Path;
    // Skip the check for paths ending in "Login" (the login page)
    if (!cTheFile.EndsWith("Login"))
    {
        // Anything else requires an authenticated user
        if (HttpContext.Current.User == null ||
            HttpContext.Current.User.Identity == null ||
            !HttpContext.Current.User.Identity.IsAuthenticated)
        {
            Response.Redirect("~/Account/Login", true);
            Response.End();
            return;
        }
    }
}
This worked well for me, although I'm not sure if it is an optimal solution.
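An added example, not part of the answer above: the same allow-only-the-login-page decision written as an exact, case-insensitive match against an allowlist, next to the suffix test for comparison, because `EndsWith("Login")` also lets through any other path that happens to end in those characters and misses a lowercase `/account/login`. The class and method names and the sample paths are constructed for illustration; the allowlist assumes the application is hosted at the site root with the `LoginPath` of `/Account/Login` from the question.

```csharp
using System;
using System.Collections.Generic;

// Added example, not the answer's code. The allowlist entries are assumptions
// based on LoginPath = "/Account/Login" from the question's OWIN startup.
public static class AnonymousAccess
{
    // Paths an unauthenticated request may reach. Compared case-insensitively
    // so that "/account/login" is treated the same as "/Account/Login".
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "/Account/Login",
            "/Account/Login.aspx"
        };

    // Exact match on the whole path instead of a suffix test.
    public static bool IsAllowed(string requestPath)
    {
        if (string.IsNullOrEmpty(requestPath)) return false;
        // Tolerate trailing slashes such as "/Account/Login/".
        string path = requestPath.TrimEnd('/');
        return Allowed.Contains(path);
    }

    // The suffix test from the answer, kept only for comparison.
    public static bool SuffixCheck(string requestPath)
    {
        return requestPath.EndsWith("Login");
    }

    public static void Main()
    {
        // Constructed sample paths.
        string[] samples =
        {
            "/Account/Login", "/account/login", "/Account/Login.aspx",
            "/Account/Login/", "/Reports/LastLogin", "/Account/Manage"
        };
        foreach (string p in samples)
        {
            Console.WriteLine("{0,-22} suffix={1,-5} exact={2}",
                p, SuffixCheck(p), IsAllowed(p));
        }
    }
}
```

In Global.asax, `IsAllowed(HttpContext.Current.Request.Path)` would take the place of the `EndsWith` condition.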
You can just configure it in your web.config like this:
<system.web>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
</system.web>
<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
EDIT: Added configuration for extra long request string
If your request becomes too long, you can add this in your web.config to overcome the problem:
<system.webServer>
  <security>
    <requestFiltering>
      <requestLimits maxQueryString="nnn"/>
    </requestFiltering>
  </security>
</system.webServer>
I hope this fixes it now.