
Deny all pages without login on Asp.net Web Forms with Identity Framework and Owin

How do I set up a web forms application with identity and owin to deny all pages except the login?

This configuration in web.config does not work for me:

<system.web>
  <authorization>
    <deny users="*"/>
  </authorization>
  <authentication mode="None"/>
</system.web>

Error message: The request filtering module is configured to deny a request where the query string is too long.

OWIN startup class:

public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, Usuario>(
                validateInterval: TimeSpan.FromMinutes(0),
                regenerateIdentity: (manager, user) => manager.GenerateUserIdentityAsync(user))
        }
    });
}

[Image: project structure]

Edit:

In the web.config inside the Account folder there is this configuration:

<configuration>

  <location path="Manage.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

</configuration>

This works for the Manage.aspx page.

I do not want to do this for every page. I want to put it in the global web.config of the site.

asked Nov 07 '14 16:11 by Copo


2 Answers

I experimented a lot with Web.config and always had errors as already described here. Then I gave up and just added a filter to Global.asax:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
  string cTheFile = HttpContext.Current.Request.Path;
  if (!cTheFile.EndsWith("Login"))
  {
    if (HttpContext.Current.User == null || 
      HttpContext.Current.User.Identity == null || 
      !HttpContext.Current.User.Identity.IsAuthenticated)
    {
      Response.Redirect("~/Account/Login", true);
      Response.End();
      return;
    }
  }
}

This worked well for me, although I'm not sure if it is an optimal solution.

answered Sep 29 '22 15:09 by Boris Zinchenko
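
The `EndsWith("Login")` test in the answer above is case-sensitive and lets any path whose last characters are `Login` through without authentication. As an added example (not the answerer's code), here is the same Global.asax filter with an exact, case-insensitive allow-list; the class name, the allow-listed paths and the static-asset folders are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: Global.asax.cs code-behind (class name is an assumption).
public class Global : HttpApplication
{
    // Assumption: these are the only pages that must be reachable anonymously.
    // "~/Account/Login" matches the LoginPath in the question's OWIN setup;
    // the ".aspx" form covers requests that do not use friendly URLs.
    private static readonly HashSet<string> AnonymousPaths =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "~/Account/Login",
            "~/Account/Login.aspx"
        };

    // Assumption: static assets needed by the login page live under these folders.
    private static readonly string[] AnonymousPrefixes = { "~/Content/", "~/Scripts/" };

    internal static bool IsAnonymousAllowed(string appRelativePath)
    {
        if (AnonymousPaths.Contains(appRelativePath)) return true;
        foreach (string prefix in AnonymousPrefixes)
        {
            if (appRelativePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Same hook as the answer above. Assumption: the OWIN cookie middleware
    // has already set the current user when this handler runs.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // App-relative form ("~/Account/Login") does not depend on the virtual directory.
        string path = Request.AppRelativeCurrentExecutionFilePath;
        if (IsAnonymousAllowed(path)) return;

        if (!Request.IsAuthenticated)
        {
            // endResponse: false avoids the ThreadAbortException; CompleteRequest
            // skips the remaining pipeline stages, so the page handler never runs.
            Response.Redirect("~/Account/Login", false);
            CompleteRequest();
        }
    }
}
```

Because the login path is matched exactly, a request for it never redirects back to itself, which is the condition that produces an ever-growing query string.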


You can just configure it in your web.config like this:

<system.web>
    <authorization>
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
</system.web>
<location path="Login.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>

EDIT: Added configuration for extra long request string

If your request becomes too long, you can add this in your web.config to overcome the problem:

<system.webServer>
  <security>
     <requestFiltering>
         <requestLimits maxQueryString="nnn"/>
     </requestFiltering>
  </security>
</system.webServer>

I hope this fixes it now.

answered Sep 29 '22 15:09 by Chris