Problem with Authorization and variations in Sharepoint? - sharepoint

Hello i have a website in Sharepoint that is using variations. I have for sites with variation: ES, CA, EU, EN. I use authorization with roles and i put restrictions in the location tag in web.config. This is not working. Everybody can enter es/admin.
<location path="es/admin">
<system.web>
<authorization>
<allow roles="administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
But, if I use one site that is not a variation, for example, like this:
<location path="prueba">
<system.web>
<authorization>
<allow roles="administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
it works, there is a redirection.
If this is not possible, please give alternatives, i use a custom membership provider and role provider, so how can i restrict this site in a variation to only a group?

This is because variations aren't actual locations and so the web.config option won't work - they are a little url trick which defines what is read from the database.

Related

IIS Authorization Rules multiple Groups levels web.config

I am currently using the following in my IIS 10 web.config to limit access to my website.
We have planed to add another group here to give access to some parts of the website to other users.
My questions is what is best approach here?
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="WebSuperUsers" />
</authorization>
</security>
New group needs to have access to index file in root and some other pages located under different folders.

IIS Server: Restrict users to access files of server

I have one server, which allows users to host their web app free of cost.
In server I have 4 different pools.
2 pools are for .Net Framework,
1 pool is for .Net MVC,
1 pool is for .Net Core 3.1
Each pools has 50+ appliations.
For security testing I have created one program, Which takes fullpath/location of file and read that file form IIS server. If any user upload that type of code in my server then they can assess any files.
Now, that is the issue with my server.
Now, I want to do, My users can access only their application resources not other's too.
But, I don't know how to do this.
In order to restrict users to access files in IIS, we could refer to the below configuration in root web.config file.
<location path="myfolder">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<!--for authentication, we should enable either windows authentication or form authentication in IIS authentication module.-->
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
It will restrict everything under Myfolder. In particular, rule out a specific file.
<location path="my.jpg">
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="Administrators" />
</authorization>
</security>
</system.webServer>
</location>
Feel free to let me know if there is anything I can help with.

IIS 10 .Net Authorization woes with AD groups

I'm trying to secure a simple ASP.net website hosted on an internal IIS10 instance so that only a specific AD group can access it.
All my testing (and the final usage) would be internal to the same domain on which the IIS server resides - no external or cross-domain usage will occur.
Within Site Authentication I only have Windows Authentication enabled with a HTTP 401 Challenge response type. Enabled providers are Negotiate and NTLM (in that order), Extended Protection is Off and Kernel-mode authentication is enabled
In .NET Authorisation Rules I have no explicit Deny Rules.
If I add a 'Specified users' Allow Rule for my user account (and thus the user for which I'm testing access to the website) then I am able to access the website. At this point the relevant area of the web.config file looks like this:
<authorization>
<allow users="MYDOMAIN\MYUSERACCOUNT" />
</authorization>
If I remove that Allow Rule and add a 'Specified roles or user groups' Allow Row for an AD group for which my user account is a member of then I am unable to access the website and browsing to it prompts me for a Sign in dialog box which entering my AD credentials then gives a 401 error.
At this point the relevant area of the web.config file looks like this:
<authorization>
<allow roles="MYDOMAIN\AwesomeUsers" />
</authorization>
I've tried changing various Authentication settings (changing the order, disabling Kernel-mode authentication etc), adding the domain groups in the 'allow users' section in the Web.config but I just cant get AD group authentication working.
IIS isn't my strong point so would really appreciate any hints or tips I can try, Thanks! :)
try to use below code:
web.config:
<configuration>
<system.web>
<authentication mode="Windows" />
<authorization>
<allow roles="DOMAIN\ADGROUP" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
applicationHost.config:
<configuration>
<location path="YOUR-APP">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>
</configuration>

web.config forms auth security not working

This is my web config below. All i'm really trying to do is deny all anonymous users to the entire site unless they have the cookie. However, nothing I do seems to be able to make the security work.
I'm using anonymous authentication enabled with application pool identity
and forms auth with cookies. The site always allows users in and it's driving me insane!
Thanks!
<configuration>
<location path=".">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
Any and all help is welcomed!!
If you want to deny access to the whole site, then you don't need a location section. Just put the authentication and authorization sections directly in system.web, like so:
<configuration>
<system.web>
....
<authentication mode="Forms">
<forms loginUrl="~/Login.aspx" timeout="120" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</configuration>

Permissions in "All Site Content" Page

Is there a way to deny the access to the All Site Content" page in SharePoint 2007?
I know I can hide the lists and the link to the page, but users can still access via the URL
Thanks in advance
You can keep out anonymous users with the ViewFormPagesLockDown feature.
But the best suggestion I've seen for keeping out all users is to modify the web.config file:
<location path="_layouts/viewlsts.aspx">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>

Resources