Publishing an ASP.NET site that uses Membership components.
Tuesday, June 17, 2008 10:25
There appears to be a bug in the publishing of ASP.NET sites that use Membership components to a remote web server.
If you create a new Visual Studio 2008 ASP.NET project that uses Membership components, and use the ASP.NET Web Site Administration Tool to secure access to folders within the project, these permissions are, by default, not carried over to the remote location. This will make all secured folders publicly available at the remote site.
Yet, this can be easily fixed.
The root cause is that the ASP.NET Web Site Administration Tool creates small Web.config files in the protected subfolders. These small Web.config files hold the security information of the secured folder.
An example of such a Web.config file:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
This small example restricts access to the folder that holds this Web.config file to users in the Administrator role, and prevents access to this folder for all other roles and users.
Because the ASP.NET Web Site Administration Tool created the Web.config files outside of Visual Studio, Visual Studio does not know of these files. They are simply not part of the project. So if you publish the ASP.NET project to a remote web server, these Web.config files are not published, rendering the affected folders accessible to all users.
The fix is easy:
Go to Visual Studio and right-click the folder you protected using the ASP.NET Web Site Administration Tool. From the menu, click ‘Add’ and choose ‘Existing Item…’. In the ‘Add Existing Item’ dialog that is displayed, browse to the folder you have in your project. Locate the Web.config file in that folder and click on it. Then click on ‘Add’. The file should now appear in the folder of your project.
Select the Web.config file and check the properties. Next to ‘Build Action’ it should read ‘Content’. Next to ‘Copy to Output Directory’ it should read ‘Copy always’.
Repeat this for every folder whose permissions you changed using the ASP.NET Web Site Administration Tool.
If you now publish the project to a remote location, the Web.config files will be published as part of the project and your folders are protected again.
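One way to verify the result after publishing, as an added example that is not part of the original post: it lists folder-level Web.config files that contain authorization rules in the source tree but are missing from a copy of the published site. The function names, the sample folder layout, and the assumption that the published site is reachable as a local or mapped directory are all hypothetical.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the folder-level Web.config shown in the post.
ADMIN_ONLY = """<?xml version="1.0" encoding="utf-8"?>
<configuration><system.web><authorization>
<allow roles="Administrator" /><deny users="*" />
</authorization></system.web></configuration>"""

def has_authorization_rules(path):
    """True if the file is XML containing an <authorization> element with rules."""
    try:
        root = ET.parse(str(path)).getroot()
    except ET.ParseError:
        return False
    # Compare local names so a namespaced <configuration> is handled too.
    return any(el.tag.rsplit("}", 1)[-1] == "authorization" and len(el)
               for el in root.iter())

def relative_files(root):
    """Map lower-cased relative path -> original relative path under root."""
    rels = (p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file())
    return {rel.lower(): rel for rel in rels}

def missing_auth_configs(source_root, published_root):
    """Web.config files with authorization rules in source but absent when published."""
    published = relative_files(published_root)  # compared case-insensitively
    return sorted(
        rel for key, rel in relative_files(source_root).items()
        if key.rsplit("/", 1)[-1] == "web.config" and key not in published
        and has_authorization_rules(Path(source_root, rel)))

def build_sample(base):
    """Create constructed source ("src") and published ("pub") trees under base."""
    layout = {"src/Admin/Web.config": ADMIN_ONLY, "src/Admin/Default.aspx": "",
              "src/Reports/Web.config": ADMIN_ONLY, "src/Web.config": "<configuration />",
              "pub/Admin/Default.aspx": "", "pub/Reports/web.config": ADMIN_ONLY,
              "pub/Web.config": "<configuration />"}
    for rel, text in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return str(Path(base, "src")), str(Path(base, "pub"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(missing_auth_configs(*build_sample(tmp)))
```

Any path it reports is a folder that was published without its access rules; an empty list means every protected folder kept its Web.config.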
