Re: Problem with web.config access-restricted subdirectory

From: David Pyper (David.Pyper_at_MUHC.McGill.CA)
Date: 01/27/04

    Date: 27 Jan 2004 12:40:34 -0800
    
    

    Hi,

    This message is intended for anyone that happens to read this thread
    in an attempt to implement web.config's <location> restriction. The
    problems I had were due to the fact that while web.config can impose
    its restrictions on a subdirectory, it cannot do so on a subdirectory
    that has its own assembly. In order to successfully impose access
    restrictions to subdirectories, the served content has to share the
    same assembly (typically located in /bin).

    To illustrate this, you create an IIS application either through
    Visual Studio or through Internet Services Manager. The web.config
    should be modified to include a section that looks like the following:

    <authentication mode="Forms">
        <forms loginUrl="/Parent/Login.aspx" />
    </authentication>

    <authorization>
        <deny users="?" />
        <allow users="*" />
    </authorization>

    Then (and this is where I went wrong) you create a subdirectory in
    /Parent (either through Explorer, Visual Studio, -- right-click on
    project in Solution Explorer, select Add then New Folder, and name it
    what you want -- or however else you create subdirs) and then add your
    served content (like .aspx files). Here's my /Parent/Default.aspx:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Default.aspx.vb" Inherits="Parent._Default" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
            <HEAD>
                    <title>Default</title>
                    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
                    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
                    <meta name="vs_defaultClientScript" content="JavaScript">
                    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
            </HEAD>
            <body>
                    <form id="Form1" method="post" runat="server">
                            This is the default page.
                    </form>
            </body>
    </HTML>

    And now /Parent/Login.aspx

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Login.aspx.vb" Inherits="Parent.Login" trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
            <HEAD>
                    <title>Login</title>
                    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
                    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
                    <meta name="vs_defaultClientScript" content="JavaScript">
                    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
            </HEAD>
            <body>
                    <form id="Form1" method="post" runat="server">
                            <asp:Button id="btnLogin" runat="server" Text="Login"></asp:Button>
                    </form>
            </body>
    </HTML>

    And now the code-behind of /Parent/Login.aspx:

    Imports System.Web.Security

    Public Class Login
        Inherits System.Web.UI.Page

    #Region " Web Form Designer Generated Code "

        'This call is required by the Web Form Designer.
        <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()

        End Sub
        Protected WithEvents btnLogin As System.Web.UI.WebControls.Button

        'NOTE: The following placeholder declaration is required by the
        'Web Form Designer.
        'Do not delete or move it.
        Private designerPlaceholderDeclaration As System.Object

        Private Sub Page_Init(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles MyBase.Init
            'CODEGEN: This method call is required by the Web Form Designer
            'Do not modify it using the code editor.
            InitializeComponent()
        End Sub

    #End Region

        Private Sub btnLogin_Click(ByVal sender As System.Object, _
            ByVal e As System.EventArgs) Handles btnLogin.Click

            FormsAuthentication.RedirectFromLoginPage(Session.SessionID.ToString, False)

        End Sub

    End Class

    And finally the access-restricted /Parent/Child/Default.aspx file:

    <%@ Page Language="vb" AutoEventWireup="false"
    Codebehind="Default.aspx.vb" Inherits="Parent._Default1"
    trace="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML>
            <HEAD>
                    <title>Default</title>
                    <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
                    <meta name="CODE_LANGUAGE" content="Visual Basic .NET 7.1">
                    <meta name="vs_defaultClientScript" content="JavaScript">
                    <meta name="vs_targetSchema"
    content="http://schemas.microsoft.com/intellisense/ie5">
            </HEAD>
            <body>
                    <form id="Form1" method="post" runat="server">
                            This is the default child page.
                    </form>
            </body>
    </HTML>

    Any attempt to access /Parent/Child/Default.aspx without being
    authenticated redirects you to /Parent/Login.aspx. Click the Login
    button, and you're now authenticated and redirected to
    /Parent/Child/Default.aspx. Works like clockwork.

    I hope that helps. I wish the documentation on web.config made that
    clearer, it could have saved me a lot of grief. For some reason this
    distinction, if made, is not clear and the point is not made despite
    that I suspect it's a common problem for many.

    Good luck!

    David
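
Added example, not part of David Pyper's post: a small Python model of how ASP.NET URL authorization treats an anonymous request when the single-application layout described above carries a `<location path="Child">` block, with the most specific rules checked first and the first matching rule winning. The sample web.config is constructed, the `<location>` block and the function names are assumptions, and `roles`/`verbs` attributes are not modeled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one application rooted at /Parent. The <location> block
# is an assumption added for illustration; the post's own snippet has none.
WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/Parent/Login.aspx" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="Child">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""

def _rules(node):
    """Return [(verb, [users])] from node's system.web/authorization, in file order."""
    authz = node.find("system.web/authorization")
    if authz is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in authz if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, rel_path):
    """True if an anonymous request to rel_path (relative to the app root) passes."""
    root = ET.fromstring(config_xml)
    target = rel_path.strip("/").lower() + "/"
    # <location> blocks whose path is a directory prefix of the request, longest first
    locs = [l for l in root.findall("location")
            if target.startswith(l.get("path", "").strip("/").lower() + "/")]
    locs.sort(key=lambda l: len(l.get("path", "")), reverse=True)
    ordered = [r for l in locs for r in _rules(l)] + _rules(root)
    for verb, users in ordered:
        if "?" in users or "*" in users:  # both tokens match an anonymous caller
            return verb == "allow"
    return True  # machine-level default is <allow users="*" />
```

Swapping the two rules inside the `<location>` block makes `allow users="*"` match first, so the subdirectory is no longer protected; rule order is worth checking in any review of such a config.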

