Re: Forms auth / Location element

From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 03/22/05


Date: Tue, 22 Mar 2005 01:46:13 -0800

Hello Mark,

you so far only used deny="?" -

there are also <allow users=".." /> and <allow roles=".." />

to give different users different access rights to your application, you
have to couple the users with roles; a common place to do this is in the
AuthenticateRequest event in global.asax or an HttpModule...

your web.config could look like this then:

<location path="Admin/">
 <system.web>
 <authorization>
   <allow roles="Admin" />
   <deny users="*" />
 </authorization>
 </system.web>
</location>

for an example of how to do it, you can download this sample:
http://www.leastprivilege.com/content/binary/FormsAuthBestPractice.zip

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
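As an added example that is not part of the original post (and not taken from the linked sample), here is one way to do the user-to-role coupling mentioned above: an HttpModule that handles AuthenticateRequest, reads the forms identity that FormsAuthenticationModule has already established, and replaces the request principal with a GenericPrincipal that carries the user's roles. The namespace, class name and the in-memory role table are constructed for this illustration; a real application would look the roles up in its user store. With roles attached this way, the <location path="Admin/"> block with <allow roles="Admin" /> / <deny users="*" /> shown above is all that is needed, and a single <authentication mode="Forms"> at the root suffices.

```csharp
// Added example, not code from the original post.
// Attaches roles to the forms-authenticated user during AuthenticateRequest
// so that <allow roles="..." /> in web.config can be evaluated per request.
//
// Register in web.config (inside <system.web>):
//   <httpModules>
//     <add name="RoleModule" type="RoleDemo.RoleModule" />
//   </httpModules>
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

namespace RoleDemo   // hypothetical namespace, an assumption of this example
{
    public class RoleModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
        }

        public void Dispose() { }

        private void OnAuthenticateRequest(object sender, EventArgs e)
        {
            HttpApplication app = (HttpApplication)sender;

            // FormsAuthenticationModule runs earlier in this same event and, when the
            // ticket is valid, sets Context.User to a principal wrapping a FormsIdentity.
            IPrincipal user = app.Context.User;
            if (user == null || !user.Identity.IsAuthenticated)
                return;                       // anonymous request: nothing to do
            if (!(user.Identity is FormsIdentity))
                return;                       // some other authentication scheme

            // Swap in a principal that knows the user's roles; UrlAuthorizationModule
            // later calls IsInRole on it when evaluating <allow roles="..." />.
            string[] roles = LookupRoles(user.Identity.Name);
            app.Context.User = new GenericPrincipal(user.Identity, roles);
        }

        // Constructed lookup table for the example; replace with a query against
        // the application's user store.
        internal static string[] LookupRoles(string userName)
        {
            switch (userName.ToLowerInvariant())
            {
                case "alice": return new string[] { "Admin", "User" };
                case "bob":   return new string[] { "User" };
                default:      return new string[0];
            }
        }
    }
}
```

Modules added in web.config are attached after the ones from machine.config, so by the time this handler runs the forms ticket has already been validated and the identity is in place; the module only adds the role information, it never trusts anything from the request itself. Because the lookup happens on every request, a larger site would typically cache the roles or store them in the ticket's UserData when the user logs in.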

> Greetings!
>
> I am attempting to secure the root of an IIS virtual directory and an
> Admin subdirectory separately from one another. At first, I attempted
> to create an additional Web.Config in the /Admin folder to direct
> unauthenticated access attempts to URLs within this directory to a
> different login page. The ASP.Net runtime complained that the
> <authentication/> element should only be used at the root level (or
> perhaps it was the <forms/> element).
>
> After returning to the drawing board, I attempted to create two
> <location/> elements within the root level Web.Config file. The
> contents of the root Web.Config file are inserted below. There are
> two <location/> elements. One for the root of the virtual directory
> and another for the /Admin subdirectory.
>
> Unauthenticated attempts to access root level URLs are properly
> redirected to /Login.aspx. However, once authenticated to this folder
> the client may request any URL within the /Admin folder without being
> subject to the additional authentication/authorization that I would
> like to enforce upon administrative use.
>
> Is it the case that "Forms" based authentication can only be employed
> once during a client's session? (i.e. Once they are authenticated,
> they are authenticated ... period!) And also, that only one form can
> be established for a particular IIS virtual directory or application?
> If this is not the case, then any guidance as to what I have
> configured wrong will be greatly appreciated.
>
> Thanks in advance,
> Mark
> Contents of Web.Config follow:
> <?xml version="1.0" encoding="utf-8" ?>
> <configuration>
> <location>
> <system.web>
> <compilation defaultLanguage="vb" debug="true" />
> <customErrors mode="Off" />
>
> <authentication mode="Forms">
> <forms name=".rootAccessCookie" loginUrl="Login.aspx"
> protection="All" timeout="30" path="/" />
> </authentication>
> <authorization>
> <deny users="?" /> <!-- Deny all unauthenticated/unauthorized
> users -->
> </authorization>
>
> <trace enabled="false" requestLimit="10" pageOutput="false"
> traceMode="SortByTime" localOnly="true" />
>
> <sessionState
> mode="InProc"
> stateConnectionString="tcpip=127.0.0.1:42424"
> sqlConnectionString="data
> source=127.0.0.1;Trusted Connection=yes"
> cookieless="false"
> timeout="20"
> />
> <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
>
> </system.web>
> </location>
> <location path="Admin/">
> <system.web>
> <compilation defaultLanguage="vb" debug="true" />
>
> <customErrors mode="Off" />
>
> <authentication mode="Forms">
> <forms name=".adminAccessCookie" loginUrl="Admin/Login.aspx"
> protection="All" timeout="30" path="Admin/" />
> </authentication>
> <authorization>
> <deny users="?" /> <!-- Deny all unauthenticated/unauthorized
> users -->
> </authorization>
>
> <trace enabled="false" requestLimit="10" pageOutput="false"
> traceMode="SortByTime" localOnly="true" />
>
> <sessionState
> mode="InProc"
> stateConnectionString="tcpip=127.0.0.1:42424"
> sqlConnectionString="data
> source=127.0.0.1;Trusted Connection=yes"
> cookieless="false"
> timeout="20"
> />
> <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
>
> </system.web>
> </location>
> </configuration>
>