Re: authorization location override



From what I can tell, if you <deny users="*"> at the root, it can't be
overridden. I'm not sure if this is correct. So I allowed anonymous access
to the root directory and then put all of my other files in a new folder and
allowed access for each role and then denied all others.

<system.web>
<authentication mode="Forms">
<forms name="form1" loginUrl="~/Login.aspx" protection="All"></forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="main">
<system.web>
<authorization>
<allow roles="test"/>
<deny users="*" />
</authorization>
</system.web>
</location>

Gene

"Joe Kaplan" wrote:

If you move the unsecure pages to a separate folder and implement the
location tag on just the folder path, does that give you the desired
behavior?

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Gene" <Gene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1CBA5713-4A9C-4910-9C31-EFEB83FACFB4@xxxxxxxxxxxxxxxx
I can't get the location override to work in the web.config. Only
authenticated user with specific roles should be able to access the
application except for some pages need public access (3 or 4 pages). I
have
tested the main authorization section and it works correctly, but the
location override doesn't allow all identities like it should.

Markup from web.config file:

<configuration>
<system.web>
<authentication mode="Windows"/>
<authorization>
<deny users="?" />
<allow roles="test" />
<deny users="*" />
</authorization>
</system.web>
<location path="~/Default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

Thanks for any insight,
Gene


.



Relevant Pages

  • Re: Roles - Access Rule Storage
    ... The suggestion with Reflector was mostly just to look at the code to see how ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... You might also want to look at the Authorization Manager API if you ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Roles - Access Rule Storage
    ... You might also want to look at the Authorization Manager API if you ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... exact same thing in your module, but store the authorization policy in the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: ASP.NET Role Authorization Override
    ... authentication. ... SkipAuthorization property on HttpContext to override the behavior of the ... policy where only members of a certain role may access any page in the ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Form authentication and files that shouldny be authenticated
    ... Joe Kaplan-MS MVP Directory Services Programming ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... clients, should be able to visit them. ...
    (microsoft.public.dotnet.security)