Problem with web.config inheritance and <authorization> section

Max2006

Hi,

I have the following tags in my root web.config file:

<authorization>
<allow roles="RoleA,RoleB"/>
<deny users="*"/>
</authorization>

I also have a public folder in my application called "~/Public"

I like to put all publicly available aspx pages in the "~/Public" folder.
Here is what I have in the web.config file within "~/Public" folder:

<?xml version="1.0"?>
<configuration>
<appSettings/>
<connectionStrings/>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</configuration>


The problem is that none of the pages in the "~/Public" folder are available for
public users. I guess the tag <deny users="*"/> in the root web.config is still
in effect.

How can I make the pages within "~/Public" folder available for anonymous
users?

Any help would be appreciated,
Max
 
nahid

hi,

it seems you are trying the right way, but you should place all components like
css, other user controls and the master page in the public folder too.

what type of error do you get when you try to view the public folder files?

nahid
http://nahidulkibria.blogspot.com/
http://www.kaz.com.bd
 
Max2006

Hi Juan,

Actually, specifying the *location* is identical with having a web.config
inside the folder.

Once I have <deny users="*"/> in my root folder, it enforces its effect to
all sub-folders, no matter what they have in their web.config's
authorization section.

I think I need to put some ?tags? in my sub-folder's web.config to void the
effect of <deny users="*"/> within the root web.config.

Regards,
Max
 
Juan T. Llibre

re:
!> Actually, specifying the *location* is identical with having a web.config inside the folder.

If that were true, the location tag would not need to exist.
It exists for a reason.

re:
!> Once I have <deny users="*"/> in my root folder, it enforces its effect to
!> all sub-folders, no matter what they have in their web.config's authorization section.

Exactly. You have to deny users *by their location*.

re:
!> I think I need to put some ?tags? in my sub-folder's web.config to void the
!> effect of <deny users="*"/> within the root web.config.

You won't be able to do that, I think, although I'd be most
interested if you could refute my thinking in that sense.

I think that what you have to do is, in the root web.config, specify *by location*
the subdirectories of the root where you want users authorized, or not.

If you do come up with an alternate solution, please post it,
although it seems to me that doing what I suggest will do it.





 
 
Max2006

Thanks Juan for help.


 
Steven Cheng[MSFT]

Hi Max,

Have you got the problem resolved? Based on my understanding, using a
web.config file in a sub directory is identical to using a <location>
section in the root web.config. Also, I've performed some simple local tests
and the public pages (in a sub folder marked with <allow users="*" />) should
be visible to all users no matter how you configure the authorization setting
in the root web.config file. I think there may be something else causing your
application's problem behavior.

You can also try a simple forms authentication application to see whether
you can duplicate the same issue.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Guest

It certainly seems like the root authorization takes precedence - I too have
a web config with


<authorization>
<deny users="?" />
<allow users="*" />
</authorization>

and then



<!-- Allow public access to all files in the public folder-->
<location path="Public">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

Nonetheless, I get a login form for pages in Public.

Removing the deny from the global authorization allows public access to the
pages in the Public folder, but also to pages in the root directory.
 
Steven Cheng[MSFT]

Hi Quincy,

Thanks for your input.

Seems my test result is quite different. I've tried both approaches (using a
web.config file in the sub folder and using the <location> element to specify
the sub folder setting), and in both cases, the sub folder's authorization rules
will take precedence. And this is also the expected behavior. If you feel it
necessary, I can send a test project to you.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
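
The rule evaluation order this thread is arguing about, as an added example that is not part of any post and not ASP.NET's own code: a small Python model of ASP.NET URL authorization as documented (rules are merged starting at the most local configuration, the first matching rule decides, and the default rule is allow users="*"). The function names and the two config constants are constructed for illustration from the snippets in the first post.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two configs shown in the first post.
ROOT_CONFIG = """<configuration><system.web><authorization>
  <allow roles="RoleA,RoleB"/>
  <deny users="*"/>
</authorization></system.web></configuration>"""

PUBLIC_CONFIG = """<configuration><system.web><authorization>
  <allow users="*"/>
</authorization></system.web></configuration>"""

# Documented default at the top of the hierarchy: <allow users="*"/>.
DEFAULT_RULES = [("allow", {"*"}, set())]


def load_rules(config_xml):
    """Return [(action, users, roles)] in document order."""
    rules = []
    for auth in ET.fromstring(config_xml).iter("authorization"):
        for el in auth:
            users = {u.strip().lower() for u in el.get("users", "").split(",") if u.strip()}
            roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
            rules.append((el.tag, users, roles))
    return rules


def matches(rule, user, user_roles):
    """user is None for an anonymous request."""
    _, users, roles = rule
    if "*" in users:                    # everyone, anonymous included
        return True
    if "?" in users and user is None:   # anonymous requests only
        return True
    if user is not None and user.lower() in users:
        return True
    return bool(roles & set(user_roles))


def is_allowed(config_chain, user=None, user_roles=()):
    """config_chain lists configs from most local (sub-folder) up to the root."""
    merged = [r for cfg in config_chain for r in load_rules(cfg)] + DEFAULT_RULES
    for rule in merged:
        if matches(rule, user, user_roles):
            return rule[0] == "allow"   # first matching rule decides
    return False
```

In this model an anonymous request for a page under ~/Public hits the sub-folder's allow users="*" before the root's deny users="*" is ever consulted, while the same request for a root page is denied.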
 
Steven Cheng[MSFT]

Hi Max,

Any progress on this issue? If you still have any questions on this, please
feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.
 
