Requiring Authorization for a Single Subfolder

J

Johnnie Norsworthy

ASP.NET 2.0

How do I configure my web site to require forms authorization only for a
subfolder off the root? I know how to set Web.config for forms
authentication for the whole site, but I need the root folder to allow all
read access, and a single subfolder to require authorization.

Thanks for any assistance.

-Johnnie
 
J

Juan T. Llibre

This should work in your root web.config :

<location path="/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="/yoursubfolder">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
 
J

Johnnie Norsworthy

Juan T. Llibre said:
This should work in your root web.config :

<location path="/">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="/yoursubfolder">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Click to expand...

Thank you very very much Juan! I don't know where I missed that in the
documentation, because I sure looked for it awhile.
 
J

Juan T. Llibre

Don't get too excited, Johnnie.

I think I have a typo in the example I sent you,
and you still have to setup Forms Authorization for the subdirectory.

;-)

The typo is that the slash is not needed for the subdir, and I think you can even get
away without setting the location path for the main directory, by simply including :

<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="/yoursubfolder">
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/subdir"
timeout="20" >
</forms>
</authentication>

<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>

Test both modes...and let me know how it went.

See a complete example at this KB :

http://support.microsoft.com/default.aspx?scid=kb;en-us;316871

The difference in that example, of course, is that instead
of requiring authorization, it allows it with :

<allow users ="*" />

But using <allow users ="?" /> requires that the user be authenticated.

You still have to setup Forms authentication for that subdirectory, though.
 
J

Johnnie Norsworthy

Here is the Web.Config I used to make it work with some parts simplified:


<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<appSettings/>
<connectionStrings/>
<system.web>
<compilation debug="true">
<assemblies>
...
</assemblies>
</compilation>
<authentication mode="Forms">
<forms loginUrl="login.aspx">
<credentials passwordFormat="Clear">
<user name="Test" password="Test"/>
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<customErrors mode="RemoteOnly" defaultRedirect="error.htm">
<error statusCode="403" redirect="security.htm"/>
<error statusCode="404" redirect="missing.htm"/>
</customErrors>
</system.web>

<location path="customer">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>

Thanks for your help,
Johnnie
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Authorization Confusion 3
Restricted permission on subfolder 6
Need Authorization to Shared Resources 3
Windows Authorization 14
Forms authentication in a subfolder problem, please help 3
Forms Authentication for single directory 1
Authorization 1
Remove HttpModule for a subfolder 2

Members online

Total: 69 (members: 3, guests: 66)
Robots: 439

Forum statistics

Threads
473,995
Messages
2,570,233
Members
46,820
Latest member
GilbertoA5

Latest Threads

Top