Ask a Question related to ASP.NET Security, Design and Development.
-
Paul Glavich [MVP - ASP.NET] #1
Re: How to limit access to admin subfolder using web.config file?
For the 'admin' area, you should have something like the following in the
authorisation section of your web.config:-
<allow roles="AdminRole" />
<deny users="*" />
This way, only those users who have been assigned an admin role are allowed
in, and everyone else is denied. For your login procedure, you need to do
some form of user lookup (typically via DB) and assign an 'AdminRole' to the
current user, and create a forms principal that is attached to the current
HttpContext (HttpContext.Current.User) so that this role check can be
performed by the runtime.
--
- Paul Glavich
Microsoft MVP - ASP.NET
"Frenny Thomas via .NET 247" <anonymous@dotnet247.com> wrote in message
news:u6Koc2PjEHA.3664@TK2MSFTNGP12.phx.gbl...
I'm in quite a dilemma, and for the first time: all the articles and
discussion forums on the 'net haven't helped me get rid of my page errors :(
I have my web.config file in the root directory. I have a subdirectory
called /admin/ underneath it. I want all users to be able to view any page
in the root directory. If a user tries to access any page in the /admin/
subfolder, I want him/her to be redirected to a login page (located in the
subfolder itself).
I have tried two methods of doing the job, but neither has worked. Can
anyone give me any suggestions/explanations??
Method 1
--------------------------------------------------------------------------------
<configuration>
  <system.web>
    <customErrors mode="Off"/>
    <compilation debug="true"/>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <customErrors mode="Off"/>
      <compilation debug="true"/>
      <authentication mode="Forms">
        <forms name="frmLogin"
               loginUrl="login.aspx">
        </forms>
      </authentication>
      <authorization>
        <deny users ="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
Method 2 [After I moved the login.aspx page back up to the root directory]
--------------------------------------------------------------------------------
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
    <authentication mode="Forms">
      <forms name="frmLogin"
             path="/"
             loginUrl="login.aspx"
             protection="All"
             timeout="20"></forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
Paul Glavich [MVP - ASP.NET] Guest
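The role assignment described in the reply above, as an added example that is not code from the thread: the login page stores the user's roles in the forms ticket, and each request rebuilds a principal from it so that `<allow roles="AdminRole" />` can be checked. `AdminAuth`, `LookupRoles` and the `|` separator are assumptions.

```csharp
// Added example, not code from the thread. LookupRoles is a hypothetical
// stand-in for the database query; roles are joined with '|' (an assumption).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AdminAuth
{
    // Call from login.aspx after the password has been verified, then
    // redirect the user back to the page that was originally requested.
    public static void SignIn(HttpResponse response, string userName)
    {
        string[] roles = LookupRoles(userName);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issue time
            DateTime.Now.AddMinutes(20),    // expiry, matching timeout="20"
            false,                          // not persistent
            string.Join("|", roles));       // UserData carries the roles

        // Encrypt() honours protection="All" (encryption plus validation),
        // so the role list cannot be edited on the client.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax:
    //     AdminAuth.AttachPrincipal(HttpContext.Current);
    public static void AttachPrincipal(HttpContext context)
    {
        if (context.User == null) return;               // anonymous request
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        string[] roles = identity.Ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }

    // Hypothetical lookup; replace with the query against the real user store.
    private static string[] LookupRoles(string userName)
    {
        return userName == "administrator" ? new string[] { "AdminRole" } : new string[0];
    }
}
```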
-
Seth Westfall #2
Re: How to limit access to admin subfolder using web.config file?
Your second option was close, just need to add one more line to make it
work.
Here is the complete section
<location path="admin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users ="*" />
    </authorization>
  </system.web>
</location>
Since you want to limit unauthenticated users from accessing the
directory, the deny users=? does that, but once they are authenticated it
does not specify who to let access the directory, so you need the allow
users="*" to accomplish that.
Just curious though, why do you want all users to have access to your
admin directory? You can limit this to just admins by specifying the
administrator names or id, whichever you use, in the allow users.
Currently for one of my applications I have this set to
<allow users="1"/> which only gives the administrator of my website
access to the administration functions.
thanks,
Seth
Seth Westfall Guest
-
Seth Westfall #3
Re: How to limit access to admin subfolder using web.config file?
Change your second method to this:
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" />
    <authentication mode="Forms">
      <forms name="frmLogin"
             path="/"
             loginUrl="login.aspx"
             protection="All"
             timeout="20"></forms>
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
adding the <allow users="*"/> after denying the unauthenticated.
Since this is an admin directory you might not want to give access to
all users but just specify specific logins:
example:
<allow users="administrator,bob,text,etc" />
This will only give access to this directory to those users that are
administrators of the application.
Any other questions e-mail me at tristealth@hotmail.com
thanks,
Seth
Seth Westfall Guest
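An added example, not code from the thread or from ASP.NET itself: a simplified model of how URL authorization evaluates the rule sets posted above. Rules in `<location path="admin">` are checked first, then the inherited root `<allow users="*" />`, and the first match decides; a named-user `allow` without a trailing `<deny users="*" />` therefore still lets other authenticated users through. The class names and the user "mallory" are constructed for illustration.

```csharp
// Added example: simplified model of URL authorization, not framework code.
using System;

class Rule
{
    public bool Allow;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];

    public Rule(bool allow, string users, string roles)
    {
        Allow = allow;
        if (users != null) Users = users.Split(',');
        if (roles != null) Roles = roles.Split(',');
    }

    // user == null models an anonymous request ("?"); "*" matches everyone.
    public bool Matches(string user, string[] userRoles)
    {
        foreach (string u in Users)
            if (u == "*" || (u == "?" && user == null) || (user != null && u == user))
                return true;
        foreach (string r in Roles)
            if (user != null && Array.IndexOf(userRoles, r) >= 0)
                return true;
        return false;
    }
}

static class UrlAuthModel
{
    // merged = rules from <location path="admin">, then the inherited root rules.
    public static bool IsAllowed(Rule[] merged, string user, params string[] userRoles)
    {
        foreach (Rule rule in merged)
            if (rule.Matches(user, userRoles)) return rule.Allow;  // first match decides
        return false;
    }

    static void Show(string label, params Rule[] adminRules)
    {
        Rule[] merged = new Rule[adminRules.Length + 1];
        adminRules.CopyTo(merged, 0);
        merged[adminRules.Length] = new Rule(true, "*", null);     // root <allow users="*" />
        Console.WriteLine("{0}: anonymous={1} mallory={2} administrator={3}", label,
            IsAllowed(merged, null), IsAllowed(merged, "mallory"),
            IsAllowed(merged, "administrator", "AdminRole"));
    }

    static void Main()
    {
        Show("deny ?", new Rule(false, "?", null));
        Show("deny ?, allow names", new Rule(false, "?", null),
             new Rule(true, "administrator,bob", null));
        Show("allow role, deny *", new Rule(true, null, "AdminRole"),
             new Rule(false, "*", null));
    }
}
```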
-
Frenny Thomas #4
Re: How to limit access to admin subfolder using web.config file?
How do I 'assign a role' to a user? Once authenticated? Based on values
I receive from the database query on that username and password?
Frenny Thomas Guest




