Subfolders and security, please help!!

Jay · Jay

Hi,

I'm having some terrible difficulty setting up security on
sub-folders of my ASP.NET application. Here's essentially
what is happening:

1. I create my application at [url]http://localhost[/url]

2. Since I'm creating it at the root, VS.NET gives it the
initial namespace, solution name, and project name as
localhost.

3. I change all of that to my project name. Let's
say "testsite"

4. I also rename WebForm1.aspx to Default.aspx

5. Then I build and test to make sure everything still
works. It does.

6. Next I right-click on the project name in my solution
explorer, and click "Add New Folder." I call my new
folder admin. And it's going to contain protected content.

7. Then I add a login.aspx file in the admin folder, and a
default.aspx in the admin folder. I set the default.aspx
in the admin folder as the start page.

8. I then add a web.config file in the Admin folder. I
set it up to use forms authentication and deny all
anonymous users.

----------------------------

At this point, I "think" everything should work fine.
When the solution builds, it should try to launch the
default.aspx folder in my Admin subfolder, realize I
haven't been authenticated, and send me to the login.aspx
page in my admin subfolder.

Of course, it doesn't work. I get some strange error
suggesting the the admin subfolder needs to be setup as an
application in IIS.

Let me continue...

9. I go into IIS and setup the admin subfolder as an
application.

10. After that I can't even get the login.aspx page to
load up. I get an error: can't load type
testsite._default or something like that

11. At this point, I can't get anything else to work in
the site. If I tell IIS that the admin folder is not an
application, then I get one error... if I create it as an
application, I get another.

-------------------------------

So here's what I want:

A) I want my root default website on my Windows XP pro
machine to be called something other than "localhost" when
I setup the vs.net project. I think I know how to do this.

B) I want to be able to create a sub-folder called "Admin"
and have all pages in that folder protected by forms
authentication (with the exception of course of the
login.aspx page itself)

C) Any other pages off the root website should not be
protected.

D) I'll likely have a couple more sub-folders off the main
root website I'll want protected, too.

Anyone have any suggestions?

Thanks very much.

Eugene Jenihov · Eugene Jenihov

Hi...

You can use location element in root web.config
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>

"Jay" <anonymous@discussions.microsoft.com> wrote in message
news:0b5501c3c3dd$d16f58f0$a301280a@phx.gbl...

> Hi,
>
> I'm having some terrible difficulty setting up security on
> sub-folders of my ASP.NET application. Here's essentially
> what is happening:
>
> 1. I create my application at [url]http://localhost[/url]
>
> 2. Since I'm creating it at the root, VS.NET gives it the
> initial namespace, solution name, and project name as
> localhost.
>
> 3. I change all of that to my project name. Let's
> say "testsite"
>
> 4. I also rename WebForm1.aspx to Default.aspx
>
> 5. Then I build and test to make sure everything still
> works. It does.
>
> 6. Next I right-click on the project name in my solution
> explorer, and click "Add New Folder." I call my new
> folder admin. And it's going to contain protected content.
>
> 7. Then I add a login.aspx file in the admin folder, and a
> default.aspx in the admin folder. I set the default.aspx
> in the admin folder as the start page.
>
> 8. I then add a web.config file in the Admin folder. I
> set it up to use forms authentication and deny all
> anonymous users.
>
> ----------------------------
>
> At this point, I "think" everything should work fine.
> When the solution builds, it should try to launch the
> default.aspx folder in my Admin subfolder, realize I
> haven't been authenticated, and send me to the login.aspx
> page in my admin subfolder.
>
> Of course, it doesn't work. I get some strange error
> suggesting the the admin subfolder needs to be setup as an
> application in IIS.
>
> Let me continue...
>
>
> 9. I go into IIS and setup the admin subfolder as an
> application.
>
> 10. After that I can't even get the login.aspx page to
> load up. I get an error: can't load type
> testsite._default or something like that
>
> 11. At this point, I can't get anything else to work in
> the site. If I tell IIS that the admin folder is not an
> application, then I get one error... if I create it as an
> application, I get another.
>
> -------------------------------
>
> So here's what I want:
>
> A) I want my root default website on my Windows XP pro
> machine to be called something other than "localhost" when
> I setup the vs.net project. I think I know how to do this.
>
> B) I want to be able to create a sub-folder called "Admin"
> and have all pages in that folder protected by forms
> authentication (with the exception of course of the
> login.aspx page itself)
>
> C) Any other pages off the root website should not be
> protected.
>
> D) I'll likely have a couple more sub-folders off the main
> root website I'll want protected, too.
>
> Anyone have any suggestions?
>
> Thanks very much.

Joe Audette · Joe Audette

If the admin folder is protected by the web.config, I
don't see how the login page could be in the admin
folder. It would not let you get to the login page
becuase you're not logged in. The login page needs to be
in an un-protected folder.

Joe

>-----Original Message-----
>Hi,
>
>I'm having some terrible difficulty setting up security

on

>sub-folders of my ASP.NET application. Here's

essentially

>what is happening:
>
>1. I create my application at [url]http://localhost[/url]
>
>2. Since I'm creating it at the root, VS.NET gives it

the

>initial namespace, solution name, and project name as
>localhost.
>
>3. I change all of that to my project name. Let's
>say "testsite"
>
>4. I also rename WebForm1.aspx to Default.aspx
>
>5. Then I build and test to make sure everything still
>works. It does.
>
>6. Next I right-click on the project name in my solution
>explorer, and click "Add New Folder." I call my new
>folder admin. And it's going to contain protected

content.

>
>7. Then I add a login.aspx file in the admin folder, and

a

>default.aspx in the admin folder. I set the

default.aspx

>in the admin folder as the start page.
>
>8. I then add a web.config file in the Admin folder. I
>set it up to use forms authentication and deny all
>anonymous users.
>
>----------------------------
>
>At this point, I "think" everything should work fine.
>When the solution builds, it should try to launch the
>default.aspx folder in my Admin subfolder, realize I
>haven't been authenticated, and send me to the

login.aspx

>page in my admin subfolder.
>
>Of course, it doesn't work. I get some strange error
>suggesting the the admin subfolder needs to be setup as

an

>application in IIS.
>
>Let me continue...
>
>
>9. I go into IIS and setup the admin subfolder as an
>application.
>
>10. After that I can't even get the login.aspx page to
>load up. I get an error: can't load type
>testsite._default or something like that
>
>11. At this point, I can't get anything else to work in
>the site. If I tell IIS that the admin folder is not an
>application, then I get one error... if I create it as

an

>application, I get another.
>
>-------------------------------
>
>So here's what I want:
>
>A) I want my root default website on my Windows XP pro
>machine to be called something other than "localhost"

when

>I setup the vs.net project. I think I know how to do

this.

>
>B) I want to be able to create a sub-folder

called "Admin"

>and have all pages in that folder protected by forms
>authentication (with the exception of course of the
>login.aspx page itself)
>
>C) Any other pages off the root website should not be
>protected.
>
>D) I'll likely have a couple more sub-folders off the

main

>root website I'll want protected, too.
>
>Anyone have any suggestions?
>
>Thanks very much.
>.
>

Hi Joe,

Yes, that seems like a logical assumption. But actually I
believe Microsoft built .NET taking that into
consideration. I'm always able to get to the URL I
specify as the LoginURL in the <Authentication> section of
the web.config.

>-----Original Message-----
>If the admin folder is protected by the web.config, I
>don't see how the login page could be in the admin
>folder. It would not let you get to the login page
>becuase you're not logged in. The login page needs to be
>in an un-protected folder.
>
>Joe
>
>

>>-----Original Message-----
>>Hi,
>>
>>I'm having some terrible difficulty setting up security

>on

>>sub-folders of my ASP.NET application. Here's

>essentially

>>what is happening:
>>
>>1. I create my application at [url]http://localhost[/url]
>>
>>2. Since I'm creating it at the root, VS.NET gives it

>the

>>initial namespace, solution name, and project name as
>>localhost.
>>
>>3. I change all of that to my project name. Let's
>>say "testsite"
>>
>>4. I also rename WebForm1.aspx to Default.aspx
>>
>>5. Then I build and test to make sure everything still
>>works. It does.
>>
>>6. Next I right-click on the project name in my solution
>>explorer, and click "Add New Folder." I call my new
>>folder admin. And it's going to contain protected

>content.

>>
>>7. Then I add a login.aspx file in the admin folder, and

>a

>>default.aspx in the admin folder. I set the

>default.aspx

>>in the admin folder as the start page.
>>
>>8. I then add a web.config file in the Admin folder. I
>>set it up to use forms authentication and deny all
>>anonymous users.
>>
>>----------------------------
>>
>>At this point, I "think" everything should work fine.
>>When the solution builds, it should try to launch the
>>default.aspx folder in my Admin subfolder, realize I
>>haven't been authenticated, and send me to the

>login.aspx

>>page in my admin subfolder.
>>
>>Of course, it doesn't work. I get some strange error
>>suggesting the the admin subfolder needs to be setup as

>an

>>application in IIS.
>>
>>Let me continue...
>>
>>
>>9. I go into IIS and setup the admin subfolder as an
>>application.
>>
>>10. After that I can't even get the login.aspx page to
>>load up. I get an error: can't load type
>>testsite._default or something like that
>>
>>11. At this point, I can't get anything else to work in
>>the site. If I tell IIS that the admin folder is not an
>>application, then I get one error... if I create it as

>an

>>application, I get another.
>>
>>-------------------------------
>>
>>So here's what I want:
>>
>>A) I want my root default website on my Windows XP pro
>>machine to be called something other than "localhost"

>when

>>I setup the vs.net project. I think I know how to do

>this.

>>
>>B) I want to be able to create a sub-folder

>called "Admin"

>>and have all pages in that folder protected by forms
>>authentication (with the exception of course of the
>>login.aspx page itself)
>>
>>C) Any other pages off the root website should not be
>>protected.
>>
>>D) I'll likely have a couple more sub-folders off the

>main

>>root website I'll want protected, too.
>>
>>Anyone have any suggestions?
>>
>>Thanks very much.
>>.
>>

>.
>

Subfolders and security, please help!!

Thread Tools

Display