Deny anonymous for all pages except the "~/" path in ASP.NET

2

8

In ASP.NET, I use this config section to deny anonymous users for all pages.

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>

And I use the following to declare an exception that anonymous users can access.

<location path="Welcome.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

That works fine for me.

However, how can I set only the default page as an exception? (Such as: anonymous can access only http://mysite/, but can NOT access any other pages in the site?)

I've tried using location path="~/" or "/" and it doesn't work.

Diversified answered 10/10, 2011 at 13:54 Comment(4)
Assuming your default page is default.aspx, just use that instead of welcome.aspx. It should handle it when it's accessed at the root. - Sepia
Thanks @doozer-blake, but I want to let anonymous users access http://mysite/ without "default.aspx". The only workaround I have found so far is to allow all users for the whole site and deny users in any other locations one by one. - Diversified
Understood, but it's not picking that up from setting default.aspx? I can run a site locally with the exact setup and it allows anonymous to / or /default.aspx. - Sepia
I tried again and it won't work for me. I think maybe it is because I am using ASP.NET MVC, and my home page is Home/Index, where location="Home/Index" doesn't work. - Diversified
3

If path="Default.aspx" doesn't work then it cannot be done using configuration. There's no syntax available to specify only the application root in the path attribute.

Nunhood answered 10/10, 2011 at 14:22 Comment(2)
Thanks. Maybe Default.aspx works in ASP.NET Pages. However, I am using ASP.NET MVC, any ideas? - Diversified
UrlAuthorizationModule executes before MVC Authorization (using Authorize attribute) and because you are using <deny users="?"/> as default you'll never see the home page unless you are logged in. Maybe if you write your own UrlAuthorizationModule. - Nunhood
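
One way to implement the custom authorization module suggested in the comment above, as an added example that is not code from this thread: a default-deny module that lets anonymous users reach only the application root. It assumes the root `<deny users="?" />` rule has been removed from web.config and the module is registered under `<system.webServer><modules>`; the class name `RootOnlyAnonymousModule` and the `~/Content/` static-asset prefix are hypothetical.

```csharp
using System;
using System.Web;

// Added example: replaces the root <deny users="?" /> rule with an explicit
// allowlist, so every path not listed here requires an authenticated user.
public sealed class RootOnlyAnonymousModule : IHttpModule
{
    // App-relative paths anonymous users may request ("~/" is the application root).
    private static readonly string[] ExactPaths = { "~/" };
    // Static assets the home and login pages need (hypothetical folder name).
    private static readonly string[] Prefixes = { "~/Content/" };

    public void Init(HttpApplication app)
    {
        // Same pipeline stage the built-in UrlAuthorizationModule uses.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    internal static bool IsAnonymousAllowed(string appRelativePath)
    {
        foreach (string p in ExactPaths)
            if (string.Equals(appRelativePath, p, StringComparison.OrdinalIgnoreCase))
                return true;
        foreach (string p in Prefixes)
            if (appRelativePath.StartsWith(p, StringComparison.OrdinalIgnoreCase))
                return true;
        return false; // anything not listed is denied
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;

        // FormsAuthenticationModule sets SkipAuthorization for the loginUrl page,
        // so ~/Account/LogOn stays reachable without listing it here.
        if (ctx.SkipAuthorization || ctx.Request.IsAuthenticated) return;

        // "~/" for http://mysite/, "~/Home/Index" for http://mysite/Home/Index.
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (IsAnonymousAllowed(path)) return;

        // Forms authentication turns this 401 into a redirect to loginUrl.
        ctx.Response.StatusCode = 401;
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Because the match on `~/` is exact, an anonymous request for `/Home/Index` is still rejected even though it routes to the same action as the root.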
0

I think you can change your folder structure to achieve this. Then you can change the web.config to deny users:

<configuration>
    <system.web>
        <authorization>
            <allow roles="administrators" />
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
Liger answered 10/10, 2011 at 14:5 Comment(0)
