Guru Sarkar's Blog: Setting Authorization Rules For A Particular Page or Folder in Web - Config

Guru Sarkar's
Blog
Home About RSS Atom Comments RSS Sign in | Join
Search
Setting authorization rules for a particular page or folder in web.config Go
I have seen so many people asking again and again how to give allow access to particular page to a person or roles. So I thought its good to put this in one place. I will discuss
how to configure web.config depending on the scenario.
Tags
We will start with a web.config without any authorization and modify it on case by case bassis. ASP.NET
No Authorization ASP.NET
We will start with the root web.config without any authorization.
Authorization
<configuration> ASP.NET
<system.web> Membership
<authentication mode="Forms"> ASP.NET roles
</authentication> </system.web> Authentication
</configuration> checkBox Code
Deny Anonymous user to access entire website Snippets
This is the case when you want everybody to login before the can start browsing around your website. i.e. The first thing they will see is a login page. CreateUser
<system.web> CreateUserWizard
<authentication mode="Forms">
CSS DataList
</authentication> Forms
<authorization>
Authentication
<deny users="?"/> //will deny anonymous users </authorization>
GridView
HyperLink
</system.web>
JavaScript jQuery
The above situation is good when user don't have to register themselves but instead their user account is created by some administrator.
ListView
Allow access to everyone to a particular page
LoginName
Sometimes you want to allow public access to your registeration page and want to restrict access to rest of the site only to logged / authenticated users .i.e. do not allow
anonymous access. Say your registration page is called register.aspx in your site's root folder. In the web.config of your website's root folder you need to have following setup. MembershipProvider
<configuration> Menu Control
NavigateUrl
<system.web>
Repeater Roles
<authentication mode="Forms"/>
<authorization> <deny users="?"/> //this will restrict anonymous user access
Roles
Authorization
</authorization>
Roles Provider
</system.web>
RowIndex
<location path="register.aspx"> //path here is path to your register.aspx page e.g. it could be ~/publicpages/register.aspx
SiteMapProvider
<system.web> Stlyes Summary
<authorization> TreeView Visual
<allow users="*"/> // this will allow access to everyone to register.aspx Studio 2010
</authorization> Web.config
</system.web> WebConfigurationManager
</location>
</configuration>
Sponsors
Till now we saw either allow users or to authenticated users only. But there could be cases where we want to allow particular user to certain pages but deny everyone
else (authenticated as well as anonymous). Starting at
$4.95/mo.
To allow access to particular user only and deny everyone else ASP.NET 4
Hosting!
Say you want to give access to user "John" to a particular page e.g. userpersonal.aspx and deny all others the location tag above should look like below: Get Up to 10
FREE MS SQL
<location path="userpersonal.aspx"> 2008 & MySQL
Databases! No
<system.web> Hidden/Setup
Fees
<authorization> WinHost.com
<allow users="John"/> // allow John ..note: you can have multiple users seperated by comma e.g. John,Mary,etc ASP.NET Web
Hosting - 6
<deny users="*"/> // deny others
Months Free
</authorization> Award Winning
ASP.NET 4.0
</system.web> Hosting w/ Full
Trust, MVC2 &
</location> Silverlight 4
DiscountASP.NET
Allow only users in particular Role
Gerber Life
Here I am will not show how to setup roles. I assume you have roles managment setup for users. We will see now what needs to be done in web.config to Grow-Up®
configure authorization for a particular role. e.g You have two roles. Customer and Admin and two folders CustomerFolder and AdminFolder. Users in Whole Life Child
Admin role can access both folders. Users in Customers role can access only CustomerFolder and not AdminFolder. You will have to add location tags Insurance Up To
$50K In
for each folder path as shown below:
for each folder path as shown below:
Coverage. Get A
Free Quote!
<location path="AdminFolder">
www.GerberLife.com
<system.web>
advertise here
<authorization>
<allow roles="Admin"/> //Allows users in Admin role
<deny users="*"/> // deny everyone else News
</authorization>
</system.web>
Navigation
</location> Home
<location path="CustomerFolder"> Blogs
<system.web>
<authorization> Archives
<allow roles="Admin, Customers"/> //Allow users in Admin and Customers roles
September 2010
<deny users="*"/> // Deny rest of all (3)
</authorization> July 2010 (1)
</system.web> April 2010 (1)
</location> March 2010 (2)
Alternate way - using individual web.config for each Folder January 2010 (3)
Alternative to above mentioned method of using <location../> tag, you can add web.config to each folder and configure authorization accordingly almost similar to
November 2009
one show above but not using location tag. Taking same eg. as above. Add web.config to both the folders AdminFolder and CustomerFolder.
(1)
Web.config in AdminFolder should look like:
October 2009 (2)
<configuration>
June 2009 (2)
<system.web>
May 2009 (1)
<authorization>
January 2009 (2)
December 2008
<deny users="*"/> // deny everyone else (1)
</authorization> November 2008
(2)
</system.web>
September 2008
</configuration> (1)
Web.config in CustomerFolder should look like:
<configuration>
<system.web>
<authorization>
<allow roles="Admin, Customers"/> //Allow users in Admin and Customers roles
<deny users="*"/> // Deny rest of all
</authorization>
</system.web>
</configuration>
Images and CSS files
Say you have all your images and CSS in a seperate folder called images and you are denying anonymous access to your website. In that case you might see that on your login
page you cannot see images(if any) and css(if any) applied to your login page controls.
In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in images folder should look as below:
<configuration>
<system.web>
<authorization>
<allow users="*"/> //Allow everyone
</authorization>
</system.web>
</configuration>
Common Mistakes
I have seen people complaining that they have setup their roles correctly and also made entry to their web.config but still their authorization doesn't work. Even they have allowed
access to their role that user cannot access particular page/folder. The common reason for that is placing <deny../> before <allow ../>.
Say the web.config from AdminFolder as we have seen before is something like this:
//This web.config will not allow access to users even they are in Admin Role
<configuration>
<system.web>
<authorization>
<deny users="*"/> // deny everyone else
</authorization>
</system.web>
</configuration>
Since the authorization is done from top to bottom, rules are checked until a match is found. Here we have <deny users="*"/> first and so it will not check for allow any more and
deny access even if in Admin role.
So PUT all allows BEFORE ANY deny.
NOTE: deny works the same way as allow. You can deny particular roles or users as per your requirement.
I hope this will answer some of the question regarding how to authorize pages / folders(directories). Comments welcome.
Resources
ASP.NET Authorization : http://msdn.microsoft.com/enus/library/wce3kxhd.aspx
Authorizing Users and Roles: http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/authorization.aspx
Published Monday, September 29, 2008 1:50 PM by guru_sarkar
Filed under: Roles Authorization, ASP.NET Authorization
Comments
# re: Setting authorization rules for a particular page or folder in web.config
Monday, February 09, 2009 12:55 AM by S.Mahathi
good article,very helpful
Thursday, February 12, 2009 5:00 AM by Majid
Its a very useful article. It have resolved all type of ambiguities.
Wednesday, February 18, 2009 9:32 PM by sio2y
Clean concise and best of all .... it works!
Tuesday, March 17, 2009 1:33 PM by ctrlaltdl
Great article, but I'm still confused about one thing.
How do I allow access to everyone except the one group?
This doesn't seem to work for me.
<deny users="Sales"/>
<allow users="*"/>
Tuesday, March 17, 2009 2:48 PM by ctrlaltdl
I figured it out. I put deny first and change users to roles and added the domain name.
<deny roles="DOMAIN\Sales"/>
<allow users="*"/>
Thursday, March 26, 2009 12:36 PM by M Hooge
I use a different web.config for each folder with special access. For those who are denied access, how can I redirect them to a different page?
Thursday, March 26, 2009 4:15 PM by guru_sarkar
Hi M Hooge,
Check this: www.asp.net/.../tutorial07vb.aspx
Tuesday, May 19, 2009 10:30 AM by mgonzales3
multiple domains requires a better solution. if app is accessed by more than one domain we shouldn't need dom1\Accounting, dom2\Accounting, dom3\Accounting.
Friday, May 29, 2009 7:05 PM by M E
Nice post. Thanks. Is it possible to store and maintain users, roles, page paths, passwords, etc., in a central location or database?
Monday, June 01, 2009 1:10 PM by guru_sarkar
Hi M E,
Yes it is possible to do what you are asking.
Check here: www.asp.net/.../security
Tuesday, August 18, 2009 10:11 AM by NitinSawant
thanks
Wednesday, September 23, 2009 6:05 AM by Subhra
Boss the below section denies for all users. Don't know for what reasons, tried much.
I am getting user validated and should not be authorised but its actually denying all.
see if you can sight any reasons.
<location path="userpersonal.aspx">
<system.web>
<authorization>
<allow users="John"/> // allow John ..note: you can have multiple users seperated by comma e.g. John,Mary,etc
<deny users="*"/> // deny others
</authorization>
</system.web>
</location>
Wednesday, September 23, 2009 3:03 PM by guru_sarkar
Subhra,
The settings you are pointing to should allow user who is loggedin with username "John" and deny rest.
Make sure user 'John' is in fact authenticated.
May be you might want to provide more details.
Sunday, September 27, 2009 3:51 PM by sukumarraju
Hi Guru
It is very helpful article. Can I know how you managed to get source code in blog? When i tried using Live writer, i could not figure out the any tool to publish source code. It simply
publishing as Text.
Thursday, October 01, 2009 5:03 PM by guru_sarkar
sukumarraju,
I think I just copypasted from VS source code file and the colors etc. was taken up by editor. I don't remember of using any tool like they have on asp.net Forums site.
# ASP Membership/Role Model + Sitemap Security Trimming &laquo; ?????????????????????????????????
Monday, November 02, 2009 2:44 AM by ASP Membership/Role Model + Sitemap Security Trimming « ?????????????????????????????????
Pingback from ASP Membership/Role Model + Sitemap Security Trimming &laquo; ?????????????????????????????????
Tuesday, December 01, 2009 12:21 PM by vision
thanx
Friday, January 22, 2010 9:57 AM by Deângelo
Very usefull this blog, tnks.
Thursday, January 28, 2010 1:09 AM by sachinr_33
Much needed article
Sunday, April 11, 2010 9:59 AM by Nimrod
Great article, this doesn't work with Firefox using IIS 7.5
Monday, April 12, 2010 11:21 AM by guru_sarkar
Nimrod,
Can you provide more info on that...as there should be something else going on and not the configurations in web.config....
Monday, April 12, 2010 1:04 PM by Viswas
The articles is very good , easily understandable and very useful.
Tuesday, June 29, 2010 9:44 AM by james
excellent piece.. short concise and to the point.. thanks
Thursday, July 15, 2010 4:58 AM by Lax
Thanks for such a useful article.
Leave a Comment
Title (required)
re: Setting authorization rules for a particular page or folder in web.config
Name (required)
Your URL (optional)
Comments (required)
Remember Me?
Submit
Terms of Use

Guru Sarkar's Blog: Setting Authorization Rules For A Particular Page or Folder in Web - Config

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Guru Sarkar's Blog: Setting Authorization Rules For A Particular Page or Folder in Web - Config

Hochgeladen von

Copyright:

Verfügbare Formate

Guru Sarkar's

Home About RSS Atom Comments RSS Sign in | Join

Das könnte Ihnen auch gefallen