Joe,
Thanks for the suggestion. The markup from the web.config file is as follows:
<!-- site-wide authorization: only allow Administrators access -->
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
slidingExpiration="true" protection="All" />
</authentication>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>
<!-- location override: let any authenticated user access the EditUser page
-->
<location path="Users/EditUser.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
As you can see, my approach was to limit access by role site-wide, but then
for the page I wanted an exclusion for, simply restrict anonymous users from
accessing it, which I thought would be logically equivalent to allowing any
authenticated user, irrespective of role, access it. Perhaps this is not how
ASP.NET interprets it, and this may be the disjuncture. Maybe the <location>
element isn't viewed as an override on the <authorization> element, since it
isn't explicitly specified. That being the case, how does one turn it off in
a sub-directory?
I'd like to establish this policy via configuration versus code, if
possible. I'd be quite surprised if there wasn't a way to achieve what I'm
trying to do, given how simple it seems: make every page in the site require
Administrators membership except for 1 page, which would only require user
authentication.
Thanks again,
-Mike
"Joe Kaplan" wrote:
> Perhaps you could show the markup from the web.config? There may be an
> error in your location tag usage that is preventing it from giving you the
> desired results.
>
> An alternate approach would be to handle the "Authenticate" event in
> global.asax, check for a request for the specific excluded page and use the
> SkipAuthorization property on HttpContext to override the behavior of the
> UrlAuthorizationModule (the <allow><deny> tags in web.config). This
> approach is a bit dangerous because you need to do matching on the URL which
> can lead to security issues if you have any problems with your string
> matching and it may be harder to maintain, but sometimes you need the extra
> flexibility the code solution gives you.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> "Mike" <> wrote in message
> news:4103AFCE-E3D7-4B6B-BF4B-...
> > Hello,
> >
> > I am having difficulty achieving a result I expected to be very easy with
> > ASP.NET role authorization. I would like to set a site-wide authorization
> > policy where only members of a certain role may access any page in the
> > site,
> > but I would like suspend this authorization policy for *one* single page
> > in
> > the site, so that any authenticated user may access the page, no matter
> > which
> > role they are assigned to or even if they have no roles.
> >
> > I have tried using a <location> element to turn off role authorization for
> > the single page, but it doesn't seem to have any affect. Authenticated
> > users
> > without the proper role that try to access the unrestricted page are
> > prompted
> > over and over again to log in, which indicates that a role is still needed
> > for the page. How can I override the site-wide role authorization
> > requirement
> > and turn it off for the one page?
> >
> > TIA,
> > -Mike
>
>
Similar Threads
