Wrox Programmer Forums

You are currently viewing the ASP.NET 1.x and 2.0 Application Design section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
Old January 20th, 2004, 10:03 AM
Friend of Wrox
 



http://p2p.wrox.com/topic.asp?TOPIC_ID=8699

I found it :)

 
Old January 21st, 2004, 11:03 AM
planoie's Avatar
Friend of Wrox
 

So apparently I hadn't tried everyone's suggestions hard enough. I just tried and succeeded with a working solution that several people had pointed out. Not sure why I wasn't able to get it before.

It seems that you can only specify the login page details of forms authentication in the root web.config. However, it would seem to make sense that even with forms auth set up, you could still allow the root of the application to allow all anonymous users and restrict subdirectories (with supplemental web.config files) or individual files (with the <location> nodes in the web.config(s)).

I was looking at the comments in the default web.config and began thinking about something. The comment says "Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users".

So wouldn't that imply that this:

    <allow users="?" />

would allow anonymous but deny authenticated users? That's the way I interpret it. But it doesn't perform that way. I guess the concept of an "anonymous" user is kind of loose.

Peter
------------------------------------------------------
Work smarter, not harder.
 
Old January 22nd, 2004, 02:42 AM
Authorized User
 

I need to secure a section of it: MyWebApp/privateSection.
Don't put the location to be denied in the system.web part, but after it. Each page must be specified in a location path to be denied. (I don't know if you can deny a whole sub-directory in one statement.)

    <configuration>
        <system.web>
            <authentication mode="Forms">
                <forms name="MyWebApp" loginUrl="Login.aspx" protection="All" path="/" />
            </authentication>
        </system.web>

        <!-- deny anonymous (unauthenticated) users for this one page -->
        <location path="privateSection.aspx">
            <system.web>
                <authorization>
                    <deny users="?" />
                </authorization>
            </system.web>
        </location>
    </configuration>

HtH


Sandra MacGregor
 
Old January 22nd, 2004, 09:37 AM
Friend of Wrox
 

Quote:
quote:Originally posted by shmacgregor
  (I don't know if you can deny a whole sub-directory in one statement.
Yes you can. You can put a separate web.config file in the folder you want secure:

mysecurefolder/

    <configuration>
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>
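
The `<allow users="?" />` question and the per-folder `<deny users="?" />` rule above both come down to rule order, so here is a simplified model of ASP.NET URL authorization, added as an example (it is not code from the thread or from ASP.NET itself). The function names, the user name `peter` and the rule-list representation are assumptions; roles and verbs are left out.

```python
# Simplified model of ASP.NET URL authorization; not the framework's code.
# Rule lists are walked from the most specific config up to the root and
# finally the machine-level default. The first matching rule decides.

MACHINE_DEFAULT = [("allow", "*")]  # <allow users="*" /> inherited by every app


def matches(pattern, user):
    """user is None for an anonymous request, otherwise the login name."""
    if pattern == "*":          # everyone, authenticated or not
        return True
    if pattern == "?":          # only unauthenticated requests
        return user is None
    names = [n.strip() for n in pattern.split(",")]
    return user is not None and user in names   # exact match in this model


def is_allowed(user, *config_levels):
    """config_levels: rule lists ordered from nearest folder to app root."""
    for rules in list(config_levels) + [MACHINE_DEFAULT]:
        for action, pattern in rules:
            if matches(pattern, user):
                return action == "allow"
    return False


# Constructed rule sets mirroring the snippets in the thread.
ROOT = []                                          # root: no authorization rules
ALLOW_ANON = [("allow", "?")]                      # <allow users="?" /> alone
ANON_ONLY = [("allow", "?"), ("deny", "*")]        # anonymous users only
SECURE_FOLDER = [("deny", "?")]                    # mysecurefolder/web.config


def demo():
    return {
        "allow ? / anonymous": is_allowed(None, ALLOW_ANON, ROOT),
        "allow ? / peter": is_allowed("peter", ALLOW_ANON, ROOT),
        "anon only / peter": is_allowed("peter", ANON_ONLY, ROOT),
        "secure folder / anonymous": is_allowed(None, SECURE_FOLDER, ROOT),
        "secure folder / peter": is_allowed("peter", SECURE_FOLDER, ROOT),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28} -> {'allowed' if allowed else 'denied'}")
```

An `<allow users="?" />` on its own never denies anyone because the inherited `<allow users="*" />` still matches authenticated users; restricting a resource to anonymous users needs an explicit `<deny users="*" />` after it.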

 
Old April 30th, 2004, 12:43 PM
Registered User
 

Hi...This topic is quite interesting to me. So, if what you were saying is true about being able to specify the authentication tag only in the root web.config, how would you achieve something like this?

I have 2 secure folders, say 'user' and 'admin'. I specify two web.config files within the folders with the authorization tag containing -- <deny users="?"> --. The problem is they have two different login pages. How can I redirect them to their corresponding login pages using the <authentication> tag??

I have been thinking about this for a while but couldn't come up with anything except making the two login pages the same. This seems fine since there are only two types of users in this case. What if we have 4 or 5 types of users???

SJ.


Quote:
quote:Originally posted by planoie
 So apparently I hadn't tried everyone's suggestions hard enough. I just tried and succeeded with a working solution that several people had pointed out. Not sure why I wasn't able to get it before.

It seems that you can only specify the login page details of forms authentication in the root web.config. However, it would seem to make sense that even with forms auth set up, you could still allow the root of the application to allow all anonymous users and restrict subdirectories (with supplemental web.config files) or individual files (with the <location> nodes in the web.config(s)).

I was looking at the comments in the default web.config and began thinking about something. The comment says "Wildcards: "*" mean everyone, "?" means anonymous (unauthenticated) users".

So wouldn't that imply that this:

    <allow users="?" />

would allow anonymous but deny authenticated users? That's the way I interpret it. But it doesn't perform that way. I guess the concept of an "anonymous" user is kind of loose.

Peter
------------------------------------------------------
Work smarter, not harder.




