Authentication per page

planoie · November 15th, 2003, 01:28 PM

I have been doing some reading about ASP.Net authentication in an effort to answer a question regarding ASP.Net security settings per page.

According to the docs, ASP.Net authentication settings can be set at the web application/virtual directory, sub directory and page level. I know how to do all of those except the page. I've been looking around in the documentation and I can't find anything addressing this.

Anybody know?

Peter
------------------------------------------------------
Work smarter, not harder.

jbenson001 · November 17th, 2003, 12:40 PM

Are you talking about page leve authentication in the Web.Config?

jacob · November 17th, 2003, 01:02 PM

Well, I do not know anything about authorization, so I guess thats a good start, however I looked up the word in my book ;) !

In the web.config file one seem to be able to use a location tag. An example is given in the book...

Code:

<configuration>
  <location path="somePath/somefile.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>

Is that it!?

Hope it helps

Jacob.

jbenson001 · November 17th, 2003, 01:19 PM

In the authentication section put this:
<authentication mode="Forms"/>
<forms name ="any name here (bogus cookie name) loginURL="page to redirect to">

In the code behind:
Imports System.Web.Security

In Page_Load
FormsAuthentication.RedirectFromLogin("", False)

the "" tells it to go to the page previously requestd, the False tells it not to create a cookie.

Hope this helps.

planoie · November 17th, 2003, 01:39 PM

Thanks Jim and Jacob.

Perhaps I wasn't explicit enough with my question:

I have a site: MyWebApp. It should be public, all anonymous visitors can view it. I need to secure a section of it: MyWebApp/privateSection. I know how to do this the other way around to allow anonymous users to access that section. All I have to do is add a empty web.config with nothing but
<configuration>
    <system.web>
        <authorization>
            <allow users="?" />

I guess my question is more something like: If I have a public web application, how do I secure sub directories (or specific pages if necessary). Essentially, I need to add <authentication...> in the web.config for only certain sub directories, and possibly different configurations for each.

I have never seen anything about this <location> node that Jacob speaks of. I'll investigate this further. Perhaps the answer that I'm looking for.

Peter
------------------------------------------------------
Work smarter, not harder.

planoie · November 17th, 2003, 01:47 PM

I was waiting for my local framework SDK to load as I was writing the last post. After posting, I did a search for "web.config location" and found the <location> node SDK document. Funny how I had never noticed the location node in the config file schema before (probably because it's not in the default web.config file). I now see that I should be able to specify a sub directory or a specific file in the location path attribute.

Thanks for pointing this out Jacob, you've provided me with today's moment of "Doh!"

Peter
------------------------------------------------------
Work smarter, not harder.

planoie · November 17th, 2003, 03:54 PM

Ok, so I added what looks like this to my web.config.

    <location path="Members">
        <system.web>

            <authentication mode="Forms">
                <forms name="Members" loginUrl="/Members/login.aspx" path="/" />
            </authentication>

            <authorization>
                <deny users="?" />
            </authorization>

        </system.web>
    </location>

I get this error:
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

I usually get this error when I try to define a node in a web.config that lives in a subdirectory below the application root yet this is all in the root web.config.

Also, I tried putting all the other stuff (from the default web.config) into another <location> node, but with not path. No difference. When I change the path to something that doesn't work (like "Members/"), I can see a protected page without the login redirect so that says to me that it's not matching the path. But when the path matches, it crashes on the web.config syntax.

Any ideas?

Peter
------------------------------------------------------
Work smarter, not harder.

planoie · November 17th, 2003, 03:59 PM

Incidentally, I also tried with a path to a file "Members/index.aspx" just to check. No luck there either, same error.

Oh, and I also rearranged the order of the locations (not that I thought that would make a difference, but maybe my web.config feng shui was off ;)).

Peter
------------------------------------------------------
Work smarter, not harder.

jbenson001 · November 17th, 2003, 04:09 PM

let me ask a stupid question, is members configured as a WEB in IIS?

planoie · November 17th, 2003, 04:34 PM

That's no stupid question Jim! I meant to mention that...

No... originally I thought, "Oh, I'll just create that subdir as an application so I can set up the web.config as i need it." But then of course, it was looking for the dll in the /bin which wasn't there, and all my application root reference stuff was off.

Good catch though. :)

Peter
------------------------------------------------------
Work smarter, not harder.