8

in asp.net, i use this config section to deny anonymous users for all pages.

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
  <deny users="?" />
</authorization>

and i use the following to declare an exception that anonymous can access.

<location path="Welcome.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

that works fine for me.

however, how can i set only the default page as an exception? (such as: anonymous can access only http://mysite/, but can NOT access any other pages in the site?)

i'v tried use location path="~/" or "/" and it doesn't work.

Improve this question
4
  • Assuming your default page is default.aspx, just use that instead of welcome.aspx. It should handle it when it's accessed at the root.
    – Doozer Blake
    Commented Oct 10, 2011 at 14:17
  • thanks @doozer-blake, but I want let anonymous users access http:/ /mysite/ without default.aspx". the only workaround by now i found is allow all users for the whole site and deny users in *any other locations one by one
    – marstone
    Commented Oct 10, 2011 at 14:49
  • Understood, but it's not picking that up from setting default.aspx? I can run a site locally with the exact setup and it allows anonymous to / or /default.aspx.
    – Doozer Blake
    Commented Oct 10, 2011 at 14:52
  • i tried again it won't works for me. i think maybe because i am use asp.net MVC, and my home page is Home/Index, where location="Home/Index" doesn't work.
    – marstone
    Commented Oct 10, 2011 at 14:56

2 Answers 2

Reset to default
3

If path="Default.aspx" doesn't work then it cannot be done using configuration. There's no syntax available to specify only the application root in the path attribute.

Improve this answer
2
  • thanks. Maybe Default.aspx works in asp.net Pages. However, i am using ASP.NET MVC, any ideas?
    – marstone
    Commented Oct 10, 2011 at 15:50
  • UrlAuthorizationModule executes before MVC Authorization (using Authorize attribute) and because you are using <deny users="?"/> as default you'll never see the home page unless you are logged in. Maybe if you write your own UrlAuthorizationModule.
    – Max Toro
    Commented Oct 10, 2011 at 18:48
0

I think you can change your folder structre to achieve this. Then you can change the web.config to deny user

<configuration>
    <system.web>
        <authorization>
            <allow roles="administrators" />
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>
Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.