Dana,
You've locked down the entire application. You'll want to specify only
certain pages to protect. Here is a sample web.config file that allows
access to an entire application but locks down a single directory:
***Note the <location> section at the bottom which contains a second
<system.web> section.
<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <system.web>

    <!-- AUTHENTICATION
         This section sets the authentication policies of the application.
         Possible modes are "Windows", "Forms", "Passport" and "None"
    -->
    <authentication mode="Forms">
      <!-- The name attribute below specifies the name of the browser cookie
           that contains the authentication ticket. By default the cookie is
           named .ASPXAUTH. If you are configuring multiple apps on the same
           server, you should give a unique cookie name for each app.
           loginUrl is the page to which users are auto-redirected when
           authentication is required. timeout is the amount of time in
           minutes before a cookie expires. The default is 30 min. -->
      <forms name="LoginCookieName" loginUrl="admin/login.aspx" timeout="20">
        <credentials passwordFormat="SHA1">
          <user name="UserName" password="C8FEBA6A531A71A9AC1BA0D982163C9AADA69820"/>
        </credentials>
      </forms>
    </authentication>

    <!-- AUTHORIZATION
         This section sets the authorization policies of the application. You
         can allow or deny access to application resources by user or role.
         Wildcards: "*" means everyone, "?" means anonymous
         (unauthenticated) users.
    -->
    <authorization>
      <!-- allowing anonymous users access to the entire app -->
      <allow users="?" />
    </authorization>

    <!-- APPLICATION-LEVEL TRACE LOGGING
         Application-level tracing enables trace log output for every page
         within an application. Set trace enabled="true" to enable
         application trace logging. If pageOutput="true", the trace
         information will be displayed at the bottom of each page. Otherwise,
         you can view the application trace log by browsing the "trace.axd"
         page from your web application root.
    -->
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="false" />

    <!-- GLOBALIZATION
         This section sets the globalization settings of the application.
    -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
  </system.web>

  <!-- LOCATION
       The "<location>" tag allows a developer to specify a particular
       folder / file to set properties for.
  -->
  <location path="admin">
    <system.web>

      <!-- AUTHORIZATION
           This section sets the authorization policies of the application.
           You can allow or deny access to application resources by user or
           role. Wildcards: "*" means everyone, "?" means anonymous
           (unauthenticated) users.
      -->
      <authorization>
        <!-- I use the code below to allow one and only one user to access
             the ADMIN folder (directory). My login script returns a username
             and not an id value. If it returned an id value then the id
             value would be used instead. I then deny all users and anonymous
             users. Thus only one user, the site admin, can access the folder
             "Admin" and any pages in that folder. -->
        <allow users="UserName"></allow>
        <deny users="*"></deny>
        <deny users="?"></deny>
      </authorization>
    </system.web>
  </location>
</configuration>
--
Sincerely,
S. Justin Gengo, MCP
Web Developer / Programmer
www.aboutfortunate.com
"Out of chaos comes order."
Nietzsche
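
An added example, not part of the original post: a simplified Python model of how the allow/deny rules in a layout like the one above are resolved, with the `<location>` rules checked before the application-level rules and the first matching rule deciding the outcome. The names `is_allowed`, `SAMPLE_CONFIG` and `MACHINE_DEFAULT` are hypothetical, the sample config is constructed, and the model covers `users` rules only (no roles, verbs, or any special handling of the login page).

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the layout in the post above.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <location path="admin">
    <system.web>
      <authorization>
        <allow users="UserName" />
        <deny users="*" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Default inherited from the machine-level config: allow everyone.
MACHINE_DEFAULT = [("allow", ["*"])]

def _rules(system_web):
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, [u.strip() for u in r.get("users", "").split(",")])
            for r in auth if r.tag in ("allow", "deny")]

def is_allowed(config_xml, url_path, user=None):
    """First matching rule wins; user=None means an anonymous request."""
    root = ET.fromstring(config_xml)
    chain = []
    target = url_path.strip("/").lower()
    # Most specific scope first: <location> rules precede app-level rules.
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if target == prefix or target.startswith(prefix + "/"):
            chain += _rules(loc.find("system.web"))
    chain += _rules(root.find("system.web")) + MACHINE_DEFAULT
    for action, users in chain:
        for u in users:
            # Assumption: user names are compared case-insensitively.
            hit = (u == "*" or (u == "?" and user is None)
                   or (user is not None and u.lower() == user.lower()))
            if hit:
                return action == "allow"
    return False
```

Swapping the application-level rule for `<deny users="?" />` reproduces the "entire application locked down" situation: every anonymous request is refused, not just those under `admin`.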