can I set web.config to require authentication only for some files?

Discussion in 'ASP .Net' started by Bennett Haselton, Sep 10, 2004.

  1. If I add this to my web.config file:

    <authentication mode="Forms">
    <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
    timeout="60" />
    </authentication>

    I can configure the application so that users who try to access a page
    in the application, get redirected to login.aspx where they have to
    sign in. (And the "signing in" is handled in the codebehind page of
    login.aspx.)

    What if I want to configure authentication so that it's only required
    for certain files? Or only for certain directories? Is there a way
    to specify in the <forms> tag or in the <authentication> tag that you
    want authentication to apply only to certain files or directories? I
    couldn't find any documented way.

    If you create a subdirectory and put a web.config file in there with
    its own <authentication mode="Forms"> tag, in an attempt to make
    authentication apply only to files in that directory, then you get the
    ASP.Net error:

    It is an error to use a section registered as
    allowDefinition='MachineToApplication' beyond application level.

    As a last resort I could create a new project directory as a
    sub-directory under the top-level project directory, but that sounds
    inelegant; it'd be better to be able to manage all files in a single
    project.

    -Bennett
     
    Bennett Haselton, Sep 10, 2004
    #1
    1. Advertising

  2. Bennett,
    To change the authentication in specific directories all you have to do
    is put a web.config file in that directory:

    I noticed that in your example you didn't have the code below. This code
    basically says that you have to be logged in to have access to the site.
    Maybe you don't want this, but based upon your question I'm assuming you do.
    <authorization>
    <deny users="?"/>
    </authorization>

    Example: The example below basically says that you anybody can have access
    to the files in this directory even if they are not logged in.

    <authorization>
    <allow users="*"/>
    </authorization>

    To specify at the file level within a site or directory:


    <location path="MyFile.aspx">
    <system.web>
    <authorization>
    <allow users="*"/>
    </authorization>
    </system.web>
    </location>

    HTH

    --
    Lateralus [MCAD]


    "Bennett Haselton" <> wrote in message
    news:...
    > If I add this to my web.config file:
    >
    > <authentication mode="Forms">
    > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
    > timeout="60" />
    > </authentication>
    >
    > I can configure the application so that users who try to access a page
    > in the application, get redirected to login.aspx where they have to
    > sign in. (And the "signing in" is handled in the codebehind page of
    > login.aspx.)
    >
    > What if I want to configure authentication so that it's only required
    > for certain files? Or only for certain directories? Is there a way
    > to specify in the <forms> tag or in the <authentication> tag that you
    > want authentication to apply only to certain files or directories? I
    > couldn't find any documented way.
    >
    > If you create a subdirectory and put a web.config file in there with
    > its own <authentication mode="Forms"> tag, in an attempt to make
    > authentication apply only to files in that directory, then you get the
    > ASP.Net error:
    >
    > It is an error to use a section registered as
    > allowDefinition='MachineToApplication' beyond application level.
    >
    > As a last resort I could create a new project directory as a
    > sub-directory under the top-level project directory, but that sounds
    > inelegant; it'd be better to be able to manage all files in a single
    > project.
    >
    > -Bennett
     
    Lateralus [MCAD], Sep 10, 2004
    #2
    1. Advertising

  3. You can specify some pages to require login, and others to not require login
    via your web.config file by using the <location> tag.

    Here is an example with sample code that you can download and play with.
    http://www.dotnetbips.com/displayarticle.aspx?id=117

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://Steve.Orr.net


    "Bennett Haselton" <> wrote in message
    news:...
    > If I add this to my web.config file:
    >
    > <authentication mode="Forms">
    > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
    > timeout="60" />
    > </authentication>
    >
    > I can configure the application so that users who try to access a page
    > in the application, get redirected to login.aspx where they have to
    > sign in. (And the "signing in" is handled in the codebehind page of
    > login.aspx.)
    >
    > What if I want to configure authentication so that it's only required
    > for certain files? Or only for certain directories? Is there a way
    > to specify in the <forms> tag or in the <authentication> tag that you
    > want authentication to apply only to certain files or directories? I
    > couldn't find any documented way.
    >
    > If you create a subdirectory and put a web.config file in there with
    > its own <authentication mode="Forms"> tag, in an attempt to make
    > authentication apply only to files in that directory, then you get the
    > ASP.Net error:
    >
    > It is an error to use a section registered as
    > allowDefinition='MachineToApplication' beyond application level.
    >
    > As a last resort I could create a new project directory as a
    > sub-directory under the top-level project directory, but that sounds
    > inelegant; it'd be better to be able to manage all files in a single
    > project.
    >
    > -Bennett
     
    Steve C. Orr [MVP, MCSD], Sep 10, 2004
    #3
  4. Thanks, that worked! At least once I figured out where the <location>
    tag was supposed to go so that the web.config file would be parsed
    correctly (it had to go just before the closing </configuration> tag
    but I couldn't tell that from the tutorial).

    In my original message I had said it broke when I tried putting a
    web.config file in the subdirectory, but that was because I also had
    the <authentication mode="Forms"> tag in that web.config file, and it
    was giving a run-time error because that attribute can only be set in
    the application-level web.config file. Once I changed the web.config
    file in the subdirectory so that it only set the <authorization>
    setting, it worked.

    (I assume this means that within the same application, you can't have
    one authentication method for one set of pages and a different
    authentication method for another set of pages, but that's not
    something I need anyway.)

    One last question though: is there a way to specify multiple files and
    directories in the "path" attribute of the <location> tag:

    <location path="subdir">
    <system.web>
    <authorization>
    <deny users="?" />
    </authorization>
    </system.web>
    </location>

    I tried entering multiple files separated by commas or semicolons, but
    that always gave a run-time error.

    It's not a huge pain to add a new <location> tag every time I create a
    new page that needs to have required authentication, but I was
    curious.

    -Bennett

    "Steve C. Orr [MVP, MCSD]" <> wrote in message news:<>...
    > You can specify some pages to require login, and others to not require login
    > via your web.config file by using the <location> tag.
    >
    > Here is an example with sample code that you can download and play with.
    > http://www.dotnetbips.com/displayarticle.aspx?id=117
    >
    > --
    > I hope this helps,
    > Steve C. Orr, MCSD, MVP
    > http://Steve.Orr.net
    >
    >
    > "Bennett Haselton" <> wrote in message
    > news:...
    > > If I add this to my web.config file:
    > >
    > > <authentication mode="Forms">
    > > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
    > > timeout="60" />
    > > </authentication>
    > >
    > > I can configure the application so that users who try to access a page
    > > in the application, get redirected to login.aspx where they have to
    > > sign in. (And the "signing in" is handled in the codebehind page of
    > > login.aspx.)
    > >
    > > What if I want to configure authentication so that it's only required
    > > for certain files? Or only for certain directories? Is there a way
    > > to specify in the <forms> tag or in the <authentication> tag that you
    > > want authentication to apply only to certain files or directories? I
    > > couldn't find any documented way.
    > >
    > > If you create a subdirectory and put a web.config file in there with
    > > its own <authentication mode="Forms"> tag, in an attempt to make
    > > authentication apply only to files in that directory, then you get the
    > > ASP.Net error:
    > >
    > > It is an error to use a section registered as
    > > allowDefinition='MachineToApplication' beyond application level.
    > >
    > > As a last resort I could create a new project directory as a
    > > sub-directory under the top-level project directory, but that sounds
    > > inelegant; it'd be better to be able to manage all files in a single
    > > project.
    > >
    > > -Bennett
     
    Bennett Haselton, Sep 10, 2004
    #4
  5. Bennett Haselton

    Frank Mamone Guest

    If you have that many single pages to protect then you should consider
    reviewing your application architecture.

    However, you can indeed specify a directory to protect as a relative path in
    the location element like <location path= " /mydirectory">.

    You cannot, as far as I know use a list of files. Of course, you can put all
    those files in the same directory and protect that.

    Here is a link to the docs.

    http://msdn.microsoft.com/library/d...e/html/cpconconfigurationlocationsettings.asp

    Watch the wrap!

    - Frank


    "Bennett Haselton" <> wrote in message
    news:...
    > Thanks, that worked! At least once I figured out where the <location>
    > tag was supposed to go so that the web.config file would be parsed
    > correctly (it had to go just before the closing </configuration> tag
    > but I couldn't tell that from the tutorial).
    >
    > In my original message I had said it broke when I tried putting a
    > web.config file in the subdirectory, but that was because I also had
    > the <authentication mode="Forms"> tag in that web.config file, and it
    > was giving a run-time error because that attribute can only be set in
    > the application-level web.config file. Once I changed the web.config
    > file in the subdirectory so that it only set the <authorization>
    > setting, it worked.
    >
    > (I assume this means that within the same application, you can't have
    > one authentication method for one set of pages and a different
    > authentication method for another set of pages, but that's not
    > something I need anyway.)
    >
    > One last question though: is there a way to specify multiple files and
    > directories in the "path" attribute of the <location> tag:
    >
    > <location path="subdir">
    > <system.web>
    > <authorization>
    > <deny users="?" />
    > </authorization>
    > </system.web>
    > </location>
    >
    > I tried entering multiple files separated by commas or semicolons, but
    > that always gave a run-time error.
    >
    > It's not a huge pain to add a new <location> tag every time I create a
    > new page that needs to have required authentication, but I was
    > curious.
    >
    > -Bennett
    >
    > "Steve C. Orr [MVP, MCSD]" <> wrote in message

    news:<>...
    > > You can specify some pages to require login, and others to not require

    login
    > > via your web.config file by using the <location> tag.
    > >
    > > Here is an example with sample code that you can download and play with.
    > > http://www.dotnetbips.com/displayarticle.aspx?id=117
    > >
    > > --
    > > I hope this helps,
    > > Steve C. Orr, MCSD, MVP
    > > http://Steve.Orr.net
    > >
    > >
    > > "Bennett Haselton" <> wrote in message
    > > news:...
    > > > If I add this to my web.config file:
    > > >
    > > > <authentication mode="Forms">
    > > > <forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
    > > > timeout="60" />
    > > > </authentication>
    > > >
    > > > I can configure the application so that users who try to access a page
    > > > in the application, get redirected to login.aspx where they have to
    > > > sign in. (And the "signing in" is handled in the codebehind page of
    > > > login.aspx.)
    > > >
    > > > What if I want to configure authentication so that it's only required
    > > > for certain files? Or only for certain directories? Is there a way
    > > > to specify in the <forms> tag or in the <authentication> tag that you
    > > > want authentication to apply only to certain files or directories? I
    > > > couldn't find any documented way.
    > > >
    > > > If you create a subdirectory and put a web.config file in there with
    > > > its own <authentication mode="Forms"> tag, in an attempt to make
    > > > authentication apply only to files in that directory, then you get the
    > > > ASP.Net error:
    > > >
    > > > It is an error to use a section registered as
    > > > allowDefinition='MachineToApplication' beyond application level.
    > > >
    > > > As a last resort I could create a new project directory as a
    > > > sub-directory under the top-level project directory, but that sounds
    > > > inelegant; it'd be better to be able to manage all files in a single
    > > > project.
    > > >
    > > > -Bennett
     
    Frank Mamone, Sep 10, 2004
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Eric
    Replies:
    2
    Views:
    1,530
    Tommy
    Feb 13, 2004
  2. ad
    Replies:
    2
    Views:
    735
  3. CSharpner
    Replies:
    0
    Views:
    1,094
    CSharpner
    Apr 9, 2007
  4. Ollie Riches
    Replies:
    1
    Views:
    1,660
    Gregory A. Beamer
    Dec 4, 2008
  5. Nick Johnson

    Windows Application App.config Files vs. web.config

    Nick Johnson, Mar 12, 2007, in forum: ASP .Net Web Services
    Replies:
    0
    Views:
    683
    Nick Johnson
    Mar 12, 2007
Loading...

Share This Page