formsauthentication ignores web.config

Dirk Meusel

Background:
In the root of my webapp the web.config looks like:

<authentication mode="Forms">
  <forms loginUrl="login.aspx">
  </forms>
</authentication>
<authorization>
  <allow users="*" />
</authorization>
The folder is set in IIS to Application Status

In a subdirectory, where I want to have access controlled, I changed
web.config to:

<authorization>
  <allow roles="Chefs"></allow>
  <deny users="*"></deny>
</authorization>

Problem:
I can still access all the files in the subdirectory, even though no
authentication has taken place. No login.aspx or whatever is
displayed when I try to access a file unauthorised.

Any idea?

thanks
dirk
 
John Saunders

Dirk Meusel said:
Background:
In the root of my webapp the web.config looks like:

<authentication mode="Forms">
  <forms loginUrl="login.aspx">
  </forms>
</authentication>
<authorization>
  <allow users="*" />
</authorization>
The folder is set in IIS to Application Status

In a subdirectory, where I want to have access controlled, I changed
web.config to:

<authorization>
  <allow roles="Chefs"></allow>
  <deny users="*"></deny>
</authorization>

Problem:
I can still access all the files in the subdirectory, even though no
authentication has taken place. No login.aspx or whatever is
displayed when I try to access a file unauthorised.

Try putting the following into the top-level web.config:

<configuration>
  <location path="dir/subdir">
    <system.web>
      <authorization>
        <allow roles="Chefs"></allow>
        <deny users="*"></deny>
      </authorization>
    </system.web>
  </location>
</configuration>
 
Dirk Meusel

Thanks for your quick reply, John,

It does not work either! I even tried to set the subdirectory to
Application Status within IIS; nothing changes.

Even if I have the following in the web.config of the subdirectory:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

I still get full access without any redirecting to login.aspx. It seems
as if ASP.NET simply ignores the web.config in the subdirectory.

Do you have any further ideas?
 
John Saunders

Dirk Meusel said:
Thanks for your quick reply, John,

It does not work either! I even tried to set the subdirectory to
Application Status within IIS; nothing changes.

Even if I have the following in the web.config of the subdirectory:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>

I still get full access without any redirecting to login.aspx. It seems
as if ASP.NET simply ignores the web.config in the subdirectory.

Do you have any further ideas?

It does work. All of my web sites use it.

Remove the web.config from the subdirectory. Also, try using
<location path=".." allowOverride="false"> instead.

Also, I should have stated the set of paths I meant in my example. I was
talking about a site like:

http://site/
http://site/dir
http://site/dir/subdir

The <location> element I provided should allow only Chefs into subdir.
 
Jerry III

Dirk, what you're doing wrong is having a web.config in the directory you
want to control. That essentially creates a new ASP.NET application that has
no ties to the parent app and therefore doesn't know there's a form
authentication (and your authorization setup is ignored because of that).
Just remove the web.config from the subdir you want to control.

The first example below - you're allowing anonymous users to access your
app. In the second you're only allowing a single user to access it, that's why
you're getting the login form. What did you expect?

Jerry
 