Master pages and Forms Authorization

[gilly3]

I'd like to use a master page for (nearly) every page in my ASP.NET 2.0
website.

I also have some webpages that I'd like to protect by using forms
authorization.

I have a page that requires authenticated users, so I've dropped it in a
virtual application with a web.config that denies access to anonymous users
like so:

<authorization>
<allow users="*" />
<deny users="?" />
</authorization>

This page also uses the global master page which resides at the root level.

Trying to load this page results in an exception:

The virtual path '/MasterPage.master' maps to another application, which is
not allowed.

Is this really by design? It's a real bummer when two great new features
don't play well with each other. Am I missing something here? Can I
utilize forms authorization without putting my protected pages in a virtual
application? Alternatively, is there a way to use a single master page in
several virtual applications?

thanks

-ivan.

 

[Erik Funkenbusch]

I'd like to use a master page for (nearly) every page in my ASP.NET 2.0
website.
Ok.

I also have some webpages that I'd like to protect by using forms
authorization.
Ok.

I have a page that requires authenticated users, so I've dropped it in a
virtual application with a web.config that denies access to anonymous users
like so:

Why? You don't have to specify a new web application to protect just a few
pages. You can specificy protection of individual pages in the location
section of the web.config.

<authorization>
<allow users="*" />
<deny users="?" />
</authorization>

As a side note, this won't work. This will allow all users, all the time.
You want to reverse the order of those, since asp will take the first valid
condition and apply it, in this case allow all users. Reverse it so that
unauthenticated users are denied first.