What happens when you need to protect your whole site so that only Authenticated users can access our site.
Since I received this question twice this week I thought I’d share a tip.
To allow ONLY authenticated access to your site using Forms authentication you can add a section like this on e to your application’s web.config file.
<authentication mode="Forms"> <forms loginUrl="Login.aspx" name="Login" protection="All"/> </authentication> <authorization> <deny users="?"/> </authorization>
The problem is that it seems lots of folks don’t want users to automatically redirect to the Login.aspx page when they navigate to their site home page.
To require authentication for all the pages in your web application EXCEPT the home page (Default.aspx))
Also add a location section to your web.config file that explicitly allows anonymous users to access JUST the default.aspx page.
<location path="default.aspx"> <system.web> <authorization> <allow users="*"/> </authorization> </system.web> </location>
You can use the web.config location element to specify folders as well as pages which makes it a very powerful construct.
How do we achieve this if the website is using Windows Authentication not forms?
RE: Site Authentication Required, Except Default.aspx
Pingback from Site Authentication Required, Except Default.aspx : Misfit Geek
subbaraokv I don’t believe you can, since Windows Authentication is set for the whole application you cannot define single pages within that application to ignore it.
The workaround would be to create a new website in IIS that allows anonymous authentication to the root directory.
Then create a subdirectory and convert it to an application which you can enable Windows Authentication on.
Visitors hitting the homepage will be able to see it unauthenticated, but requests to the subdirectory will require windows authentication. Hope this helps.
If you want to do it with Windows Authentication then you could use roles
<authorization>
<allow roles="AnActiveDirectoryRole"/>
<deny users="*" />
</authorization>
I had the same type of problem I just put all of the pages I wanted to protect in folders and set authorization in the web.config files and left the pages open to the public in the root
<configuration>
<appSettings/>
<system.web>
<authorization>
<allow roles="Administrators"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
I have one question ,what if I mention the users name in the
<deny users="xyz" />
My login name is xyz
What will happen?
<DENY
when I add xyz in the <deny users="xyz" ?>
its letting me to login to the page….
krish,
I setup several web sites in our enterprise and I always had to include the domain name for allow/deny.
Example: <allow users="domain\xyz"/>
Not sure if you would need the machine (computer) name if you are just using a stand alone server.
BTW Joe, Thanks for the Tip. I hadn’t thought about the location path for doing that. I always made sub directories
Yea, I always used sub directorys for protected areas and hadn’t about it untill people emailed me and asked.
so if I want to make my site members I can use forms excellent cool info thanks for the tip
Hi Joe, nice tip ! Thanks
Nice to hear smart people, Hi Joe, I am back to read all again!
Sincerely, LukCAD
Hi, I have created 2 subfolder and I need to give permission to 2 different roles. I have writen like this:
<location path="Member">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Member"/>
</authorization>
</system.web>
</location>
<location path="Admin">
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>
But this allows boths the roles to both the folder resources.
May i know how fix this?
Great stuff Joe!
simple but important tips.
thanks joe.
Thanks you!
This is sample, someone who is web dev should knowledge
(^..^)
Thanks for user authentication tips. I’m new to aspx, I’m much grateful for any helpful info.
Hi Joe, nice tip ! Thanks
Good tips! Thank you, Joe.