Darthtong

Reputation: 1037

Web.config Forms Auth > protect root but allow access to subdirectory

Here's my problem...

I have a website running in IIS7 integrated pipeline mode and I want to enable forms auth on the entire website apart from the '/secure/' directory, which contains the login form.

My web config currently looks something like this...

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <customErrors mode="Off"/>
        <authentication mode="Forms">
            <forms name=".ASPXAUTH" loginUrl="secure/login.aspx" protection="All" path="/" timeout="999999" slidingExpiration="true" enableCrossAppRedirects="true">
                <credentials passwordFormat="Clear">
                    <user name="user1" password="xxxxxx"/>
                </credentials>
            </forms>
        </authentication>
        <authorization>
            <allow users="user1"/>
            <deny users="*"/>
        </authorization>    
    </system.web>
    <location path="secure">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <system.webServer>
        <!--Enabling Forms Authentication for the Entire Application-->
        <modules> 
            <remove name="FormsAuthenticationModule" />    
            <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />    
            <remove name="UrlAuthorization" />    
            <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />    
            <remove name="DefaultAuthentication" />    
            <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />    
        </modules>
    </system.webServer>
</configuration>

When I visit the website URL I just get an endless loop of redirects. I've tried putting the location-specific auth rules above the system.web section, but this had no effect.

Any ideas?

Cheers,

Robin

Upvotes: 0

Views: 1928

Answers (1)

Dima

Reputation: 1761

Access permissions are hierarchical. That is, if you are forbidden to access some parent, you are forbidden to access all of its children, no matter what permissions are set on the children. You can move the login form to the root directory and set permissions for the form; it will work.

Upvotes: 3
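
The layout the answer describes, sketched as an added example (not the answerer's or the asker's own config). It assumes login.aspx has been moved from /secure/ to the application root, and it leaves out the question's `<credentials>` block and `<system.webServer>` modules section, which would stay as posted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <!-- Assumption: login.aspx now lives in the application root.
                 The <credentials> block from the question is omitted here. -->
            <forms name=".ASPXAUTH" loginUrl="~/login.aspx" protection="All" path="/" />
        </authentication>
        <authorization>
            <!-- Root rules from the question: only user1 gets in. -->
            <allow users="user1"/>
            <deny users="*"/>
        </authorization>
    </system.web>
    <!-- Per-file rule for the login form only; every other path keeps the root rules. -->
    <location path="login.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <!-- The <system.webServer> modules section from the question is unchanged
         and not repeated here. -->
</configuration>
```

Because the question re-registers the authentication and authorization modules without a managed-handler precondition, static files the login page references (CSS, images, scripts) are subject to the same rules and need their own `<location>` entries if anonymous visitors must load them.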
