Reputation: 9881
How to allow anonymous user access to virtual directory
I am currently preventing anonymous users access to my root application.
/web.config
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
But am allowing anonymous access to public resources (Images, CSS, etc.):
<location path="Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Now, I would like to add a virtual directory which should be accessible to anonymous users. I added a configuration based on the Images path, but whenever I try to access that location, I get redirected to the login page with the ReturnURL set to the virtual directory.
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
In addition, I tried to specify the global authorization within my virtual directory's web.config but get an error saying I can only have that once
/virtualDirectory/web.config:
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
How can I allow anonymous access to a virtual directory when my root application is preventing anonymous access?
Upvotes: 6
Views: 7010
Answers (4)
Reputation: 20034
Some notes.
The asterisk mark (*) represents all identity.
The question mark (?) represents the anonymous identity.
So ideally, you don't need to set to allow authentication for the anonymous user for your virtualDirectory in the global web.config.
Go to IIS, under your Virtual Directory > select Authentication > Enable Anonymous Authentication.
Refer
How to: Create and Configure Virtual Directories in IIS
Upvotes: 3
Reputation: 22054
In your global web.config encapsulate the
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
with
<location path="." inheritInChildApplications="false">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
It means - authorization is enforced only in root app, not for the child apps.
Upvotes: 4
Reputation: 2213
Your authorization rules looks good. The last error you are getting is because you can have authorization section (in fact any section) only once per folder/file/path. So either have it globally i.e. under <location path="virtualDirectory"> or only in web.config of Virtual Directory. Having it in both places will give you an error. What is authentication set at Virtual Directory.
Make sure anonymous is enabled along with the allow authorization rule. (IIS Manager ->Sites -> your specific site->virtual directory-> in the central pane Authentication )
Also in IIS GUI there are ASP.NET Authorization rules (the one you are using currently) and IIS Authorization rules. Make sure there aren't any deny IIS Authorization rules.
Upvotes: 0
Reputation: 3952
In your global web.config remove
<location path="virtualDirectory">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Then go to IIS manager and
In the Virtual directory Home area, double-click Authentication
Right-click Anonymous Authentication, and then click Enable
Upvotes: 0
Related Questions
- "HTTP status 401: Access Denied" error for web service even when the virtual directory allows Anonymous access
- Allow anonymous access to a directory in a IIS site that uses Windows Authentication
- Authorize a directory for anonymous users IIS 7.5?
- IIS Virtual Directory access restricted to only one user
- IIS 7.5/ASP.NET - Anonymous access to everything except one directory - how?
- how to prevent access to virtual directory without login to a website
- How to deny anonymous users to virtual directory
- Virtual Directory, remote host with authentication
- IIS Virtual Folders Permissions per User Account
- Authentication for IIS content in virtual directory under ASP.NET MVC website