I want to use forms authentication on my website. Looking at the documentat
ion, I create a sample site for testing. One of my requirements is to ensur
e that SOME pages required an authenticated user and some others, like the h
ome page is not required.
I specified the <deny users="?" /> on the web.config, but this is causing AL
L pages require the authentication. How can I mix both, without loosing the
web.config setup? I know that I can manually check the IsAuthenticated pro
perty on pages I want to en
force security, but I have an idea that there is some kind of Page property
to specify that is secure, maybe I just dream it!
ThanksSearch the help files for the <location> element.
It lookes something like this
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)
MR. UNDERHILL wrote:
> I want to use forms authentication on my website. Looking at the documentation, I
create a sample site for testing. One of my requirements is to ensure that SOME pa
ges required an authenticated user and some others, like the home page is not requir
ed.
I specified the <deny users="?" /> on the web.config, but this is causing AL
L pages require the authentication. How can I mix both, without loosing the
web.config setup? I know that I can manually check the IsAuthenticated pro
perty on pages I want to
enforce security, but I have an idea that there is some kind of Page property to specify th
at is secure, maybe I just dream it!
>
> Thanks
When you said that you can "organize your content in folders representing di
fferent level of security", do you mean, multiple web applications (virtual
directories)? or folders withing the same web application?. I understand th
at you can have only ONE we
b.config located at the ROOT of your web application (virtual directory). C
ould explain me a little bit more your approach.
Having the <allow users="?"/> is going to allow ALL unauthenticated users to
get access to ALL pages, which actually defeats the purpose of using these
feature!
What I'm trying to do is have a <deny users="?"/>, but at the same time ALLO
W access to anybody to non restricted pages, I was thinking that the way to
do this will be having some kind of property set a the page level to specify
that the page is not check
ing authentication or something like. This will give flexibility to mix pag
es that requires authentication and some others that not.
Thanks
-- Joseph E Shook [MVP - ADSI] wrote: --
Search the help files for the <location> element.
It lookes something like this
<location path="Logon.aspx"><system.web><authorization><allow users="?"/></a
uthorization></system.web></location>
Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)
MR. UNDERHILL wrote:
> I want to use forms authentication on my website. Looking at the documentation, I
create a sample site for testing. One of my requirements is to ensure that SOME pa
ges required an authenticated user and some others, like the home page is not requ[/
color]
ired. I specified the <deny users="?" /> on the web.config, but this is cau
sing ALL pages require the authentication. How can I mix both, without loos
ing the web.config setup? I know that I can manually check the IsAuthentica
ted property on pages I wan
t to enforce security, but I have an idea that there is some kind of Page property to speci
fy that is secure, maybe I just dream it!
If you read this you will start to see the ways one can place multiple
web.config files in a single web application. It forms a inheritance
and override behavior. Here is the link...
http://msdn.microsoft.com/library/d...nfiguration.asp
MR. UNDERHILL wrote:
> When you said that you can "organize your content in folders representing differen
t level of security", do you mean, multiple web applications (virtual directories)?
or folders withing the same web application?. I understand that you can have only O
NE
web.config located at the ROOT of your web application (virtual directory). Could explain
me a little bit more your approach.
> Having the <allow users="?"/> is going to allow ALL unauthenticated users
to get access to ALL pages, which actually defeats the purpose of using thes
e feature!
> What I'm trying to do is have a <deny users="?"/>, but at the same time ALLOW acce
ss to anybody to non restricted pages, I was thinking that the way to do this will b
e having some kind of property set a the page level to specify that the page is not
che
cking authentication or something like. This will give flexibility to mix pages that requi
res authentication and some others that not.
>
>
> Thanks
>
>
> -- Joseph E Shook [MVP - ADSI] wrote: --
> Search the help files for the <location> element.
> It lookes something like this
> <location path="Logon.aspx"><system.web><authorization><allow users="
?"/></authorization></system.web></location>
>
> Usually if you can organize your content in folders representing
> different level of security and creating a web.config file for each o
f
> these you are better off, but the Location element will give you the
> ultimate flexibiltiy and even more chances to forget to secure someth
ing :)
>
> MR. UNDERHILL wrote:
>
quired. I specified the <deny users="?" /> on the web.config, but this is c
ausing ALL pages require the authentication. How can I mix both, without lo
osing the web.config setup? I know that I can manually check the IsAuthenti
cated property on pages I w
ant to enforce security, but I have an idea that there is some kind of Page property to spe
cify that is secure, maybe I just dream it!
>
That's really great. Thanks for your help!
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment