Setting authorization rules for a particular page or folder in web.config

guru_sarkar — Mon, 29 Sep 2008 17:50:00 GMT

I have seen so many people asking again and again how to give allow access to particular page to a person or roles. So I thought its good to put this in one place. I will discuss how to configure web.config depending on the scenario.

We will start with a web.config without any authorization and modify it on case by case bassis.

No Authorization

We will start with the root web.config without any authorization.

<configuration>
<system.web>
<authentication mode="Forms">
</authentication>
</system.web>

</configuration>

Deny Anonymous user to access entire website

This is the case when you want everybody to login before the can start browsing around your website. i.e. The first thing they will see is a login page.

<system.web>
<authentication mode="Forms">
</authentication>
<authorization>
<deny users="?"/> //will deny anonymous users
</authorization>

</system.web>

The above situation is good when user don't have to register themselves but instead their user account is created by some administrator.

Allow access to everyone to a particular page

Sometimes you want to allow public access to your registeration page and want to restrict access to rest of the site only to logged / authenticated users .i.e. do not allow anonymous access. Say your registration page is called register.aspx in your site's root folder. In the web.config of your website's root folder you need to have following setup.

<configuration>

<system.web>

<authentication mode="Forms"/>
<authorization> <deny users="?"/> //this will restrict anonymous user access
</authorization>
</system.web>

<location path="register.aspx"> //path here is path to your register.aspx page e.g. it could be ~/publicpages/register.aspx
<system.web>
<authorization>
<allow users="*"/> // this will allow access to everyone to register.aspx
</authorization>

</system.web>
</location>

</configuration>

Till now we saw either allow users or to authenticated users only. But there could be cases where we want to allow particular user to certain pages but deny everyone else (authenticated as well as anonymous).

To allow access to particular user only and deny everyone else

Say you want to give access to user "John" to a particular page e.g. userpersonal.aspx and deny all others the location tag above should look like below:

<location path="userpersonal.aspx">
<system.web>
<authorization>
<allow users="John"/> // allow John ..note: you can have multiple users seperated by comma e.g. John,Mary,etc
<deny users="*"/> // deny others
</authorization>
</system.web>

</location>

Allow only users in particular Role

Here I am will not show how to setup roles. I assume you have roles managment setup for users. We will see now what needs to be done in web.config to configure authorization for a particular role. e.g You have two roles. Customer and Admin and two folders CustomerFolder and AdminFolder. Users in Admin role can access both folders. Users in Customers role can access only CustomerFolder and not AdminFolder. You will have to add location tags for each folder path as shown below:

<location path="AdminFolder">

<system.web>
<authorization>
<allow roles="Admin"/> //Allows users in Admin role
<deny users="*"/> // deny everyone else
</authorization>
</system.web>

</location>
<location path="CustomerFolder">

<system.web>
<authorization>
<allow roles="Admin, Customers"/> //Allow users in Admin and Customers roles
<deny users="*"/> // Deny rest of all
</authorization>
</system.web>

</location>

Alternate way - using individual web.config for each Folder

Alternative to above mentioned method of using <location../> tag, you can add web.config to each folder and configure authorization accordingly almost similar to one show above but not using location tag. Taking same eg. as above. Add web.config to both the folders - AdminFolder and CustomerFolder.

Web.config in AdminFolder should look like:

<configuration>

<system.web>

<authorization>
<allow roles="Admin"/> //Allows users in Admin role
<deny users="*"/> // deny everyone else
</authorization>
</system.web>

</configuration>
Web.config in CustomerFolder should look like:

<configuration>

<system.web>

<authorization>
<allow roles="Admin, Customers"/> //Allow users in Admin and Customers roles
<deny users="*"/> // Deny rest of all
</authorization>
</system.web>

</configuration>

Images and CSS files

Say you have all your images and CSS in a seperate folder called images and you are denying anonymous access to your website. In that case you might see that on your login page you cannot see images(if any) and css(if any) applied to your login page controls.

In that case you can add a web.config to the images and css folder and allow access to everyone to that folder. So your web.config in images folder should look as below:

<configuration>

<system.web>
<authorization>
<allow users="*"/> //Allow everyone

</authorization>
</system.web>

</configuration>

Common Mistakes

I have seen people complaining that they have setup their roles correctly and also made entry to their web.config but still their authorization doesn't work. Even they have allowed access to their role that user cannot access particular page/folder. The common reason for that is placing <deny../> before <allow ../>.

Say the web.config from AdminFolder as we have seen before is something like this:

//This web.config will not allow access to users even they are in Admin Role

<configuration>

<system.web>

<authorization>

<deny users="*"/> // deny everyone else
<allow roles="Admin"/> //Allows users in Admin role
</authorization>
</system.web>

</configuration>

Since the authorization is done from top to bottom, rules are checked until a match is found. Here we have <deny users="*"/> first and so it will not check for allow any more and deny access even if in Admin role.

So PUT all allows BEFORE ANY deny.

NOTE: deny works the same way as allow. You can deny particular roles or users as per your requirement.

I hope this will answer some of the question regarding how to authorize pages / folders(directories). Comments welcome.

Resources

ASP.NET Authorization : http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx
Authorizing Users and Roles: http://quickstarts.asp.net/QuickStartv20/aspnet/doc/security/authorization.aspx

Guru Sarkar's Blog : ASP.NET Authorization

Setting authorization rules for a particular page or folder in web.config