Setting authorization rules for a particular page or folder in web.config

I have seen so many people asking again and again how to give a particular user or role access to a particular page. So I thought it would be good to put this in one place. I will discuss how to configure web.config depending on the scenario.

We will start with a web.config without any authorization and modify it on a case-by-case basis.

No Authorization

We will start with the root web.config without any authorization.

<configuration>
  <system.web>
    <authentication mode="Forms">
    </authentication>
  </system.web>
</configuration>

Deny Anonymous user to access entire website

This is the case when you want everybody to log in before they can start browsing around your website, i.e. the first thing they will see is a login page.

<system.web>
  <authentication mode="Forms">
  </authentication>
  <authorization>
    <deny users="?"/> <!-- will deny anonymous users -->
  </authorization>
</system.web>

The above setup is good when users don't have to register themselves but instead their user accounts are created by an administrator.

Allow access to everyone to a particular page

Sometimes you want to allow public access to your registration page and restrict access to the rest of the site to logged-in / authenticated users only, i.e. not allow anonymous access. Say your registration page is called register.aspx in your site's root folder. In the web.config of your website's root folder you need to have the following setup.

<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization>
      <deny users="?"/> <!-- this will restrict anonymous user access -->
    </authorization>
  </system.web>
  <location path="register.aspx"> <!-- path here is the path to your register.aspx page, e.g. it could be ~/publicpages/register.aspx -->
    <system.web>
      <authorization>
        <allow users="*"/> <!-- this will allow everyone access to register.aspx -->
      </authorization>
    </system.web>
  </location>
</configuration>

So far we have seen either allowing all users or allowing authenticated users only. But there could be cases where we want to allow a particular user access to certain pages but deny everyone else (authenticated as well as anonymous).

To allow access to particular user only and deny everyone else

Say you want to give user "John" access to a particular page, e.g. userpersonal.aspx, and deny all others. The location tag above should look like this:

<location path="userpersonal.aspx">
  <system.web>
    <authorization>
      <allow users="John"/> <!-- allow John. Note: you can have multiple users separated by commas, e.g. John,Mary,etc. -->
      <deny users="*"/> <!-- deny others -->
    </authorization>
  </system.web>
</location>

Allow only users in particular Role

Here I will not show how to set up roles. I assume you have role management set up for your users. We will now see what needs to be done in web.config to configure authorization for a particular role. E.g. you have two roles, Customers and Admin, and two folders, CustomerFolder and AdminFolder. Users in the Admin role can access both folders. Users in the Customers role can access only CustomerFolder and not AdminFolder. You will have to add location tags for each folder path as shown below:

<location path="AdminFolder">
  <system.web>
    <authorization>
      <allow roles="Admin"/> <!-- allows users in Admin role -->
      <deny users="*"/> <!-- deny everyone else -->
    </authorization>
  </system.web>
</location>

<location path="CustomerFolder">
  <system.web>
    <authorization>
      <allow roles="Admin, Customers"/> <!-- allow users in Admin and Customers roles -->
      <deny users="*"/> <!-- deny the rest -->
    </authorization>
  </system.web>
</location>

Alternate way - using individual web.config for each Folder

As an alternative to the <location .../> tag method above, you can add a web.config to each folder and configure authorization there, almost the same as shown above but without the location tag. Taking the same example as above, add a web.config to both folders, AdminFolder and CustomerFolder.

Web.config in AdminFolder should look like:

<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin"/> <!-- allows users in Admin role -->
      <deny users="*"/> <!-- deny everyone else -->
    </authorization>
  </system.web>
</configuration>

Web.config in CustomerFolder should look like:

<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin, Customers"/> <!-- allow users in Admin and Customers roles -->
      <deny users="*"/> <!-- deny the rest -->
    </authorization>
  </system.web>
</configuration>

Images and CSS files

Say you have all your images and CSS in a separate folder called images and you are denying anonymous access to your website. In that case you might find that on your login page you cannot see the images (if any) and the CSS (if any) is not applied to your login page controls.

In that case you can add a web.config to the images and CSS folder and allow everyone access to that folder. So your web.config in the images folder should look as below:

<configuration>
  <system.web>
    <authorization>
      <allow users="*"/> <!-- allow everyone -->
    </authorization>
  </system.web>
</configuration>

Common Mistakes

I have seen people complaining that they have set up their roles correctly and also made the entry in their web.config, but still their authorization doesn't work: even though they have allowed access to their role, the user cannot access the particular page/folder. The common reason for that is placing <deny .../> before <allow .../>.

Say the web.config from AdminFolder we saw before is something like this:

<!-- This web.config will not allow access to users even if they are in the Admin role -->
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/> <!-- deny everyone else -->
      <allow roles="Admin"/> <!-- allows users in Admin role -->
    </authorization>
  </system.web>
</configuration>

Since authorization rules are evaluated from top to bottom, rules are checked until a match is found. Here we have <deny users="*"/> first, so the allow rule is never checked and access is denied even for a user in the Admin role.

So PUT all allows BEFORE ANY deny.

NOTE: deny works the same way as allow. You can deny particular roles or users as per your requirement. 
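As an added illustration of the top-to-bottom scan described in this section and of the register.aspx setup earlier (example code written for this page, not ASP.NET's own implementation): a small Python model that walks the <authorization> rules first-match-wins, consulting a matching <location> before the root rules. The configs are constructed; the model assumes an anonymous request is represented by user=None and ignores rule sources other than the given file, apart from the machine-level allow-all default.

```python
import xml.etree.ElementTree as ET

def _norm(p):
    return p.strip().lstrip("~").strip("/").lower()   # '~/AdminFolder/' -> 'adminfolder'

def _covers(location_path, request_path):
    loc, req = _norm(location_path), _norm(request_path)
    return req == loc or req.startswith(loc + "/")   # a folder location covers its children

def _rules(auth_el):
    """Yield (verb, attr, names) for each <allow>/<deny> child, in document order."""
    for el in auth_el:
        for attr in ("users", "roles"):
            if el.tag in ("allow", "deny") and attr in el.attrib:
                yield el.tag, attr, [n.strip() for n in el.attrib[attr].split(",")]

def _matches(attr, names, user, roles):
    """'*' is everyone, '?' is the anonymous user (modelled here as user=None)."""
    for name in names:
        if attr == "users":
            if name == "*" or (name == "?" and user is None):
                return True
            if user is not None and name.lower() == user.lower():
                return True
        elif user is not None and name.lower() in [r.lower() for r in roles]:
            return True
    return False

def is_allowed(config_xml, request_path, user=None, roles=()):
    """Model of the ASP.NET scan: the first matching rule wins, <location> rules run before
    the root rules, and with no match the request is allowed (machine-level default)."""
    root = ET.fromstring(config_xml)
    locs = [loc for loc in root.findall("location") if _covers(loc.get("path", ""), request_path)]
    sections = [loc.find("system.web/authorization") for loc in locs]
    sections.append(root.find("system.web/authorization"))
    for auth in sections:
        if auth is None:
            continue
        for verb, attr, names in _rules(auth):
            if _matches(attr, names, user, roles):
                return verb == "allow"
    return True

# Constructed root web.config: login required except on register.aspx; AdminFolder is Admin-only.
SITE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms"/>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="register.aspx">
    <system.web><authorization><allow users="*"/></authorization></system.web>
  </location>
  <location path="AdminFolder">
    <system.web><authorization><allow roles="Admin"/><deny users="*"/></authorization></system.web>
  </location>
</configuration>"""

# Constructed: the "Common Mistakes" ordering, deny placed before allow.
WRONG_ORDER = """<configuration><system.web><authorization>
  <deny users="*"/><allow roles="Admin"/></authorization></system.web></configuration>"""
```

Calling is_allowed(WRONG_ORDER, "AdminFolder/users.aspx", "John", ["Admin"]) returns False even though John is an Admin, while the same request against SITE_CONFIG returns True.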

Update: Issue with IIS 7

With IIS 7 you will have to give the IUSR anonymous user account access to the folder that contains your CSS or image files. Check the resource below.

I hope this will answer some of the questions regarding how to authorize pages / folders (directories).

Comments welcome.

Resources

83 Comments

  • Good article, very helpful

  • It's a very useful article. It has resolved all types of ambiguities.

  • Clean concise and best of all .... it works!

  • Great article, but I'm still confused about one thing.

    How do I allow access to everyone except the one group?

    This doesn't seem to work for me.


  • I use a different web.config for each folder with special access. For those who are denied access, how can I redirect them to a different page?

  • Hi M Hooge,

    Check this: http://www.asp.net/learn/security/tutorial-07-vb.aspx

  • Multiple domains require a better solution. If the app is accessed by more than one domain we shouldn't need dom1\Accounting, dom2\Accounting, dom3\Accounting.

  • Nice post. Thanks. Is it possible to store and maintain users, roles, page paths, passwords, etc., in a central location or database?

  • Hi M E,

    Yes it is possible to do what you are asking.
    Check here: http://www.asp.net/learn/security/

  • thanks

  • Boss, the below section denies all users. Don't know for what reasons, tried much.
    I am getting the user validated and it should not be unauthorised, but it's actually denying all.
    See if you can sight any reasons.
    <location path="userpersonal.aspx">
    <system.web>
    <authorization>
    <allow users="John"/> // allow John ..note: you can have multiple users separated by comma e.g. John,Mary,etc
    <deny users="*"/> // deny others
    </authorization>
    </system.web>
    </location>

  • Subhra,
    The settings you are pointing to should allow user who is logged-in with username "John" and deny rest.
    Make sure user 'John' is in fact authenticated.
    May be you might want to provide more details.

  • Hi Guru

    It is a very helpful article. Can I know how you managed to get source code in the blog? When I tried using Live Writer, I could not figure out any tool to publish source code. It simply publishes it as text.

  • sukumarraju,

    I think I just copy-pasted from VS source code file and the colors etc. was taken up by editor. I don't remember of using any tool like they have on asp.net Forums site.

  • thanx

  • Very usefull this blog, tnks.

  • Much needed article

  • Great article, this doesn't work with Firefox using IIS 7.5

  • Nimrod,
    Can you provide more info on that...as there should be something else going on and not the configurations in web.config....

  • The article is very good, easily understandable and very useful.

  • excellent piece.. short concise and to the point.. thanks

  • Thanks for such a useful article.

  • Great. Images and CSS not getting applied is solved after reading and understanding the article. Also, how to configure various users and roles based authorization is clearly explained. Thank you for the article.

    Sudar

  • The article is concise but covers the topic in great detail. It's like a one-stop-shop article. Helped me a lot. Thanks. Expecting more such CONCISE articles.

  • This is a very useful article for making authentication................thanks

  • Excellent article, just what I needed. Thank you so much!

  • The article is very good, easily understandable and very useful.

  • Very good contribution, it was a great help to me


    excellent

  • Great Post!

    Thanks and best regards!

  • Setting authorization rules for a particular page or folder in web config.. Outstanding :)

  • I've put my page authorization in the main web.config file but it's not working,
    I've 1 page inside the Forms folder which is Test.aspx
    in my root web.config I've put the below tag









    I've 2 users, admin and user. On Test.aspx when I select View in Browser it shows me the Login page, which is correct, but when I log in through any account, admin/user, it is showing me Test.aspx, which is wrong; Test.aspx should only be seen by admin

    can anyone please tell me what I am missing here

  • urac12,
    Have you configured the forms authentication correctly? Because with your current setting I see it will deny everyone to view Test.aspx.
    And your authorization order should be like this:





  • Thank you so much for this! I've been trying to figure out how to do individual security and I'd find a partial example with the <location> then an example with the separate web.config. I couldn't figure out which was right. :) Thanks to you, I now know they are both different ways of doing it. That's the biggest problem I have with microsoft....many ways to do one thing and rarely does one bother to compare them.

  • Great Article..

    Thanks

  • very helpful indeed

  • thanks...it helped me lot.

  • Hi,

    We have two name groups like BB Staff or IS Group. allow/deny doesn't seem to work with spaces.

    Is there a way to substitute spaces?

    Thanks

    p.s. Great article

  • Sergio,
    I never came across that but quick search gave this: http://forums.asp.net/t/1389861.aspx/1
    Let me know if that doesn't help and I will do some testing.

  • Great article - especially your tip about the 'allow/deny'-order - thanks!

  • This is very helpful. It prevents you from creating a highly complex, nested file system structure in order to apply different configuration settings on the content on that folder. However, I still don't know whether we can use a location element for "2" files or not. For example, can we have something like this:

    <location path='register.aspx, ~/en/eula.aspx'>

  • Saeed Neamati,
    No, you can't use multiple locations in path. The best way is to put the files in one folder (if feasible), otherwise you will have to add a separate location element for each path.

  • In webservice web.config the following gives an error as shown below.

    <authorization>

        <allow roles="Domain\AD-group-name"/>

        <deny users="*"/>

    </authorization>

    -----------

    Error:-

    Access is denied.

    Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

    Error message 401.2.: You do not have permission to view this directory or page using the credentials you supplied.

    ----------

  • Very good article.

  • You simplified the stuff more than anyone out there

  • Thank you for a great lesson! Very well written.

    My problem is, I can enter into a browser the full url of an Adobe Acrobat *.pdf located in a "protected" directory, and the file will come right up?

    How can I use the deny anonymous user command to prevent this?

    Thanks in advance.

    I am trying to create a simple

  • Thanks for this article. very helpful. More power

  • Great article thanks

  • Very good article but I have to check for all condition.

  • @Barry
    .pdf files will not be secured via these settings unless you tell IIS to treat them as .aspx files. Search for "Securing non-asp.net files" and you should get good articles.

  • Access denied! I think a login page is needed in order to type the user "john". Nice article, thanks.

  • Hiii This is Krishna... Ur Answers which are Multiple for "Setting authorization rules for a particular page or folder in web.config" is Very much useful in my projects...

    Thanks Alot....

    U r Great...?
    Plz dont quit posting...!!!

  • Excellent article!

  • nice work , it really helped me lot

  • Great article, thanks.......

  • Very helpful, thank you for the article.

  • very helpful any beginner would be looking for such a thing/information. Thanks

  • After I create all of this code in different folders, my question, Sir Sarkar, is
    how can I add the users who successfully logged in to my site to their Roles

    ex. User: Robert
    Password: Guest

    how can I add Robert to the Guest Role to restrict or allow access to the admin folder once he has logged in? I use Visual Basic.

    Thanks Sir.

  • Very nice article and too good description.
    Solved my issue. Thanks a lot!!!!

  • Great article. I had one requirement. My web app uses Windows authentication and uploads files to the server.
    The uploaded files are to be saved to different directories based on username. How can I restrict a user to upload files only to one particular container by changing settings in web.config?
    Please help me in this scenario

    My mail id is bshanmukeshwar@live.com

  • I have a folder called reports with sub folders. Each folder has a web.config file which specifies user access. This web.config works on my local machine but not the server. Any ideas?

  • Caolong,
    What kind of authentication and authorization are you using? If you are using built-in membership and roles providers make sure they are properly configured.

  • Great888!!!!!! :)

    I was confused since last 2 years..........now feeling good :)

    Thanks!

  • thanks.
    Is it possible to define 1 user in web.config and allow him to a specific folder like admin?

  • naji,
    yes...There's one example above.

  • I have a set of folders where I have

        <allow users="domain\user1, domain\user2, domain\user3, domain\user4" />

        <deny users="*" />

    This works perfectly. But I copied the entire set of folders and files to the same server but the access fails with a 401-unauthorized error. What am I missing?

  • Joe,
    With forms authentication I believe you should be redirected to your login page ideally.
    Is the access denied to the user1, etc. or to some other asp.net Network/Service account?

  • Ultimate article... Is it possible to show how to assign the roles to each user when they log in ?

  • hi, how does the system know which role the user who is accessing it has?

    how to manage the roles?

  • Santosh,
    Do you mean brand new roles when a user is created or retrieving roles upon login?
    Refer this tutorial: http://www.asp.net/web-forms/tutorials/security/roles/creating-and-managing-roles-cs

  • jcanez,
    Please check this tutorial: http://www.asp.net/web-forms/tutorials/security/roles/creating-and-managing-roles-cs
    Also check this video: http://www.asp.net/web-forms/videos/how-do-i/how-do-i-secure-my-site-using-membership-and-roles

  • You have saved my day!
    Thanks!

  • Please tell me how can I add these tags from code behind.

  • Shraddha,
    Check these:
    http://weblogs.asp.net/gurusarkar/archive/2008/11/18/changing-user-password-in-web-config.aspx
    http://stackoverflow.com/questions/15401577/modify-web-config-via-c-sharp-insert-above-a-particular-line

  • Thanks a ton - appreciate the great detail and this helped me fix my issue!

  • I have Default.aspx and web.config in root folder.

    I added these lines in the web.config:

    <system.web>

      <authentication mode="Forms">

         <forms loginUrl="~/account/login" timeout="2880" path="/" />

      </authentication>

      <authorization>

        <deny users="?" />

     </authorization>

    </system.web>

    <location path="Default.aspx">

     <system.web>

        <authorization>

           <allow users="*" />

        </authorization>

     </system.web>

    </location>

    I did exactly as shown in the article. However, when I navigated to Default.aspx --> I was taken to the login page. It's denying access. Any idea what I did wrong there?

  • Kevin,
    I don't see anything wrong in the settings. Is that an asp.net MVC app?

  • So frustrating! I had deny BEFORE allow and spent a day beating my head against a wall before I figured it out.

  • You say "put all allows before deny", but that is WRONG. You need to have any <deny users="?" /> first before allows (even if at a higher level) or you won't even have the user authenticated. And there are good reasons to have a deny first. Say you want to deny one specific group, but then allow anyone else. Since it processes in order until a match is found you NEED the deny before the allow or a user that falls in both groups would be allowed in, even if you are trying to deny everyone in a certain group and they belong to that group.

  • How can I check this in C# code?

  • MR,
    That's a general rule based on how the rules are scanned from top to bottom. But if putting deny first in your case makes sense, you can use it.

  • @Girish,
    What exactly do you want to check in C# code? You can check Request.IsAuthenticated to check if the user is authenticated. You can use User.IsInRole or the built-in asp.net Roles.IsUserInRole for checking authorization.

  • God bless you. I have struggled with this for two days.

  • Very good article, very helpful