Securing ASP.Net Pages - using the location tag
March 26, 2010
posted by Brad Kingsley
I recently posted a blog showing how to set up ASP.NET authentication and password protect an entire website. What if you don't want to secure the entire website though? Or if you want to have different users authorized to different parts of the site?
Let's say you want to allow anyone to access the root of the website but you have two secure subfolders - "secure1" and "secure2" - that you only want certain users to access. Below demonstrates the use of the <location> tag to configure specific security settings for those individual folders.
<configuration>
<system.web>
<authentication mode="Forms">
<forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30">
<credentials passwordFormat="Clear">
<user name="user1"password="pass1"/>
<user name="user2"password="pass2"/>
</credentials>
</forms>
</authentication>
</system.web>
<location path="secure1">
<system.web>
<authorization>
<allow users="user1"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="secure2">
<system.web>
<authorization>
<allow users="user2"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
When setting up the access rules (within the <authorization> attribute) be sure to not only set an <allow> but also a <deny> value as I did above. Otherwise your defined user will have access - but so will everyone else.
This example allows only user1 to access secure1 and only user2 to access secure2.
