Mixing secure and unsecure pages with Forms Authentication

Search the help files for the <location> element.

It lookes something like this

<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>

Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)

MR. UNDERHILL wrote:

I want to use forms authentication on my website. Looking at the documentation, I create a sample site for testing. One of my requirements is to ensure that SOME pages required an authenticated user and some others, like the home page is not required. I specified the <deny users="?" /> on the web.config, but this is causing ALL pages require the authentication. How can I mix both, without loosing the web.config setup? I know that I can manually check the IsAuthenticated property on pages I want to enforce security, but I have an idea that there is some kind of Page property to specify that is secure, maybe I just dream it!
Thanks

When you said that you can "organize your content in folders representing different level of security", do you mean, multiple web applications (virtual directories)? or folders withing the same web application?. I understand that you can have only ONE web.config located at the ROOT of your web application (virtual directory). Could explain me a little bit more your approach

Having the <allow users="?"/> is going to allow ALL unauthenticated users to get access to ALL pages, which actually defeats the purpose of using these feature

What I'm trying to do is have a <deny users="?"/>, but at the same time ALLOW access to anybody to non restricted pages, I was thinking that the way to do this will be having some kind of property set a the page level to specify that the page is not checking authentication or something like. This will give flexibility to mix pages that requires authentication and some others that not

Thank
----- Joseph E Shook [MVP - ADSI] wrote: ----

Search the help files for the <location> element

It lookes something like thi

<location path="Logon.aspx"><system.web><authorization><allo w users="?"/></authorization></system.web></location

Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :

MR. UNDERHILL wrote

I want to use forms authentication on my website. Looking at the documentation, I create a sample site for testing. One of my requirements is to ensure that SOME pages required an authenticated user and some others, like the home page is not required. I specified the <deny users="?" /> on the web.config, but this is causing ALL pages require the authentication. How can I mix both, without loosing the web.config setup? I know that I can manually check the IsAuthenticated property on pages I want to enforce security, but I have an idea that there is some kind of Page property to specify that is secure, maybe I just dream it

Thank

If you read this you will start to see the ways one can place multiple
web.config files in a single web application. It forms a inheritance
and override behavior. Here is the link...

http://msdn.microsoft.com/library/de...figuration.asp
MR. UNDERHILL wrote:

When you said that you can "organize your content in folders representing different level of security", do you mean, multiple web applications (virtual directories)? or folders withing the same web application?. I understand that you can have only ONE web.config located at the ROOT of your web application (virtual directory). Could explain me a little bit more your approach.

Having the <allow users="?"/> is going to allow ALL unauthenticated users to get access to ALL pages, which actually defeats the purpose of using these feature!

What I'm trying to do is have a <deny users="?"/>, but at the same time ALLOW access to anybody to non restricted pages, I was thinking that the way to do this will be having some kind of property set a the page level to specify that the page is not checking authentication or something like. This will give flexibility to mix pages that requires authentication and some others that not.

Thanks


----- Joseph E Shook [MVP - ADSI] wrote: -----

Search the help files for the <location> element.

It lookes something like this

<location path="Logon.aspx"><system.web><authorization><allo w users="?"/></authorization></system.web></location>

Usually if you can organize your content in folders representing
different level of security and creating a web.config file for each of
these you are better off, but the Location element will give you the
ultimate flexibiltiy and even more chances to forget to secure something :)

MR. UNDERHILL wrote:

> I want to use forms authentication on my website. Looking at the documentation, I create a sample site for testing. One of my requirements is to ensure that SOME pages required an authenticated user and some others, like the home page is not required. I specified the <deny users="?" /> on the web.config, but this is causing ALL pages require the authentication. How can I mix both, without loosing the web.config setup? I know that I can manually check the IsAuthenticated property on pages I want to enforce security, but I have an idea that there is some kind of Page property to specify that is secure, maybe I just dream it!

>>> Thanks

That's really great. Thanks for your help!