can I set web.config to require authentication only for some files?

Bennett,
To change the authentication in specific directories all you have to do
is put a web.config file in that directory:

I noticed that in your example you didn't have the code below. This code
basically says that you have to be logged in to have access to the site.
Maybe you don't want this, but based upon your question I'm assuming you do.
<authorization>
<deny users="?"/>
</authorization>

Example: The example below basically says that you anybody can have access
to the files in this directory even if they are not logged in.

<authorization>
<allow users="*"/>
</authorization>

To specify at the file level within a site or directory:
<location path="MyFile.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

HTH

--
Lateralus [MCAD]
"Bennett Haselton" <be*****@peacefire.org> wrote in message
news:e6**************************@posting.google.c om...

If I add this to my web.config file:

<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>

I can configure the application so that users who try to access a page
in the application, get redirected to login.aspx where they have to
sign in. (And the "signing in" is handled in the codebehind page of
login.aspx.)

What if I want to configure authentication so that it's only required
for certain files? Or only for certain directories? Is there a way
to specify in the <forms> tag or in the <authentication> tag that you
want authentication to apply only to certain files or directories? I
couldn't find any documented way.

If you create a subdirectory and put a web.config file in there with
its own <authentication mode="Forms"> tag, in an attempt to make
authentication apply only to files in that directory, then you get the
ASP.Net error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.

As a last resort I could create a new project directory as a
sub-directory under the top-level project directory, but that sounds
inelegant; it'd be better to be able to manage all files in a single
project.

-Bennett

You can specify some pages to require login, and others to not require login
via your web.config file by using the <location> tag.

Here is an example with sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Bennett Haselton" <be*****@peacefire.org> wrote in message
news:e6**************************@posting.google.c om...

If I add this to my web.config file:

<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>

I can configure the application so that users who try to access a page
in the application, get redirected to login.aspx where they have to
sign in. (And the "signing in" is handled in the codebehind page of
login.aspx.)

What if I want to configure authentication so that it's only required
for certain files? Or only for certain directories? Is there a way
to specify in the <forms> tag or in the <authentication> tag that you
want authentication to apply only to certain files or directories? I
couldn't find any documented way.

If you create a subdirectory and put a web.config file in there with
its own <authentication mode="Forms"> tag, in an attempt to make
authentication apply only to files in that directory, then you get the
ASP.Net error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.

As a last resort I could create a new project directory as a
sub-directory under the top-level project directory, but that sounds
inelegant; it'd be better to be able to manage all files in a single
project.

-Bennett

Thanks, that worked! At least once I figured out where the <location>
tag was supposed to go so that the web.config file would be parsed
correctly (it had to go just before the closing </configuration> tag
but I couldn't tell that from the tutorial).

In my original message I had said it broke when I tried putting a
web.config file in the subdirectory, but that was because I also had
the <authentication mode="Forms"> tag in that web.config file, and it
was giving a run-time error because that attribute can only be set in
the application-level web.config file. Once I changed the web.config
file in the subdirectory so that it only set the <authorization>
setting, it worked.

(I assume this means that within the same application, you can't have
one authentication method for one set of pages and a different
authentication method for another set of pages, but that's not
something I need anyway.)

One last question though: is there a way to specify multiple files and
directories in the "path" attribute of the <location> tag:

<location path="subdir">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

I tried entering multiple files separated by commas or semicolons, but
that always gave a run-time error.

It's not a huge pain to add a new <location> tag every time I create a
new page that needs to have required authentication, but I was
curious.

-Bennett

"Steve C. Orr [MVP, MCSD]" <St***@Orr.net> wrote in message news:<e4*************@tk2msftngp13.phx.gbl>...

You can specify some pages to require login, and others to not require login
via your web.config file by using the <location> tag.

Here is an example with sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Bennett Haselton" <be*****@peacefire.org> wrote in message
news:e6**************************@posting.google.c om...

If I add this to my web.config file:

<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>

I can configure the application so that users who try to access a page
in the application, get redirected to login.aspx where they have to
sign in. (And the "signing in" is handled in the codebehind page of
login.aspx.)

What if I want to configure authentication so that it's only required
for certain files? Or only for certain directories? Is there a way
to specify in the <forms> tag or in the <authentication> tag that you
want authentication to apply only to certain files or directories? I
couldn't find any documented way.

If you create a subdirectory and put a web.config file in there with
its own <authentication mode="Forms"> tag, in an attempt to make
authentication apply only to files in that directory, then you get the
ASP.Net error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.

As a last resort I could create a new project directory as a
sub-directory under the top-level project directory, but that sounds
inelegant; it'd be better to be able to manage all files in a single
project.

-Bennett

If you have that many single pages to protect then you should consider
reviewing your application architecture.

However, you can indeed specify a directory to protect as a relative path in
the location element like <location path= " /mydirectory">.

You cannot, as far as I know use a list of files. Of course, you can put all
those files in the same directory and protect that.

Here is a link to the docs.

http://msdn.microsoft.com/library/de...onsettings.asp

Watch the wrap!

- Frank
"Bennett Haselton" <be*****@peacefire.org> wrote in message
news:e6**************************@posting.google.c om...

Thanks, that worked! At least once I figured out where the <location>
tag was supposed to go so that the web.config file would be parsed
correctly (it had to go just before the closing </configuration> tag
but I couldn't tell that from the tutorial).

In my original message I had said it broke when I tried putting a
web.config file in the subdirectory, but that was because I also had
the <authentication mode="Forms"> tag in that web.config file, and it
was giving a run-time error because that attribute can only be set in
the application-level web.config file. Once I changed the web.config
file in the subdirectory so that it only set the <authorization>
setting, it worked.

(I assume this means that within the same application, you can't have
one authentication method for one set of pages and a different
authentication method for another set of pages, but that's not
something I need anyway.)

One last question though: is there a way to specify multiple files and
directories in the "path" attribute of the <location> tag:

<location path="subdir">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>

I tried entering multiple files separated by commas or semicolons, but
that always gave a run-time error.

It's not a huge pain to add a new <location> tag every time I create a
new page that needs to have required authentication, but I was
curious.

-Bennett

"Steve C. Orr [MVP, MCSD]" <St***@Orr.net> wrote in message

news:<e4*************@tk2msftngp13.phx.gbl>...

You can specify some pages to require login, and others to not require login via your web.config file by using the <location> tag.

Here is an example with sample code that you can download and play with.
http://www.dotnetbips.com/displayarticle.aspx?id=117

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
"Bennett Haselton" <be*****@peacefire.org> wrote in message
news:e6**************************@posting.google.c om...

If I add this to my web.config file:

<authentication mode="Forms">
<forms name=".ASPXUSERDEMO" loginUrl="login.aspx" protection="All"
timeout="60" />
</authentication>

I can configure the application so that users who try to access a page
in the application, get redirected to login.aspx where they have to
sign in. (And the "signing in" is handled in the codebehind page of
login.aspx.)

What if I want to configure authentication so that it's only required
for certain files? Or only for certain directories? Is there a way
to specify in the <forms> tag or in the <authentication> tag that you
want authentication to apply only to certain files or directories? I
couldn't find any documented way.

If you create a subdirectory and put a web.config file in there with
its own <authentication mode="Forms"> tag, in an attempt to make
authentication apply only to files in that directory, then you get the
ASP.Net error:

It is an error to use a section registered as
allowDefinition='MachineToApplication' beyond application level.

As a last resort I could create a new project directory as a
sub-directory under the top-level project directory, but that sounds
inelegant; it'd be better to be able to manage all files in a single
project.

-Bennett