Securing a folder in ASP.NET web directory is not working

Question

I have read and implemented this SO post on the subject but it is not working. It is Forms Based Authentication. Do I have to implement Membership/Roles? If so, how? The following is not working in the sense is that all users still can get to SavAdmin folder.

<location path="~/SavAdmin">
    <system.web>
      <authorization>
        <allow roles="Savitas Admin"/>
       <deny users="?" />
      </authorization>

What happened to the Web Site Administration Tool in Visual Studio 2013 to create Roles, etc?

You didn't implement that; you went past what it offered. Authentication is different than authorization. You've gone into the authorization route, with specific roles being authorized to specific folders. — George Stocker, Apr 01 '14 at 17:12
Yes, it needs. because it allow-restrict based on roles !! refer [Sample Membership Provider Implementation](http://msdn.microsoft.com/en-us/library/6tc47t75.ASPX) — huMpty duMpty, Apr 01 '14 at 17:12

Joe · Answer 1 · 2014-04-01T17:58:32.637

You don't need to implement Membership/Roles - the authorization element was available in .NET 1.x before Membership/Roles was created. But using Membership will simplify authentication when using Forms Authentication, and using Roles will simplify authorization.

The following is not working

What do you mean by "not working"?

Perhaps you are missing a deny element, such as:

<deny users="?" />

to deny anonymous users.

UPDATE

What's not working is that I can still get to that subfolder and it's list of files

I'm not clear what you mean by "get to that subfolder".

If you mean you can browse the directory, you need to configure IIS to prevent this. See the following link for more info: http://technet.microsoft.com/en-us/library/cc725840(v=ws.10).aspx

If you mean you can access aspx pages in that folder, this is probably because you don't have a <deny> element to restrict access.

What's not working is that I can still get to that subfolder and it's list of files — user2471435, Apr 01 '14 at 17:52

score 0 · Answer 2 · answered Apr 01 '14 at 17:13

0

Yes. you have to implement Membership/Roles if you use the above configuration.

Depending on whether you're using Windows Authentication or Forms etc., you can implement various mechanisms to secure the folder. let us know your authentication and the error you get etc.

answered Apr 01 '14 at 17:13

Raja Nadar

9,409
2
32
41

How do I implement Membership/Roles? Is there an easier way? I just need to secure this folder by the role – user2471435 Apr 01 '14 at 17:44
It's Forms Authentication – user2471435 Apr 01 '14 at 17:58

Securing a folder in ASP.NET web directory is not working

2 Answers2