I am trying to get the simplest example of allowing access by default, denying access unless authenticated to specific directories in IIS, to work. When you Google around, everyone says it's as simple as this:
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
Somehow it hasn't been for me.
Here's the project structure:
Here's the Web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/" />
</authentication>
<authorization>
<!--<deny users="*"/>-->
</authorization>
<compilation debug="true" targetFramework="4.5.1" />
<httpRuntime targetFramework="4.5.1" />
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<location path="~/pages">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
The goal is to allow all users to access index.html and to deny access to everything in pages.
Here's my observations:
<!--<deny users="*"/>-->works when un-commented.- It doesn't work at all without
<modules runAllManagedModulesForAllRequests="true" />. Remove this,denydoesn't work anywhere. - The
denyin<location path="~/pages">doesn't work. Setting the path topagesorpages/secure.htmlor~/pages/secure.htmlalso doesn't work.
What's the problem here?
