19

I am new to ASP.NET, so forgive me if this is simple.

I am trying to deny access to my 'Admin' folder via web.config. I looked at another answer to a similar question and they recommend using the <location> folder, however when I insert "Admin/" into the path I get the following error:

path attribute must be a relative virtual path. It cannot start with any of ' ' '.' '/' or '\'. C:\Personal\Projects\OliverSalon\web.config

I have tried placing "Admin", "/Admin" & "Admin/"

<configuration>

<connectionStrings>
    <add name="OliverSalonConnectionString1" connectionString="Data Source=localhost;Initial Catalog=OliverSalon;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
    <compilation debug="false" targetFramework="4.0" />
    <authentication mode="Forms">
        <forms name="Oliver" loginUrl="Login.aspx" path="/" timeout="20">
            <credentials passwordFormat="Clear">
                <user name="OliverSalon" password="cuts"/>
            </credentials>
        </forms>
    </authentication>
    <authorization >
        <deny users="?"/>
    </authorization>
</system.web>
<location path="/Admin">
    <system.webServer>
        <directoryBrowse enabled="false"/>
    </system.webServer>
</location>
</configuration>

Jon Harding

1 Answer

25

This is way back from my web form days.

Place a web.config in your admin folder.

The contents should be:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>

EDIT to answer your question: If you set the login URL, the framework will automatically send you to the login page if an unauthorized user tries to access your admin folder.

<authentication mode="Forms">
    <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Default.aspx" path="/"/>
</authentication>
santiagoIT
  • That works correctly to secure the admin folder, but is there a way within the web.config in the admin folder to redirect them to the Login.aspx page as well? Thanks for the help! – Jon Harding Jan 28 '11 at 03:47
  • If I remember correctly that should just work. If the user is not authorized they will be redirected to the login page as long as you have set the login url. I will edit my answer (better for formatting the code). – santiagoIT Jan 28 '11 at 03:51
  • When I place inside the system.web in the web.config it gives the following error: Error 1 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS. C:\Personal\Projects\OliverSalon\Admin\web.config 15 – Jon Harding Jan 28 '11 at 04:00
  • LoginUrl must be added to the root web.config. Do not add it to the Admin/Web.Config. Then it should be fine ;-) – santiagoIT Jan 28 '11 at 04:13
  • Thanks! Only other adjustment I had to make was rather than letting a role in, I let the user "OliverSalon" have access once they logged in. I know a role based is likely more secure, I will tighten this as I learn more. – Jon Harding Jan 28 '11 at 04:37
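
An added example, not taken from either poster: the same restriction kept in the root web.config with a <location> element, which is what the question was attempting. It reuses the folder name Admin and the user name OliverSalon from the thread; the <credentials> store is left out and would stay as configured in the application.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Root web.config (application level) -->
<configuration>
  <system.web>
    <!-- <authentication> is registered as allowDefinition='MachineToApplication',
         so it may appear only here, never in Admin/web.config. -->
    <authentication mode="Forms">
      <forms name="Oliver" loginUrl="Login.aspx" path="/" timeout="20" />
    </authentication>
    <!-- Site-wide rule from the question: anonymous users are sent to Login.aspx. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- path is relative to the application root and has no leading slash. -->
  <location path="Admin">
    <!-- Access control is <authorization> under system.web.
         directoryBrowse (used in the question) only turns directory
         listings off; it does not restrict who can request pages. -->
    <system.web>
      <authorization>
        <!-- Rules are evaluated top to bottom and the first match wins,
             so the allow entry must come before the catch-all deny. -->
        <allow users="OliverSalon" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Use either this <location> block or a separate Admin/web.config containing only the <authorization> section, not both, so the rules for the folder live in one place.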