How do I configure ASP.net forms authentication to deny only a specific URL and sub-URLs?

Question

I am using ASP.NET4 with MVC3. I would like to configure my website to use forms Authentication in the following way:

• UNauthenticated users should have access to everything (i.e. /, /home, /freebies )...
• ... except for anything under /paidServices (i.e. /paidServices/fancy, /paidServices)

How do I configure this in my web.config file? My current configuration always goes to the logon page when the user hits the root URL(/), but it should not. It should only go to the logon page if the user tries to access the /paidServices url.

My configuration is as follows:

<configuration>
    <system.web>
        <authentication mode="Forms">
          <forms loginUrl="~/Account/LogOn" path="/" timeout="2880" />
        </authentication>
        <authorization>
          <allow users="*"/>
        </authorization>
    </system.web>

    <location path="~/paidServices">
        <system.web>
            <authorization>
                <deny users="?"/>
            </authorization>
        </system.web>
    </location>

    ... etc ...
</configuration>

What am I doing wrong? Is the fact that I am using ASP.NET MVC making this more complicated?

Answer 1

It's better practice to use Authorize attributes in MVC. These can be applied to a whole controller or just a single controller action.

For example:

[Authorize]
public class paidServicesController
{
 ....

Answer 2

False alarm. The configuration is question was correct. I omitted a URL in my MVC routes configuration, so the default URL (/) was going to the secure section and the Logon form was being shown as expected.

Phil Haack's Route Debugger helped pinpoint the problem: http://haacked.com/archive/2008/03/13/url-routing-debugger.aspx