Page without authentication in a claims-aware web site

    Question

  • Hello, is it possible to have a page in my web site which isn't covered by the WIF authentication?

    What I need to implement is a page in a claims-aware ASP.NET web site that the user can access without WIF kicking in and redirecting her to the STS.

    What I have already tried is creating a simple aspx page and setting the configuration like this in the web.config:

    <location path="NoAuthHome.aspx">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>

    However it just does not work. The WIF modules catch the request and redirect my user anyway.

    How can I do this?

    Thanks for any help.

    Friday, August 26, 2011 3:31 PM

Answers

  • Yeah. It's a pain. You either need to do one of two things:

    1. Remove the base <deny users="?" /> tag for the root folder and explicitly set one for each page - OR -
    2. Move the page that doesn't require authentication into a separate folder and add an <allow users="*" /> for the folder

    Developer Security MVP | www.steveonsecurity.com
    • Marked as answer by EinCDM Monday, August 29, 2011 9:45 AM
    Friday, August 26, 2011 4:09 PM
  • The above config should indeed exclude NoAuthHome.aspx from authentication. It is definitely cleaner to move all pages into a separate folder, but still this should work...
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    • Marked as answer by EinCDM Monday, August 29, 2011 9:45 AM
    Friday, August 26, 2011 4:53 PM
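
An added example, not part of the thread: a simplified Python model of ASP.NET URL authorization (rules from the most specific `<location>` first, then the root, then the default allow-all; first match wins), useful for checking which paths a web.config leaves open to anonymous users. The sample config, the `Public` folder name and the function names are assumptions; roles and verbs are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: root denies anonymous users, the "Public" folder is opened up.
SAMPLE_CONFIG = """
<configuration>
  <system.web>
    <authorization><deny users="?"/></authorization>
  </system.web>
  <location path="Public">
    <system.web>
      <authorization><allow users="*"/></authorization>
    </system.web>
  </location>
</configuration>
"""

def _rules(system_web):
    """Return [(action, users)] from <system.web><authorization>, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(r.tag, {u.strip() for u in r.get("users", "").split(",")})
            for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, request_path):
    """True if an anonymous request to request_path passes URL authorization."""
    root = ET.fromstring(config_xml)
    request_path = request_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        # A <location> covers the exact file or everything below the folder.
        if p and (request_path == p or request_path.startswith(p + "/")):
            scopes.append((len(p), _rules(loc.find("system.web"))))
    # Most specific <location> first, then the root rules, then the default allow-all.
    merged = [r for _, rs in sorted(scopes, key=lambda s: -s[0]) for r in rs]
    merged += _rules(root.find("system.web")) + [("allow", {"*"})]
    for action, users in merged:
        if users & {"*", "?"}:  # only these tokens match an anonymous caller
            return action == "allow"
    return False

if __name__ == "__main__":
    for path in ("Public/NoAuthHome.aspx", "Default.aspx"):
        print(path, "anonymous allowed:", anonymous_allowed(SAMPLE_CONFIG, path))
```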
