Authentication on only part of a website?

  • Question

  • User-2033772850 posted

    Hi there,

    Is it possible to have one site (www.mysite.com) and have some pages non-password-protected and some pages password-protected?

    This is the tutorial I was looking at following but I can't see if there is a way to (in web config??) indicate that only some pages are to be password protected.  As an example, I have a website and of the several pages on the site, the only pages I want to be password protected are called reviewerportal.aspx, reviewerstudent.aspx, reviewerrankings.aspx.

    Thanks,

    Liv

    Monday, July 21, 2014 10:41 AM

Answers

  • User281315223 posted

    You can handle this by using the Authorization settings available in your web.config file.

    It can be handled at either the user (i.e. username), role (i.e. rolename) or verb (i.e. POST, GET, etc.) level to help define how granular you want to handle your authorization settings.

    For example, if you had two separate pages Admin.aspx and Other.aspx and you wanted to only allow users within the Admin role to access your Admin.aspx page and any user would be allowed to access your Other.aspx page, you would use:

    <configuration>
      <system.web>
        <!-- Defines that you are using Forms Authentication -->
        <authentication mode="Forms">
          <!-- protection="All" encrypts and validates the authentication cookie -->
          <forms loginUrl="Login.aspx" name=".ASPNETAUTH" protection="All" path="/" timeout="20" />
        </authentication>
        <!-- You can use this "higher-level" definition to apply specific rules to all users of the application and the ones that appear beneath it will override it. For example, this will deny all non-authenticated users from entering your application -->
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
      <!-- Use the location block to define specific settings about a single page -->
      <location path="Admin.aspx">
        <system.web>
          <authorization>
            <!-- The Admin.aspx page will deny all users except those with the "Admin" role.
                 Rules are checked top-down and the first match wins, so the allow comes first. -->
            <allow roles="Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
      <!-- This would allow any user to access the Other.aspx page regardless of their Role -->
      <location path="Other.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    </configuration>

    Guru Sarkar has an excellent blog post on this topic which I would highly recommend reading and which goes into great detail explaining all that you need to know about implementing authorization and access within your web.config. (It covers just about every scenario that you might encounter relating to authentication.)

    A few other handy resources on the topic include : 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 21, 2014 12:53 PM
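
Added example (not part of the original thread and not Microsoft's code): a simplified Python model of ASP.NET URL authorization, run against a constructed web.config for the question's case, where the site is public and only the three reviewer pages require a login. It models users and roles on exact page paths only (verbs and directory inheritance are left out), and `rules_for`, `split`, `matches` and `is_allowed` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed web.config: the site is public; only the three reviewer pages
# from the question require a login (deny users="?" denies anonymous users).
WEB_CONFIG = """
<configuration>
  <system.web>
    <authentication mode="Forms"><forms loginUrl="Login.aspx" /></authentication>
  </system.web>
  <location path="reviewerportal.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="reviewerstudent.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="reviewerrankings.aspx">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
</configuration>
"""

def rules_for(root, page):
    """Merged rule list: the page's own <location> rules first, then site-level rules."""
    rules = []
    for loc in root.findall("location"):
        if loc.get("path", "").lower() == page.lower():
            rules += loc.findall("system.web/authorization/*")
    return rules + root.findall("system.web/authorization/*")

def split(value):
    """Comma-separated attribute value -> lower-cased list (model compares case-insensitively)."""
    return [v.strip().lower() for v in value.split(",") if v.strip()]

def matches(rule, user, roles):
    """user=None means an anonymous request; "?" matches it, "*" matches everyone."""
    users = split(rule.get("users", ""))
    if "*" in users or (user is None and "?" in users):
        return True
    if user is not None and user.lower() in users:
        return True
    return any(r.lower() in split(rule.get("roles", "")) for r in roles)

def is_allowed(config_xml, page, user=None, roles=()):
    """First matching rule decides; if none matches, the default allow-all applies."""
    root = ET.fromstring(config_xml)
    for rule in rules_for(root, page):
        if matches(rule, user, roles):
            return rule.tag == "allow"
    return True
```

Because the first matching rule decides, an `<allow roles="Admin" />` only takes effect when it sits above `<deny users="*" />` in the same `<authorization>` block.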

All replies

  • User-484054684 posted

    If you are using forms authentication, you can probably put restrictions on particular folders by using the location property.

    For a particular page:

    <configuration>
       <location path="Logon.aspx">
          <system.web>
             <authorization>
                <allow users="?"/>
             </authorization>
          </system.web>
       </location>
    </configuration>

    Reference: location Element (ASP.NET Settings Schema) 

    For folders:

    <!-- Configuration for the "Sub1" subdirectory. -->
      <location path="sub1">
        <system.web>
          <!-- Put sections here -->
        </system.web>
      </location>

    Reference: How to: Configure Specific Directories Using Location Settings

    Other references: http://forums.asp.net/t/1763268.aspx?Forms+authentication+for+one+directory

    Monday, July 21, 2014 12:49 PM