ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied

Matt picture Matt · Oct 15, 2010 · Viewed 29.5k times · Source

I am having problems allowing a specific Role access to a specific page in a subdirectory.

My ASP.NET application has a directory, ~/Forms/Administration that has limited access. There is a specific file, ~/Forms/Administration/Default.aspx that I want to give 1 additional user role access to, as well as the Admin role.

In ~/Forms/Administration, I have a web.config file that looks like this:

   <?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator, User" />
            <deny users="*"/>
        </authorization>
    </system.web>

    <location path="Forms/Administration/Default.aspx">
        <system.web>
            <authorization>
                <allow roles="Administrator, User, AdditionalUser" />
            </authorization>
        </system.web>
    </location>

</configuration>

The Admin user works just fine, but AdditionalUser always fails. I've tried a number of things - listing the location as

<location path="Forms/Administration/Default.aspx">

And as

<location path="~/Forms/Administration/Default.aspx">

Is the deny="*" from the first generic rule taking precedent? I tried changing

<deny users="*"/>

To

<deny users="?"/>

But that ends up giving AdditionalUser access to everything. Suggestions?

EDIT: I tried putting the location specific allow before the generic deny rule, in case order mattered. Same problem.

UPDATE: I am clearly missing something here: I removed the deny * config, and left only the location specific section. Then, instead of allowing on certain roles, I set that one to deny all (*). However, it is not denying me at all when I login. I even reduced the rule to not be file specific, but apply to the whole directory, and it's not denying me anything. However, the original non-location specific rules do work, so I know this config file is being read.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <location path="Forms/Administration">
        <system.web>
            <authorization>
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

Answer

Chris Curtis picture Chris Curtis · Oct 15, 2010

Two things:

  1. The location is relative to the web.config file, so if your web.config is already in /Forms/Administration it should be corrected to be:

    <location path="Default.aspx">
        <system.web>
            <authorization>
                <allow roles="Administrator, User, AdditionalUser" />
            </authorization>
        </system.web>
    </location>
    
  2. To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:

    <deny users="*" />
    <allow users="Administrator" />
    

Administrator will be denied since it matched the first entry of deny... even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:

<allow users="Administrator" />
<deny users="*" />

In Summary

If I am reading what you want correctly, this is probably the final product you want:

<configuration>
  <system.web>
    <authorization>
        <allow roles="Administrator, User" />
        <deny users="*"/>
    </authorization>
  </system.web>

  <location path="Default.aspx">
    <system.web>
        <authorization>
            <allow roles="AdditionalUser" />
        </authorization>
    </system.web>
  </location>

</configuration>