How do I grant anonymous access to a URL using FormsAuthentication?

Brian Bolton · Aug 30, 2009 · Viewed 23.4k times

For the most part, my webapp requires authentication to do anything. There are a few pages, namely the homepage, that I'd like people to be able to access without authenticating.

Specifically, I'd like to allow anonymous access to these URLs:

/home 
/default.aspx

I'm using ASP.NET MVC and FormsAuthentication. Both URLs point to the same view:

/home/index.aspx

Here is my current configuration in web.config.

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />      
</authentication>
<authorization>           
  <deny users="?" />      
</authorization>

Reading the documentation for the authorization tag, it says "Configures the authorization for a Web application, controlling client access to URL resources." It seems like I should be able to use the authorization tag to specify a URL and allow access.

Something like:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogOn" timeout="2880" />      
</authentication>

<authorization>           
  <deny users="?" />      
</authorization>

<authorization url="/default.aspx">           
  <allow users="?" />      
</authorization>

<authorization url="/home">           
  <allow users="?" />      
</authorization>

Answer

Brian Bolton · Sep 3, 2009

I hate to answer my own question, but since I did end up figuring it out, I figured I'd share the knowledge.

Use the location tag and put the allow and deny tags in the correct order.

The location tag can be used to configure a specific URL resource. In my case I wanted to configure a few URLs and folders specifically.

This didn't work at first because I didn't have the allow/deny in the correct order. According to MSDN, "the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule."

In my case I needed to put all my public stuff first (default.aspx, home, styles, images, scripts) and then I put a deny on everything else. I left out the path on the last location tag. That makes it apply to all files and subfolders.

End result: a user can get to the homepage and pull up images and styles, but must log in for everything else.

Here's my web config file now:

<!--AUTHORIZATION AND AUTHENTICATION RULES-->
  <location path="default.aspx">
    <system.web>

      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>

  </location>

  <location path="Home">
    <system.web>

      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>

  </location>

  <location path="Styles">
    <system.web>

      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>

  </location>

  <location path="Scripts">
    <system.web>

      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>

  </location>

  <location path="images">
    <system.web>

      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>

  </location>

  <location allowOverride="true">
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/LogOn" timeout="2880" slidingExpiration="true" />
      </authentication>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!--END AUTHORIZATION AND AUTHENTICATION RULES-->
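
To check which paths an unauthenticated visitor actually reaches under a set of location rules, this added example (not part of the original answer) models first-match evaluation in Python over two constructed configs: the answer's layout, and one with deny listed before allow in a single block. The function names, the sample configs and the scope order noted in the comments are assumptions of this example; the `roles` and `verbs` attributes are ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's layout, shortened to two public paths.
ANSWER_STYLE = """<configuration>
  <location path="default.aspx"><system.web><authorization>
    <allow users="?"/></authorization></system.web></location>
  <location path="Home"><system.web><authorization>
    <allow users="?"/></authorization></system.web></location>
  <location allowOverride="true"><system.web><authorization>
    <deny users="?"/></authorization></system.web></location>
</configuration>"""

# Constructed sample: deny listed before allow inside one block.
WRONG_ORDER = """<configuration>
  <location path="Home"><system.web><authorization>
    <deny users="?"/><allow users="?"/></authorization></system.web></location>
</configuration>"""

def load_scopes(xml_text):
    """Map each scope ('' = application root) to its ordered (action, users) rules."""
    root = ET.fromstring(xml_text)
    scopes = {}
    holders = [("", root)] + [(loc.get("path", "").strip("/").lower(), loc)
                              for loc in root.iter("location")]
    for scope, holder in holders:
        for web in (c for c in holder if c.tag == "system.web"):
            for authz in (c for c in web if c.tag == "authorization"):
                for rule in authz:
                    if rule.tag in ("allow", "deny"):
                        users = {u.strip() for u in rule.get("users", "").split(",")}
                        scopes.setdefault(scope, []).append((rule.tag, users))
    return scopes

def anonymous_decision(xml_text, url_path):
    """Return ('allow'|'deny', scope) for an unauthenticated request."""
    scopes = load_scopes(xml_text)
    path = url_path.strip("/").lower()
    # Assumption of this model: the most specific matching scope is read first,
    # then the root, then ASP.NET's machine-level default <allow users="*"/>.
    matching = sorted((s for s in scopes
                       if s and (path == s or path.startswith(s + "/"))),
                      key=len, reverse=True)
    for scope in matching + [""]:
        for action, users in scopes.get(scope, []):
            if users & {"?", "*"}:          # first rule covering anonymous wins
                return action, scope or "(root)"
    return "allow", "(machine default)"

def anonymous_report(xml_text, url_paths):
    """Summarise the anonymous decision for each path in url_paths."""
    return {p: anonymous_decision(xml_text, p)[0] for p in url_paths}
```

The model decides on the URL path alone, as the location rules do, so an MVC route that reaches the same controller under a different URL is evaluated under that other path.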