I've tried all manner of variations in trying to restrict access to a folder, from the simplest of denying access to all users and just granting access to myself to trying a combination of roles/users etc. In particular, the folder has a mix of aspx and html files.
Can anyone assist? Here's pretty much what I have based on other similar questions:
<configuration>
    <system.web>
        <!-- mode=[Windows|Forms|Passport|None] -->
        <authentication mode="Windows" />
    </system.web>
    <system.webServer>
        <handlers>
            <add name="HTMLHandler" type="System.Web.StaticFileHandler" path="*.html" verb="GET" />
        </handlers>
    </system.webServer>
    <location path="AdminOnly">
        <system.web>
            <authorization>
                <deny users="*" />
                <allow users="domain\user1, domain\user2, domain\user3" />
                <allow roles="domain\role1, domain\role2" />
            </authorization>
        </system.web>
    </location>
</configuration>
EDIT
The solution has presented itself at last.
It was a combination of understanding the authorization segment (thanks to Tetsuya for the helpful tip in relation to ordering authorization rules), including the handler segment and also configuring the application pool for managed code.
Seems you have the wrong order in composing the authorization element: the allow part must be declared first to allow certain users in certain roles before denying everything else.
So, this construction below is wrong due to denying all users resolved before allowing defined users:
<location path="AdminOnly">
    <system.web>
        <authorization>
            <deny users="*" />
            <allow users="domain\user1, domain\user2, domain\user3" />
            <allow roles="domain\role1, domain\role2" />
        </authorization>
    </system.web>
</location>
The correct order should be like this:
<location path="AdminOnly">
    <system.web>
        <authorization>
            <allow roles="role1, role2" />
            <allow users="user1, user2, user3" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>
In the reference section, Guru Sarkar explains what goes wrong:
Common Mistakes
I have seen people complaining that they have setup their roles
correctly and also made entry to their web.config but still their
authorization doesn't work. Even they have allowed access to their
role that user cannot access particular page/folder. The common reason
for that is placing <deny../> before <allow ../>. Since the authorization is done from top to bottom, rules are checked until a match is found.
Reference:
Setting authorization rules for a particular page or folder in web.config
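The first-match behaviour described in this answer, as an added example that is not part of the original answer: a Python sketch that models top-to-bottom rule evaluation over the two orderings above and lists the rules made unreachable by an earlier users="*" rule. The location paths DenyFirst and AllowFirst and all function names are made up for the illustration; the model ignores the verbs attribute and the anonymous "?" user, and assumes the inherited default is to allow when no rule matches.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two orderings from this page under hypothetical paths.
SAMPLE = r"""<configuration>
  <location path="DenyFirst"><system.web><authorization>
    <deny users="*" />
    <allow users="domain\user1, domain\user2" />
    <allow roles="domain\role1" />
  </authorization></system.web></location>
  <location path="AllowFirst"><system.web><authorization>
    <allow roles="domain\role1" />
    <allow users="domain\user1, domain\user2" />
    <deny users="*" />
  </authorization></system.web></location>
</configuration>"""

def _names(rule, attr):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()}

def load_rules(xml_text):
    """Map each <location path> to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is not None:
            rules[loc.get("path")] = [(r.tag, _names(r, "users"), _names(r, "roles")) for r in auth]
    return rules

def evaluate(rules, user, roles=()):
    """Return the action of the first rule that matches, checked top to bottom."""
    user, roles = user.lower(), {r.lower() for r in roles}
    for action, users, rule_roles in rules:
        if "*" in users or user in users or roles & rule_roles:
            return action
    return "allow"  # no rule matched: assumed inherited default <allow users="*" />

def shadowed(rules):
    """Rules listed after a users="*" rule are never reached."""
    for i, (_, users, _roles) in enumerate(rules):
        if "*" in users:
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    for path, rules in load_rules(SAMPLE).items():
        print(path, evaluate(rules, r"domain\user1"), "unreachable:", len(shadowed(rules)))
```

Running shadowed() over each authorization block in a real web.config is a quick review check for allow rules that can never take effect.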
Can you try to create a new web.config in your specific folder and add this to your folder's web.config to restrict all users:
<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</configuration>