{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 成全新的幸福 的问题《How do I grant anonymous access to a url using For》','https://www.manongdao.com/q-276978.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
For the most part, my webapp requires authentication to do anything. There are a few pages, namely the homepage, that I'd like people to be able to access without authenticating.
Specifically, I'd like to allow anonymous access to these urls:
/home
/default.aspx
I'm using asp.net MVC and FormsAuthentication. Both urls point to the same view:
/home/index.aspx
Here is my current configuration in web.config.
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
Reading the documentation for the authorization tag, it says "Configures the authorization for a Web application, controlling client access to URL resources." It seems like I should be able to use the authorization tag to specify a url and allow access.
Something like:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
<authorization>
<deny users="?" />
</authorization>
<authorization url="/default.aspx">
<allow users="?" />
</authorization>
<authorization url="/home">
<allow users="?" />
</authorization>
I hate to answer my own question, but since I did end up figuring it out, I figure I'd share the knowledge.
Use the location tag and put the allow and deny tags in the correct order.
The location tag can be used to configure a specific url resource. In my case I wanted to configure a few urls and folders specifically.
This didn't work at first because I didn't have the allow/deny in the correct order. According to MSDN, "the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule."
In my case I needed to put all my public stuff first (default.aspx, home,styles, images, scripts) and then I put a deny on everything else. I left out the path on the last location tag. That makes it apply to all files and subfolders.
End result, a user can get to the homepage, pull up images and styles, but for everything else must log in.
Here's my web config file now: