I am trying to protect a (sub)directory in my ASP.NET website that contains files (Videos, documents etc.) So I created a Web.config file:
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<deny users="?"/>
<allow roles="Administrator"/>
<allow roles="Author"/>
<allow roles="Report"/>
</authorization>
</system.web>
</configuration>
These roles correspond with those defined in the asp.net roles table in my database.
I opened up IIS7 to check if the authorization rules were there and they were. But there were also 2 inherited rules that are set to "Allow all users". These rules seem to override my rules set in de Web.config. I can't delete these inherited rules.
Is there any way to disable these inherited authorization rules, only for my subfolder?
Thanks in advance!
Try to remove them from ASP.NET Configuration. Open it with small icon in the right corner of the Solution Explorer (or Project\Website->ASP.NET Configuration).
In ASP.NET Configuration use Security -> Access Rules -> Manage Access Rules for the appropriate folder.
T
Yes, you may add these authorizations through the IIS Manager using the .NET Authorization Rules as you mentioned, or in the Web.Config file. However, keep in mind that you MUST add the "Allow" rules before the "Deny" rules, because Deny always overrides at the same folder level. The order of precedence is:
If a Local Deny rule exists before any other Local Allow rules at the same folder level, none of the Allow rules will be applied. For example, if I have a parent directory of
Sales
with child foldersManagement
,Customers
, andSalesTeam
and I define a Deny rule forSales
, then all users/roles must be explicitly allowed in the child directories. Say I also have roles matching each of these folders, I would define an Allow rule for each of them to their corresponding folders, giving them access to the contents/pages therein.I hope you find this useful. I know it's an old question. Cheers ;)
In web.config of your root directory try following