I have seen so many people asking again and again how to allow access to a particular page for a person or role. So I thought it would be good to put this in one place. I will discuss how to configure web.config depending on the scenario.
This is the case when you want everybody to log in before they can start browsing around your website, i.e. the first thing they will see is a login page.
<system.web><authorization><deny users="?"/> <!-- will deny anonymous users --></authorization></system.web>
The above setup is good when users don't have to register themselves but instead have their accounts created by an administrator.
Sometimes you want to allow public access to your registration page and restrict access to the rest of the site to logged-in / authenticated users only, i.e. do not allow anonymous access. Say your registration page is called register.aspx in your site's root folder. In the web.config of your website's root folder you need to have the following setup.
<location path="register.aspx"> <!-- path here is the path to your register.aspx page, e.g. it could be ~/publicpages/register.aspx -->
<system.web><authorization><allow users="*"/> <!-- this will allow everyone access to register.aspx --></authorization></system.web></location>
So far we have seen how to allow access either to all users or to authenticated users only. But there could be cases where we want to allow a particular user access to certain pages but deny everyone else (authenticated as well as anonymous).
Allow only users in particular Role
Here I will not show how to set up roles. I assume you have role management set up for your users. We will now see what needs to be done in web.config to configure authorization for a particular role. E.g. you have two roles, Customer and Admin, and two folders, CustomerFolder and AdminFolder. Users in the Admin role can access both folders. Users in the Customer role can access only CustomerFolder and not AdminFolder. You will have to add location tags for each folder path as shown below:
Alternate way – using individual web.config for each Folder
As an alternative to the above method of using the <location> tag, you can add a web.config to each folder and configure authorization accordingly, almost the same as shown above but without the location tag. Taking the same example as above, add a web.config to both folders, AdminFolder and CustomerFolder.
Say you have all your images and CSS in a separate folder called images and you are denying anonymous access to your website. In that case you might find that on your login page the images (if any) do not show and the CSS (if any) is not applied to your login page controls.
I have seen people complaining that they have set up their roles correctly and also made the entry in their web.config, but their authorization still doesn't work. Even though they have allowed access to their role, that user cannot access a particular page/folder. The common reason for that is placing <deny> before <allow>.
<authorization><deny users="*"/> <!-- Denies everyone; this rule is matched first -->
<allow roles="Admin"/> <!-- Allows users in Admin role, but is never reached --></authorization>
Authorization rules are checked from top to bottom until a match is found. Here <deny users="*"/> comes first, so the allow rule is never checked and access is denied even if the user is in the Admin role.
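To check a config for this ordering mistake before deploying it, here is an added example (not code from the original post) that models the first-match evaluation described above and lists rules that can never be reached. The sample web.config is constructed for the Admin/Customer scenario, the function names are hypothetical, and the model is simplified: exact string matching, no verbs, and no merging with parent config files.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): AdminFolder repeats the ordering mistake.
SAMPLE_CONFIG = """
<configuration>
  <location path="AdminFolder">
    <system.web><authorization>
      <deny users="*"/>
      <allow roles="Admin"/>
    </authorization></system.web></location>
  <location path="CustomerFolder">
    <system.web><authorization>
      <allow roles="Admin,Customer"/>
      <deny users="*"/>
    </authorization></system.web></location>
</configuration>
"""

def _split(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def _rules(config_xml):
    """Yield (location path, [allow/deny elements in document order])."""
    for loc in ET.fromstring(config_xml).iter("location"):
        for auth in loc.iter("authorization"):
            yield loc.get("path"), [r for r in auth if r.tag in ("allow", "deny")]

def _matches(rule, user, roles):
    """Simplified model: exact string match, verbs ignored; user None = anonymous."""
    users = _split(rule.get("users"))
    if "*" in users or (user is None and "?" in users):
        return True
    return user in users or any(r in roles for r in _split(rule.get("roles")))

def decide(config_xml, path, user, roles=()):
    """Return the tag of the first matching rule, or None if the parent config decides."""
    for loc_path, rules in _rules(config_xml):
        if loc_path == path:
            return next((r.tag for r in rules if _matches(r, user, roles)), None)
    return None

def shadowed_rules(config_xml):
    """List (path, tag, attributes) of rules placed after a users="*" rule."""
    found = []
    for loc_path, rules in _rules(config_xml):
        stars = [i for i, r in enumerate(rules) if "*" in _split(r.get("users"))]
        if stars:
            found += [(loc_path, r.tag, dict(r.attrib)) for r in rules[stars[0] + 1:]]
    return found
```

Running shadowed_rules on the sample reports the allow rule in AdminFolder; moving it above the deny rule clears the report and lets Admin users in.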