
ASP.NET web.config authorization settings ignored in subfolders

I'm using ASP.NET MVC 2 and VS 2008.

I'm trying to make a website with forms authorization. When I'm trying to restrict access to some pages, I'm using the ASP.NET administration tool. There I create a rule, for example, to deny access to anonymous users to the whole web site. The administration tool, as expected, adds the following section in the root web.config file:

 <authorization>
   <deny users="?" />
 </authorization>

When I do the same thing in some subfolder, for example %ApplicationRoot%/View/Protected, the administration tool, also as expected, adds a web.config file in the mentioned subfolder, with the following code:

 <configuration>
   <system.web>
     <authorization>
       <deny users="UserName" />
     </authorization>
   </system.web>
 </configuration>

The prime difference between these files is that the root web.config authorisation section has some effect (generally speaking, it works as planned - it denies all unauthenticated users from the whole website). But the subfolder web.config authorisation section has no effect at all. I found that, when added to the root config file, the following code

 <location path="Protected">
   <authorization>
     <deny users="UserName" />
   </authorization>
 </location>

works great - it, as planned, denies %UserName% access to all views located in the %ApplicationRoot%/View/Protected folder.
This behaviour is similar with Cassini and IIS; I tried both.

The main problem is that I kind of need the administration tool to do the work, so I'm asking for any help with this issue - why doesn't the authorisation section work when web.config is located in a subfolder?

P.S. I tried to place incorrect code in between <authorization> and </authorization> in subfolder's web.config:

 <authorization>
   asdfg
 </authorization>

No effect. Probably the whole section is ignored due to some issue?

P.P.S. Incorrect code out of the authorization section in the same file causes an error.

alex_java_kotlin asked Oct 16 '12 14:10


1 Answer

Your problem is that your application is not a classical ASP.NET Web Forms application. What you're trying to do would work perfectly in Web Forms, but not in MVC.

In the MVC world, when a browser requests the page /People/SmartList, it will not necessarily be shown /People/SmartList.cshtml from your project. In fact, your project might not even have a /People/ folder at all. The view (.cshtml file) that will be shown by the MVC engine is determined by routes. And the MVC routing engine doesn't look at your web.config files at all when it accesses those .cshtml files. Now you can see why your web.config files are ignored.

But you're still able to do the authorization. Instead of using web.config files, you should use the [Authorize] attribute and apply it to the appropriate controller's action methods, or even to a whole controller class.

 [Authorize(Users = "UserName")]
 public ActionResult ShowRestrictedData()
 {
     // ...
 }
Max Shmelev answered Nov 02 '22 18:11
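An added example, not part of the original question or answer: `[Authorize(Users = "...")]` is an allow list, while the `<deny users="UserName" />` rule in the question is a deny list. The sketch below shows one way to express the deny rule as an MVC filter by overriding `AuthorizeAttribute.AuthorizeCore`; `DenyUsersAttribute`, its `Denied` property and `ProtectedController` are hypothetical names chosen for illustration.

```csharp
using System;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical deny-list filter mirroring <deny users="..."/> semantics.
// It is bound to controllers/actions, so it applies on every route that
// reaches the action, regardless of where the view file lives on disk.
public class DenyUsersAttribute : AuthorizeAttribute
{
    // Comma-separated user names to reject, e.g. "UserName,OtherUser".
    public string Denied { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null)
        {
            throw new ArgumentNullException("httpContext");
        }

        // The base check rejects anonymous users, which matches the
        // root web.config rule <deny users="?" />.
        if (!base.AuthorizeCore(httpContext))
        {
            return false;
        }

        string current = httpContext.User.Identity.Name;
        var denied = (Denied ?? string.Empty)
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(u => u.Trim());

        // Authenticated users pass unless they appear on the deny list.
        return !denied.Contains(current, StringComparer.OrdinalIgnoreCase);
    }
}

// Applied at class level, the filter covers every action of the controller.
[DenyUsers(Denied = "UserName")]
public class ProtectedController : Controller
{
    public ActionResult Index()
    {
        return View();
    }
}
```

With forms authentication, a rejected request gets the default `HttpUnauthorizedResult`, so a denied but authenticated user is sent to the login page; override `HandleUnauthorizedRequest` if a different response is wanted.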