Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Deny access to 'admin' folder in web.config

I am new to ASP.NET, so forgive me if this is simple.

I am trying to deny access to my 'Admin' folder via web.config. I looked at another answer to a similar question and they recommend using the <location> folder, however when I insert "Admin/" into the path I get the following error:

path attribute must be a relative virtual path. It cannot start with any of ' ' '.' '/' or '\'. C:\Personal\Projects\OliverSalon\web.config

I have tried placing "Admin", "/Admin" & "Admin/"

<configuration>

<connectionStrings>
    <add name="OliverSalonConnectionString1" connectionString="Data Source=localhost;Initial Catalog=OliverSalon;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
<system.web>
    <compilation debug="false" targetFramework="4.0" />
    <authentication mode="Forms">
        <forms name="Oliver" loginUrl="Login.aspx" path="/" timeout="20">
            <credentials passwordFormat="Clear">
                <user name="OliverSalon" password="cuts"/>
            </credentials>
        </forms>
    </authentication>
    <authorization >
        <deny users="?"/>
    </authorization>
</system.web>
<location path="/Admin">
    <system.webServer>
        <directoryBrowse enabled="false"/>
    </system.webServer>
</location>

like image 766
Jon Harding Avatar asked Jan 28 '11 03:01

Jon Harding


1 Answers

This is way back from my web form days.

Place a web.config in your admin folder.

The contents should be:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
          <allow roles="admin" />
          <deny users ="*" />
        </authorization>
    </system.web>
</configuration>

** EDIT to answer your question If you set the login url the framework will automatically send you to the login page if an unauthorized user tries to access your admin folder.

        <authentication mode="Forms">
            <forms loginUrl="Login.aspx" timeout="20" slidingExpiration="true" cookieless="AutoDetect" protection="All" requireSSL="false" enableCrossAppRedirects="false" defaultUrl="Default.aspx" path="/"/>
</authentication>
like image 78
santiagoIT Avatar answered Sep 21 '22 01:09

santiagoIT