I have a folder "qc" which is only allowed for the role "warehouse".
In that folder I have a page that I want anyone to access without logging in.
Here's what I've done with web.config but it still redirects me to the login page:
<location path="QC/MyPage.aspx">
<system.web>
<authorization>
<allow users="?" />
<allow roles="*"/>
</authorization>
</system.web>
</location>
<location path="QC">
<system.web>
<authorization>
<deny users="?" />
<allow roles="warehouse" />
</authorization>
</system.web>
</location>
As answered here, you need to repeat it without the .aspx extension.
<location path="test/webform1">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="test/webform1.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I'm building a webforms application, separating pages into folders, authorizing web-pages within these folders using the web.config, authorizing pages to authenticated users only and allowing certain pages to certain roles.
I have a 'beheer' folder in which the page1.aspx - page6.aspx reside. I also have a web.config in that folder which is shown below.
I'm logging into the system as a user who has the role 'Admin', which would mean that all pages should be available to me. If I go to page3, page4, page5 or page6 it works just fine, but going to page1 or page2 doesn't work: I get an unauthorized message, even though page2 and page3. I can't seem to figure out what I'm missing.
<configuration>
<system.web>
<authorization>
<deny users="?" />
<!-- Deny all unauthenticated users -->
</authorization>
</system.web>
<location path="Page1.aspx" >
<system.web>
<authorization>
<allow roles="Page1,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page2.aspx" >
<system.web>
<authorization>
<allow roles="Page3,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page3.aspx" >
<system.web>
<authorization>
<allow roles="Page3,Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page4.aspx,Page5.aspx,Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
</configuration>
I doubt you actually have the Admin role assigned. This part seems wrong:
<location path="Page4.aspx,Page5.aspx,Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
You can't specify more than one resource on the path element. See here for more information.
Try changing it into this:
<location path="Page4.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page5.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Page6.aspx" >
<system.web>
<authorization>
<allow roles="Admin,UserAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
I have in my web.config
<location path="Admin">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="Admin/Page1">
<system.web>
<authorization>
<allow roles="SubAdmin"/>
</authorization>
</system.web>
</location>
Would this properly block everyone except "Administrator" and "SubAdmin" roles from Admin/Page1?
Or do I have to add <allow roles="Administrator"/> <deny users="?"/> to the Admin/Page1 section?
You can use it this way:
<allow roles="Admin"/>
<allow roles="SubAdmin"/>
<deny users="*"/>
For future reference: http://msdn.microsoft.com/en-us/library/8d82143t%28VS.71%29.aspx
If possible, keep web.configs in each folder instead of keeping in one web.config.
I'm not sure which role is more powerful - Administrator or SubAdmin. You need to keep the most powerful role inside the nested folder.
Inside Administrator only folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
Inside SubAdmin and Administrator folder
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="Administrator, SubAdmin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>
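Added example, not part of any post above: a small Python model of how URL authorization resolves the Admin / Admin/Page1 layout from the question. It assumes rules from the most specific location are checked first, the first match wins, and the inherited machine-level default (allow users="*") comes last; verbs are ignored, and the function names and sample users are illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the single-file layout from the Admin / Admin/Page1 question.
WEB_CONFIG = """<configuration>
  <location path="Admin"><system.web><authorization>
    <allow roles="Administrator"/>
    <deny users="?"/>
  </authorization></system.web></location>
  <location path="Admin/Page1"><system.web><authorization>
    <allow roles="SubAdmin"/>
  </authorization></system.web></location>
</configuration>"""

# Same file with both roles allowed and a terminal deny on the page scope.
HARDENED = WEB_CONFIG.replace(
    '<allow roles="SubAdmin"/>',
    '<allow roles="Administrator,SubAdmin"/><deny users="*"/>')

# Assumed machine-level default, inherited after every site rule.
DEFAULT_RULES = [("allow", {"*"}, set())]

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def effective_rules(config_xml, url_path):
    """Rules applying to url_path: most specific scope first, default last."""
    root = ET.fromstring(config_xml)
    target = url_path.strip("/").lower()
    scopes = [("", root.find("system.web/authorization"))]
    scopes += [((loc.get("path") or "").strip("/").lower(),
                loc.find("system.web/authorization"))
               for loc in root.findall("location")]
    hits = [(s, a) for s, a in scopes if a is not None
            and (s == "" or target == s or target.startswith(s + "/"))]
    hits.sort(key=lambda h: len(h[0]), reverse=True)
    return [(r.tag, _names(r.get("users")), _names(r.get("roles")))
            for _, auth in hits for r in auth] + DEFAULT_RULES

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins; user=None models an anonymous request."""
    mine = _names(",".join(roles))
    for action, users, rule_roles in effective_rules(config_xml, url_path):
        if ("*" in users or (user is None and "?" in users)
                or (user is not None
                    and (user.lower() in users or mine & rule_roles))):
            return action == "allow"
    return False

if __name__ == "__main__":
    for cfg in (WEB_CONFIG, HARDENED):
        print(is_allowed(cfg, "Admin/Page1", "bob", ["Sales"]))
```

Under this model the original layout lets an authenticated user in neither role through, because no rule matches until the default allow. With the terminal deny on the page scope the same request is refused.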
I have a folder that is restricted and only for logged-in users. So I wrote these lines:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
However there is a single file on which I do not want to put any restrictions. What settings should I configure in location tag?
Please don't tell me to move that particular file out of the folder because that is not possible because it is being referenced at many places and I don't want to get messed up.
Try adding the page you want no restrictions on, like this:
<location path="ABC">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="ABC/SomeFile.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I have the following site structure:
What I'd expect this to do was to deny anyone who isn't a logged-in user with the RegisteredUser role, except on Reset.aspx and Validation.aspx, where it would allow anyone (logged-in or not) to access, but this isn't the case right now.
Everyone who isn't a RegisteredUser isn't able to access these two pages, what am I doing wrong?
Update: Even this won't work:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
It doesn't make any sense, isn't this supposed to be the system default?
You do not need to map paths, only file names:
<?xml version="1.0"?>
<configuration>
<location path="Reset.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="Validation.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<allow roles="RegisteredUser" />
<deny users="*" />
</authorization>
</system.web>
</configuration>
Login.aspx, passwordrecovery.aspx, and register.aspx should be the only pages accessible for logged in users. I have the following in my webconfig:
<authentication mode="Forms">
<forms loginUrl="Login.aspx" defaultUrl="Login.aspx" />
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I have the following in my configuration element of my webconfig:
<location path="images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="css">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="register.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="passwordrecovery.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I get an Error: ASP.NET Ajax client-side framework failed to load. alert box when viewing any of the public pages. How do I allow access to the asp.net client-side framework (using the location tags?)?
Check the actual URL that is requested. I think those will be the calls to Webresource.axd.
I checked Fiddler and added the following:
<location path="Telerik.Web.Ui.WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Ajax client side framework now loads - error message is gone. For those not using the Telerik controls - I'm sure you can use something similar to:
<location path="WebResource.axd">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I agree with Greg, put all your public resources in the root and place any protected items in a subfolder.
Ex:
<location path="login.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
<location path="subfolderName">
<system.web>
<authorization>
<allow roles="myRole" />
<deny users="*" />
<!-- deny unknown users -->
<deny users="?" />
</authorization>
</system.web>
</location>