I am using forms authentication in an MVC 2 project.
I have this in my web.config:
<authorization>
<deny users="?" />
</authorization>
I want the /Content folder to be available to users that haven't been authenticated yet. The login view uses the css in that folder, which should be available at login time.
Thanks
You can use the css file as a location in your config file like this:
<location path="whatever.css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
This would be external to your main system.web block, I believe.
If this content folder is a separate folder, it can have its own web.config file that you can set to allow=*
Do you mean:
<authorization>
<allow users="*" />
</authorization>
Related
I am using Forms Authentication with ASP.NET Web Forms and it successfully authenticates the user.
With these authorization settings in the web.config an anonymous user can only access the Login page.
<authorization>
<deny users="?" />
</authorization>
or
<location path="SubFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
I am trying to use location tags to further allow anonymous access to additional pages, but they are ignored:
<location path="SubFolder/LoggedOut.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
Following ASP.NET settings inheritance the authorization tag in the location tag should overwrite the global authorization tag.
The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list. (link)
How can I deny anonymous access to all pages but those that I specify?
The answers to this question state that what I am doing is correct. But it doesn't seem to work for me. So why does this happen? Is there a way to find out what setting blocks the access when I try to access a page? Is there anything I am missing?
Apparently a less-restricted file can not be in a restricted directory.
However, doing the same with a less-restricted directory is ok.
I ended up placing the public files in the root and all secured files in a subfolder using the following web.config:
...
<authorization>
<allow users="*" />
</authorization>
...
<location path="SubFolder">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
...
Tested in .NET-Framework 4.5, Visual Studio Enterprise 2015.
I want to block access to /admins/setting.txt and to /user_N/setting.txt from browsers.
Where can I control these requests?
You can easily add such settings to your web.config file, like this:
For a specific file:
<location path="admins/setting.txt">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
For a folder:
<location path="user_N">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
Move the folder to one under App_Data.
e.g.
example.com/App_Data/admins/setting.txt
This will prevent the files from being served.
I am using the authorization section in web.config:
<authorization>
<allow roles="Administrator,Attorney,Director of Operations,Office Manager,Paralegal,Partner,Processor,Salary Admin,Unit Manager"/>
<deny users="*"/>
</authorization>
With this code in place, my master page CSS, as well as my images go away, and when I remove this from the web.config it displays properly. Any idea why it is showing that way? Your help will be appreciated.
This authorization section also applies to your CSS files and images. You need to use the location element to give anonymous access back to these files. Here's a knowledge base article about this. Your web.config should look something like this:
<configuration>
<system.web>
<!-- This is your section from your question -->
<authorization>
<allow roles="Administrator,Attorney,Director of Operations,Office Manager,Paralegal,Partner,Processor,Salary Admin,Unit Manager"/>
<deny users="*"/>
</authorization>
</system.web>
<!-- Now give everyone access to your "images" folders -->
<location path="Images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>
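Added example, not part of the original answers: a simplified Python model of the merge-then-first-match evaluation, for checking which request paths a web.config leaves open to anonymous users. It goes beyond the single Images case; the sample config (with a shortened role list), the function names and the trailing default allow rule are assumptions of this sketch, and child web.config files and the verbs attribute are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: role-based root rules plus the "Images" override (role list shortened).
WEB_CONFIG = """
<configuration>
  <system.web><authorization>
    <allow roles="Administrator,Paralegal"/>
    <deny users="*"/>
  </authorization></system.web>
  <location path="Images"><system.web><authorization>
    <allow users="*"/>
  </authorization></system.web></location>
</configuration>
"""

def _rules(node):
    """Return [(action, users, roles)] from node's system.web/authorization, in document order."""
    auth = node.find("system.web/authorization")
    if auth is None: return []
    split = lambda v: {s.strip().lower() for s in v.split(",") if s.strip()}
    return [(r.tag, split(r.get("users", "")), split(r.get("roles", "")))
            for r in auth if r.tag in ("allow", "deny")]

def merged_rules(root, url_path):
    """Nearest scope first: matching <location> blocks (longest path first), then root rules."""
    url = url_path.strip("/").lower()
    scopes = []
    for loc in root.findall("location"):
        p = (loc.get("path") or "").strip("/").lower()
        if p and (url == p or url.startswith(p + "/")):  # match whole path segments only
            scopes.append((len(p), loc))
    merged = []
    for _, loc in sorted(scopes, key=lambda s: -s[0]):
        merged += _rules(loc)
    merged += _rules(root)
    return merged + [("allow", {"*"}, set())]  # assumed machine-level default rule

def is_allowed(config_xml, url_path, user=None, roles=()):
    """First matching rule wins. user=None models an anonymous request."""
    root = ET.fromstring(config_xml)
    have = {r.lower() for r in roles}
    for action, users, rule_roles in merged_rules(root, url_path):
        hit = ("*" in users or (user is None and "?" in users)
               or (user is not None and user.lower() in users) or bool(have & rule_roles))
        if hit:
            return action == "allow"
    return False
```

Running `is_allowed` over every static-content and login-page path with `user=None` shows which paths are reachable before login, both the ones that need to be and any that should not be.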
My site (WebForms, C# 4.0) is using Forms Auth and by default requires login:
<authorization>
<deny users="?"/>
</authorization>
I allow unauthenticated access to the public folder (http://siteurl.com/member/public):
<location path="member/public">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
It all works fine. Then, I added a route (RouteTable.MapPageRoute(...)), so that
http://siteurl.com/member/public/view.aspx?username=someusername
can be accessed by going to:
http://siteurl.com/member/view/someusername
My problem is - now I also need to add member/view location to web.config to allow unauth access to it, so I have to have two entries for technically the same location:
<location path="member/public"> <!-- physical location -->
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<location path="member/view"> <!-- route -->
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I will have a bunch of those routes to pages in member/public folder, so looks like I'd have to list each of them in web.config, and it doesn't sound right...
Is there any way to tell ASP.NET to automatically apply physical path auth rules to the routing so that I would only need to specify unauth access to member/public and all routes to the location would automatically gain access?
Thanks!
My colleague is using an HttpHandler for compression of javascript and CSS (YUI Compressor for .NET) on an ASP.NET Web Application.
He also set up Forms Authentication. The Forms Authentication appears to be blocking the CSS and JavaScript (served by the HttpHandler) from downloading on the login page. Is there a way to exclude this HttpHandler from Forms Authentication?
Add a location tag for those resource paths in your web.config:
<!-- location paths are relative to the application root and must not start with a slash -->
<location path="js">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<location path="css">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
I have used this snippet ('CSS' is the folder):
<location path="CSS">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>