Last post Jul 21, 2014 12:53 PM by Rion Williams
Jul 21, 2014 10:41 AM|geog272|LINK
Is it possible to have one site (www.mysite.com) and have some pages non-password-protect and some pages password protected?
This is the tutorial I was looking at following but I can't see if there is a way to (in web config??) indicate that only some pages are to be password protected. As an example, I have a website and of the several pages on the site, the only pages I want
to be password protected are called reviewerportal.aspx, reviewerstudent.aspx, reviewerrankings.aspx.
Jul 21, 2014 12:49 PM|Siva Krishna Macha|LINK
If you are using forms authentication, probably you may put restrictions to the particular folders by using location property.
For a particular page:
location Element (ASP.NET Settings Schema)
<!-- Configuration for the "Sub1" subdirectory. -->
<!-- Put sections here -->
How to: Configure Specific Directories Using Location Settings
Jul 21, 2014 12:53 PM|Rion Williams|LINK
You can handle this by using the Authorization settings available in your web.config file.
It can be handled at either the user (ie username), role (ie rolename) or verb (ie POST, GET, etc) level to help define how granular you want to handle your authorization settings.
For example, if you had two seperate pages Admin.aspx and Other.aspx and you wanted to only allow users within the Admin role to access your Admin.aspx page and any user would be allowed to access your Other.aspx page, you would use :
<!-- Defines that you are using Forms Authentication -->
<authentication mode="Forms" >
<forms loginUrl="Login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
<!-- You can use this "higher-level" definition to apply specific rules to all users of the application and the ones that appear beneath it will override it. For example, this will deny all non-authenticated users from entering your application -->
<deny users="?" />
<!-- Use the location block to define specific settings about a single page -->
<!-- The Admin.aspx page will deny all users except those with the "Admin" role -->
<deny users="*" />
<allow roles="Admin" />
<!-- This would allow any user to access the Other.aspx page regardless of their Role -->
<allow users ="*" />
Guru Sarkar has an excellent blog post on this topic which I would highly recommend reading and goes into great
detail explaining all of that you need to know about implementing authorization and access within your web.config. (It covers just about every scenario that you might encounter relating to authentication)
A few other handy resources on the topic include :