How to allow authorization for a single page only

Kuler Master 326 Reputation points
2024-11-30T13:14:36.44+00:00

Hi there,

I want to allow not logged in users access one page only. This is the content of the web.config I have inside this specific folder named Documents:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
        <allow roles="client" />
        <deny users="*" />
    </authorization>
  </system.web>

  <location path="Documents/Mobile.aspx">
    <system.web>
        <authorization>
            <allow users="*"/>
            <deny users="?" />
        </authorization>
    </system.web>
  </location>
</configuration>

This makes sense but as soon as I try to open that page being not logged in, I am redirected.

What I am missing? Thank you!

Internet Information Services
ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,706 questions
ASP.NET
ASP.NET
A set of technologies in the .NET Framework for building web applications and XML web services.
3,550 questions
C#
C#
An object-oriented and type-safe programming language that has its roots in the C family of languages and includes support for component-oriented programming.
11,157 questions
0 comments No comments
{count} votes

Accepted answer
  1. Marcin Policht 30,040 Reputation points MVP
    2024-11-30T15:17:16.6633333+00:00

    Yep - the issue of being redirected to the login page may be related to the interaction between the FriendlyURL package and the <location> path specified in your web.config. FriendlyURL rewrites the URLs to be more user-friendly (e.g., turning documents/mobile-upload/{clientid} into a cleaner format). However, this rewritten path might not match the exact path you've defined in the web.config file.

    Try updating the <location> path to Match FriendlyURL Mappings. If FriendlyURL rewrites Documents/Mobile.aspx into documents/mobile-upload/{clientid}, your <location> element in web.config might not recognize the rewritten path. To fix this, you should configure your authorization rules in the rewritten format.

    1. For example
         <location path="documents/mobile-upload">
          <system.web>
              <authorization>
                  <allow users="*"/>
                  <deny users="?"/>
              </authorization>
          </system.web>
      

    </location>

       
    1. Add Exception in `Global.asax` or Middleware. If FriendlyURL rewrites the paths dynamically and you're unsure of the exact paths, you can add custom rules in your `Global.asax` or middleware to allow access to unauthenticated users for specific rewritten URLs:
    
       ```csharp
       protected void Application_BeginRequest(object sender, EventArgs e)
    {
        var path = HttpContext.Current.Request.AppRelativeCurrentExecutionFilePath.ToLower();
        if (path.StartsWith("~/documents/mobile-upload"))
        {
            // Allow unauthenticated access for this path
            HttpContext.Current.SkipAuthorization = true;
        }
    }
    
    1. Check how the FriendlyURL package rewrites your paths. You can override or exclude certain routes to prevent redirection issues:
         routes.MapPageRoute(
          "MobileUpload",
          "documents/mobile-upload/{clientid}",
          "~/Documents/Mobile.aspx"
      

    );

       
    1. Verify that the rules in your `web.config` are not conflicting. For example:
    
       - Place general rules (e.g., deny all users) outside specific `<location>` elements.
       
          - Use `<allow users="*"/>` to permit access for all users.
          
       For example:
       
       ```xml
       <configuration>
        <system.web>
            <authorization>
                <deny users="*"/>
            </authorization>
        </system.web>
    
        <location path="documents/mobile-upload">
            <system.web>
                <authorization>
                    <allow users="*"/>
                </authorization>
            </system.web>
        </location>
    </configuration>
    
    1. Ensure that forms authentication in web.config is properly configured:
       <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx" timeout="30" />
    </authentication>
    

    If unauthenticated users are still being redirected, there might be a global rule enforcing redirection.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


1 additional answer

Sort by: Most helpful
  1. Marcin Policht 30,040 Reputation points MVP
    2024-11-30T13:51:55.9866667+00:00

    It looks like your configuration aims to allow unauthenticated users access to the Documents/Mobile.aspx page, but the logic contains a conflicting rule that causes redirection.

    The <authorization> element in the root-level <system.web> section applies a blanket deny rule (deny users="*") for all users not explicitly matching the allow rule for the client role. This rule overrides the specific <location>-based rules for Documents/Mobile.aspx.

    To allow unauthenticated users to access Documents/Mobile.aspx while restricting access to other resources, you need to ensure the <location> element for the specific page takes precedence. Try the following

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="Documents/Mobile.aspx">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
    
      <system.web>
        <authorization>
          <allow roles="client" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>
    

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.