Restricting a Directory by Role via web.config

4 posts, 1 answered
  1. Will
    23 posts
    Registered:
    30 Jun 2009
    11 Nov 2009
    Hi,
    My objective is to restrict access to a page and its child pages (all under one subdirectory), unless the user is logged in. I've read about several ways to restrict access to a directory, but I'd like to do this using only the root web.config if possible.

    I tried adding this to the web.config, but it had no effect:
    <location path="~/MembersOnly" > 
      <system.web> 
        <authorization> 
          <allow roles="Members"/> 
          <deny users="?" /> 
        </authorization> 
      </system.web> 
    </location> 

    I tried to allow only by role of Members, but I suppose this may be unnecessary. This is using the default Sitefinity provider. Anonymous users were not redirected at all and could still access anything under /MembersOnly.

    Here is the authentication snippet from the web.config:
    <authentication mode="Forms">
      <forms name=".ASPNET" loginUrl="~/sitefinity/login.aspx" protection="All" timeout="1440" path="/" /> 
    </authentication> 

    Both snippets are in the correct location/order in web.config, under <system.web>. The authentication section is unchanged from the install, as far as I know.

    I also tried restricting access via the page Properties, but while it "worked," it redirected all anonymous users to the /sitefinity/login.aspx page. This method could also be used but I'm not sure how to redirect users to another login page (/MemberLogin.aspx), while still redirecting anonymous access to /sitefinity, to /sitefinity/login.aspx.

    Any suggestions would be appreciated. We strongly prefer to do this without code-behind, using only the root web.config and/or page properties. Thanks!
  2. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    11 Nov 2009
    Hi Will,

    By default, the forms element supports only one loginUrl. Sitefinity does not use physical pages located in a folder of your project. The pages are stored in the database, and this is why your anonymous requests are not redirected to the login page.

    You can try the following.

    1. Set Anonymous Access to false for each page you want to restrict (Page Properties).
    2. Set the loginUrl property to the "~/sitefinity/login.aspx" page, where you should add a login control.

    By doing so, all unauthenticated users will be forced to use ~/sitefinity/login.aspx for authentication.

    Generally, the application does not know who is who when a user has not been authenticated, so you can check where the request comes from and redirect to another login page. For instance, if someone tries to access a page called MembersOnly.aspx, you can add the following logic to ~/sitefinity/login.aspx.cs and redirect this request to MemberLogin.aspx:

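    // Forms authentication puts the originally requested path in ReturnUrl.
    string redirectUrl = Request.QueryString["ReturnUrl"];
    if (!string.IsNullOrEmpty(redirectUrl) && redirectUrl.StartsWith("/MembersOnly") && !redirectUrl.StartsWith("/sitefinity"))
    {
        // Encode the value so its own query string survives the redirect.
        Response.Redirect("~/MemberLogin.aspx?ReturnUrl=" + Server.UrlEncode(redirectUrl));
    }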


    Greetings,
    Ivan Dimitrov
    the Telerik team

    Answered
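
The ReturnUrl routing suggested in the answer above, written as an added example that is not part of the original posts and is not Telerik or Sitefinity code. It rejects a ReturnUrl that is not a site-relative path before forwarding it and matches the prefix on a path boundary. The class and method names are hypothetical, and it assumes the site runs at the web root so that ReturnUrl values begin with "/MembersOnly" as in the thread.

```csharp
using System;
using System.Web;

// Added example (hypothetical helper); paths are the ones used in the thread.
public static class LoginRouter
{
    // Protected path prefix -> login page that should serve it.
    private static readonly string[][] Routes =
    {
        new[] { "/MembersOnly", "~/MemberLogin.aspx" }
    };

    // Accept only site-relative paths: a single leading slash, so no scheme
    // and no "//" or "/\" prefix, and no control characters anywhere.
    public static bool IsLocalPath(string url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        foreach (char c in url)
            if (char.IsControl(c)) return false;
        return true;
    }

    // True when path equals prefix or continues with '/', '.' or '?', so
    // "/MembersOnly.aspx" and "/MembersOnly/Child.aspx" match the prefix
    // "/MembersOnly" but "/MembersOnlyArchive.aspx" does not.
    public static bool IsUnder(string path, string prefix)
    {
        if (!path.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        if (path.Length == prefix.Length) return true;
        char next = path[prefix.Length];
        return next == '/' || next == '.' || next == '?';
    }

    // Returns the alternate login URL, or null to stay on the default login page.
    public static string GetLoginRedirect(string returnUrl)
    {
        if (!IsLocalPath(returnUrl)) return null;
        foreach (string[] route in Routes)
            if (IsUnder(returnUrl, route[0]))
                return route[1] + "?ReturnUrl=" + HttpUtility.UrlEncode(returnUrl);
        return null;
    }
}

// In Page_Load of ~/sitefinity/login.aspx.cs:
//   string target = LoginRouter.GetLoginRedirect(Request.QueryString["ReturnUrl"]);
//   if (target != null) Response.Redirect(target);
```

The member login page should apply the same IsLocalPath check before it redirects to ReturnUrl after a successful sign-in.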
  3. Will
    23 posts
    Registered:
    30 Jun 2009
    11 Nov 2009
    Ivan,
    Thanks for the explanation, you saved me a lot of trial-and-error and messing with the web.config.

    I like your suggestion to detect the redirectURL and forward to the appropriate login page. I thought this might be an option... but didn't realize how easy it would be to implement. I greatly appreciate the sample code.
    Thank you!
    Will
  4. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    11 Nov 2009
    Hi Will,

    Always glad to help!

    Best wishes,
    Ivan Dimitrov
    the Telerik team
