In a previous article I provided some samples to allow password protection of a folder in ASP.NET based on some settings in the root web.config file. Since that article I have had a few people ask if it was possible to secure multiple locations - each potentially with their own security requirements.
Well, the answer is yes, it is possible, and it isn't even very hard. Below is a sample web.config file that, when placed in the web root, will secure two different folders. One is /admin/ and the other is /protected/.
Access to the /admin/ folder is controlled in lines 13 through 19. On line 16 it is specified that only users who have authenticated via ASP.NET Forms authentication may access this folder. It does not matter who the user is, as long as they have supplied a valid username and password (the accounts are listed on lines 06 through 07). Note that this sample keeps the passwords in clear text (passwordFormat="Clear" on line 05). That is fine for a test site, but for anything real the credentials element should use passwordFormat="SHA1" (or "MD5") with the hashed value stored, or better, the accounts should live in a proper membership store rather than in web.config at all, so that a leaked config file does not hand out working passwords.
Access to the /protected/ folder is restricted further. Line 24 specifies that the user "user1" is allowed access to this folder. This line alone is not enough to restrict anything: the rule every site inherits from machine.config allows everyone, so a user who is not matched by line 24 would simply fall through to that default. It is therefore also necessary to deny all other users, which is done by line 25. The order of the two lines matters. Rules are evaluated top to bottom and the first one that matches the request wins, so if the deny on line 25 came before the allow on line 24 it would match user1 as well and lock everyone out.
As you have probably noted by now, the authorization section accepts both "deny" and "allow" elements, so you can specifically control the type of access (or lack of access). You might also have noted that the "users" attribute accepts several kinds of value. "*" means everyone; "?" means the anonymous user (anyone who has not yet authenticated); and an individual username (or a comma-separated list of them) limits the rule to those specific users. There is also a "roles" attribute that works the same way for role names. Because the first matching rule wins, a deny-all rule belongs at the end of the list, after the users or roles you want to let in.
01: <configuration>
02: <system.web>
03: <authentication mode="Forms">
04: <forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30">
05: <credentials passwordFormat="Clear">
06: <user name="user1" password="pass1"/>
07: <user name="user2" password="pass2"/>
08: </credentials>
09: </forms>
10: </authentication>
11: </system.web>
12:
13: <location path="admin">
14: <system.web>
15: <authorization>
16: <deny users="?" />
17: </authorization>
18: </system.web>
19: </location>
20:
21: <location path="protected">
22: <system.web>
23: <authorization>
24: <allow users="user1" />
25: <deny users="*" />
26: </authorization>
27: </system.web>
28: </location>
29: </configuration>
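To make the evaluation order concrete, here is an added example (not code from the original article) that parses the authorization rules out of a web.config with Python's standard library and evaluates them the way ASP.NET's UrlAuthorizationModule does: the rules of the most specific location first, then the root system.web section, then the machine-level default allow-everyone rule, with the first matching rule deciding. The sample config, the deliberately mis-ordered counter-example and the request paths are constructed for the demonstration; user and role names are compared case-insensitively, and the roles attribute is matched only by explicit role name.

```python
"""Model of ASP.NET URL-authorization rule evaluation (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample with the same rules as the listing above.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="TestAuthCookie" loginUrl="login.aspx" timeout="30">
        <credentials passwordFormat="Clear">
          <user name="user1" password="pass1"/>
          <user name="user2" password="pass2"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>
  <location path="admin">
    <system.web><authorization><deny users="?" /></authorization></system.web>
  </location>
  <location path="protected">
    <system.web><authorization>
      <allow users="user1" />
      <deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

# Constructed counter-example: the /protected/ rules in the wrong order.
# <deny users="*"/> is reached first and matches everyone, even user1.
WRONG_ORDER_CONFIG = """<configuration>
  <location path="protected">
    <system.web><authorization>
      <deny users="*" />
      <allow users="user1" />
    </authorization></system.web>
  </location>
</configuration>"""

# Machine-level default that every site inherits.
DEFAULT_RULE = ("allow", "*", "")


def _rules_in(system_web):
    """Return (verdict, users, roles) tuples from a <system.web> element."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(el.tag, el.get("users", ""), el.get("roles", ""))
            for el in auth if el.tag in ("allow", "deny")]


def load_rules(config_xml):
    """Map each location path ('' is the site root) to its ordered rules."""
    root = ET.fromstring(config_xml)
    rules = {"": _rules_in(root.find("system.web"))}
    for loc in root.findall("location"):
        path = loc.get("path", "").strip("/").lower()
        rules[path] = _rules_in(loc.find("system.web"))
    return rules


def _names(spec):
    return [n.strip() for n in spec.split(",") if n.strip()]


def _matches(users, roles_spec, user, roles):
    """Does a rule cover this request?  user is None when anonymous.

    '*' is everyone, '?' is the anonymous user, anything else is a name.
    """
    for name in _names(users):
        if name == "*" or (name == "?" and user is None):
            return True
        if user is not None and name.lower() == user.lower():
            return True
    held = {r.lower() for r in roles}
    return any(name.lower() in held for name in _names(roles_spec))


def is_allowed(rules, request_path, user=None, roles=()):
    """Evaluate one request: first matching rule wins, default is allow."""
    segments = [s for s in request_path.strip("/").lower().split("/") if s]
    chain = []
    # Most specific location first: 'admin/secret.aspx' before 'admin'.
    for i in range(len(segments), 0, -1):
        chain.extend(rules.get("/".join(segments[:i]), []))
    chain.extend(rules.get("", []))
    chain.append(DEFAULT_RULE)
    for verdict, users, roles_spec in chain:
        if _matches(users, roles_spec, user, roles):
            return verdict == "allow"
    return True  # not reached: DEFAULT_RULE always matches


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONFIG)
    for path, user in [("/default.aspx", None), ("/admin/default.aspx", None),
                       ("/admin/default.aspx", "user2"),
                       ("/protected/data.aspx", "User1"),
                       ("/protected/data.aspx", "user2")]:
        verdict = "allow" if is_allowed(rules, path, user) else "deny"
        print(f"{path:24} {user or 'anonymous':10} -> {verdict}")
    wrong = load_rules(WRONG_ORDER_CONFIG)
    print("wrong order, user1 ->", is_allowed(wrong, "/protected/data.aspx", "user1"))
```

Running it shows the anonymous request to /admin/ denied, user2 allowed into /admin/ but not /protected/, "User1" admitted to /protected/ despite the different capitalisation, and user1 locked out entirely by the mis-ordered counter-example.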
As you can see, the web.config file allows for some fairly complex security restrictions once you understand the required format. Keeping all of these security settings in web.config, as opposed to implementing them with IIS settings, has a few benefits. The most obvious are that the developer can configure the security themselves without getting a server administrator involved, and that deploying the application to multiple servers is easier, since all of the settings travel with the code and no system changes are needed. One caveat to keep in mind: on IIS 6 and earlier these rules only cover requests that IIS hands to ASP.NET (such as .aspx pages); static files such as .html or .jpg in the same folders are served by IIS directly unless their extensions are also mapped to ASP.NET. IIS 7 in integrated pipeline mode applies the rules to every request.
Brad Kingsley is Founder and President of ORCS Web, Inc., a company that provides managed hosting services for clients who develop and deploy their applications on Microsoft Windows platforms.