
I have an AdminController protected by an Authorize attribute like this:

[Authorize(Roles = "Admin")]
public class AdminController :  BaseController
{
.....
}

And I have this security location section in my web.config:

<location path="admin">
   <system.webServer>
       <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="Admin" />
          </authorization>
       </security>
   </system.webServer>
</location>

If I remove the web.config section, everything works perfectly and only Admin can access Admin actions. With the section in, I am always redirected to my login page.

However, I need the web.config section because I have some static files in the Admin folder that I want to be protected and accessed only by the Admin role.

What's wrong with my web.config? Thanks.

  • unless a new syntax came out and I'm unaware, the correct tag is <deny> instead of <remove>... Commented May 1, 2011 at 14:34

1 Answer

The easiest way is to add a new web.config file to the admin section:

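<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <!-- Rules are evaluated top to bottom and the first match wins,
                 so the allow rule must come before the catch-all deny. -->
            <allow roles="Admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>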
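
ASP.NET evaluates the `<allow>`/`<deny>` rules in `<system.web><authorization>` from top to bottom and stops at the first rule that matches the request. The following added example (not part of the original answer) is a simplified Python model of that evaluation for auditing a folder-level web.config. The sample configs, user names and function names are constructed, and inheritance from parent config files and role-provider lookups are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the same two rules in both orders.
DENY_FIRST = """<configuration><system.web><authorization>
  <deny users="*" />
  <allow roles="Admin" />
</authorization></system.web></configuration>"""

ALLOW_FIRST = """<configuration><system.web><authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization></system.web></configuration>"""

def _csv(rule, attr):
    # Split a comma-separated attribute into lower-cased, trimmed values.
    return [v.strip().lower() for v in rule.get(attr, "").split(",") if v.strip()]

def _rules(config_xml):
    # Return the <allow>/<deny> elements in document order.
    section = ET.fromstring(config_xml).find("system.web/authorization")
    return [] if section is None else [r for r in section if r.tag in ("allow", "deny")]

def _matches(rule, user, roles, verb):
    verbs = _csv(rule, "verbs")
    if verbs and verb.lower() not in verbs:
        return False
    for u in _csv(rule, "users"):
        # "*" is everyone, "?" is anonymous, anything else is a user name.
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    return bool(set(_csv(rule, "roles")) & {r.lower() for r in roles})

def is_allowed(config_xml, user, roles=(), verb="GET"):
    """First matching rule wins; user=None models an anonymous request."""
    for rule in _rules(config_xml):
        if _matches(rule, user, roles, verb):
            return rule.tag == "allow"
    return True  # no match: falls through to the inherited default <allow users="*" />

def shadowed_rules(config_xml):
    """Rules that can never fire because an earlier verb-less users="*" rule matches everyone."""
    rules = _rules(config_xml)
    for i, rule in enumerate(rules):
        if "*" in _csv(rule, "users") and not _csv(rule, "verbs"):
            return [ET.tostring(r, encoding="unicode").strip() for r in rules[i + 1:]]
    return []

if __name__ == "__main__":
    for name, cfg in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, is_allowed(cfg, "alice", ["Admin"]), shadowed_rules(cfg))
```

Running `shadowed_rules` over each folder-level web.config in a deployment flags any rule placed after a catch-all, which is the ordering mistake that either locks out the intended role or leaves a later deny without effect.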