1

I am trying to protect a (sub)directory in my ASP.NET website that contains files (Videos, documents etc.) So I created a Web.config file:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow roles="Administrator"/>
      <allow roles="Author"/>
      <allow roles="Report"/>
    </authorization>
  </system.web>
</configuration>

These roles correspond with those defined in the asp.net roles table in my database.

I opened up IIS7 to check if the authorization rules were there and they were. But there were also 2 inherited rules that are set to "Allow all users". These rules seem to override my rules set in the Web.config. I can't delete these inherited rules.

Is there any way to disable these inherited authorization rules, only for my subfolder?

Thanks in advance!

2
  • I seem to get this working with the IIS authorization rules set from the IIS7 manager instead of using the ASP.NET authorization rules. Let me mess with it some more. Commented Jun 30, 2011 at 8:12
  • You've probably figured this out by now, but even if you have an inherited Allow rule, it can always be overridden with a Deny rule in a child directory. Check out my answer for details. Commented Mar 23, 2012 at 17:13

3 Answers

1

In the web.config of your root directory try the following

<location path="MySite/SubDirectory" allowOverride="false">
    <system.web>
        <authorization>
            <allow users="?" />
        </authorization>
    </system.web>
</location>

1 Comment

Thanks for your response! But this isn't showing up in my IIS7 control panel and doesn't seem to work. I think this still doesn't override the inherited rights.
1


Yes, you may add these authorizations through the IIS Manager using the .NET Authorization Rules as you mentioned, or in the Web.Config file. However, keep in mind that you MUST add the "Allow" rules before the "Deny" rules, because Deny always overrides at the same folder level. The order of precedence is:

Local Deny - being top priority
Local Allow
Inherited Deny
Inherited Allow

If a Local Deny rule exists before any other Local Allow rules at the same folder level, none of the Allow rules will be applied. For example, if I have a parent directory of Sales with child folders Management, Customers, and SalesTeam and I define a Deny rule for Sales, then all users/roles must be explicitly allowed in the child directories. Say I also have roles matching each of these folders, I would define an Allow rule for each of them to their corresponding folders, giving them access to the contents/pages therein.

I hope you find this useful. I know it's an old question. Cheers ;)

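As an added example (not code from the question or from any of the answers), the Python script below models how ASP.NET's UrlAuthorizationModule applies the rules that the question's Web.config and the precedence list above describe: the rules from the sub-directory's own config are evaluated before the inherited ones, and the first rule that matches the current user decides. That is why an inherited "Allow all users" rule cannot be deleted but also never needs to be: a rule placed in the child folder is tested first, and a trailing deny-all there means the inherited allow-all is never reached. The script parses the question's config, the same config with `<deny users="*"/>` appended, and a constructed root config standing in for the inherited allow-all rule, then evaluates three constructed principals. The `Principal` class, the user names, and the `effective_rules`/`outcomes` helpers are assumptions of this example; the `verbs` attribute of real rules is not modelled.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed copy of the sub-directory Web.config from the question.
QUESTION_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow roles="Administrator"/>
      <allow roles="Author"/>
      <allow roles="Report"/>
    </authorization>
  </system.web>
</configuration>"""

# Same file with a final catch-all deny, so no request falls through to inherited rules.
FIXED_SUBDIR_WEB_CONFIG = QUESTION_WEB_CONFIG.replace(
    '<allow roles="Report"/>',
    '<allow roles="Report"/>\n      <deny users="*"/>')

# Constructed stand-in for the inherited rule that IIS Manager shows as "Allow all users".
ROOT_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>"""


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    users: Tuple[str, ...]   # "*" = everyone, "?" = anonymous, anything else = a user name
    roles: Tuple[str, ...]


@dataclass(frozen=True)
class Principal:
    """Hypothetical stand-in for IPrincipal; name None means an anonymous request."""
    name: Optional[str]
    roles: FrozenSet[str] = frozenset()


def parse_rules(config_xml: str) -> List[Rule]:
    """Collect <allow>/<deny> children of <system.web><authorization> in file order."""
    root = ET.fromstring(config_xml)
    rules = []
    for el in root.findall("./system.web/authorization/*"):
        if el.tag not in ("allow", "deny"):
            continue

        def split(attr: str) -> Tuple[str, ...]:
            return tuple(v.strip() for v in el.get(attr, "").split(",") if v.strip())

        rules.append(Rule(el.tag, split("users"), split("roles")))
    return rules


def matches(rule: Rule, who: Principal) -> bool:
    """A rule matches if any listed user token or any listed role applies to the principal."""
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and who.name is None:
            return True
        if who.name is not None and u.lower() == who.name.lower():
            return True
    return any(r in who.roles for r in rule.roles)


def effective_rules(child_xml: str, parent_xml: str) -> List[Rule]:
    """Rules from the more specific (child) config are evaluated before inherited ones."""
    return parse_rules(child_xml) + parse_rules(parent_xml)


def is_authorized(rules: List[Rule], who: Principal) -> bool:
    """First matching rule wins; later rules, inherited ones included, are never consulted."""
    for rule in rules:
        if matches(rule, who):
            return rule.action == "allow"
    return True  # assumed default; unreachable here because the inherited allow-all always matches


def outcomes(child_xml: str) -> Dict[str, bool]:
    """Evaluate three constructed principals against child + inherited rules."""
    rules = effective_rules(child_xml, ROOT_WEB_CONFIG)
    return {
        "anonymous": is_authorized(rules, Principal(None)),
        "alice (Author)": is_authorized(rules, Principal("alice", frozenset({"Author"}))),
        "bob (logged in, no role)": is_authorized(rules, Principal("bob")),
    }


if __name__ == "__main__":
    for label, cfg in (("question's config", QUESTION_WEB_CONFIG),
                       ("with trailing deny-all", FIXED_SUBDIR_WEB_CONFIG)):
        print(label)
        for who, allowed in outcomes(cfg).items():
            print(f"  {who:28s} -> {'allowed' if allowed else 'denied'}")
```

Running it shows the difference the comments above are pointing at: with the question's config an authenticated user who holds none of the three roles matches no local rule and is let in by the inherited allow-all, whereas the appended `<deny users="*"/>` catches that user before the inherited rule is ever consulted. Anonymous requests are denied in both cases because `<deny users="?"/>` is the first rule evaluated.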

0

Try to remove them from ASP.NET Configuration. Open it with the small icon in the right corner of the Solution Explorer (or Project\Website->ASP.NET Configuration).

In ASP.NET Configuration use Security -> Access Rules -> Manage Access Rules for the appropriate folder.

3 Comments

Thanks for your response, the inherited rules do show up. And I can also add my own rule(s) but can't set the order. The inherited rules are always the last to be applied.
Put Deny All rule just before the default Allow All rule.
The Deny All before Allow All is the only route that worked for me. Even removing the rule from the top level site didn't take the inherited rule out.
