I am working on an ASP.NET 3.5 application running on IIS7 (Server '08) using MS Forms authentication and SqlRolesProvider. (I used the aspnet_regsql tool to create tables).
We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and the user can be in SysAdmins, AppAdmins, or both.
I can’t find a way to have the admin directory block access to users who are not in SysAdmins or AppAdmins. Either it allows all registered users, or it allows anyone.
Here are the relevant bits of my current configuration:
<configuration>
    ...
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="/client/security/login.aspx" timeout="480" />
        </authentication>
        <authorization>
        </authorization>
        <roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
            <providers>
                <clear />
                <add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
            </providers>
        </roleManager>
        ...
    </system.web>
    <system.webServer>
        <security>
            <authorization>
                <add accessType="Deny" users="?" />
            </authorization>
        </security>
        ...
    </system.webServer>
    <location path="admin">
        <system.webServer>
            <security>
                <authorization>
                    <remove users="*" roles="" verbs=""/>
                    <add accessType="Allow" roles="SysAdmins,AppAdmins" />
                </authorization>
            </security>
        </system.webServer>
        <system.web>
            <authorization>
                <deny users="*"/>
                <allow roles="SysAdmins,AppAdmins"/>
            </authorization>
        </system.web>
    </location>
</configuration>
I believe that this configuration is currently blocking everyone. I made similar configurations that do not block anyone.
, system.web system.webserver. .
UPDATE
< system.webServer > <location> .aspx ! , .js - ... .js, . .
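Added example (not the poster's configuration): a `<location>` block for the admin directory with the ASP.NET rules in the order that produces the intended behaviour. ASP.NET's `<system.web><authorization>` rules are evaluated top-down and the first matching rule wins, so a `<deny users="*"/>` placed before the `<allow roles=...>` rule denies every request before the allow rule is ever reached, which matches the "blocking everyone" symptom. Listing the allow rule first admits members of SysAdmins and AppAdmins and the trailing deny then rejects everyone else, including anonymous users. The IIS `<system.webServer>` rules are left as in the question, and the path and role names are the ones from the post; the assumption is that requests for the directory are processed by ASP.NET, since the managed authorization rules only apply to requests that reach the ASP.NET pipeline.

```xml
<configuration>
    <!-- Root-level settings (authentication, roleManager, IIS deny for anonymous) unchanged from the question. -->
    <location path="admin">
        <system.webServer>
            <security>
                <authorization>
                    <!-- Drop the inherited allow-all rule so only the rules below apply to /admin. -->
                    <remove users="*" roles="" verbs="" />
                    <add accessType="Allow" roles="SysAdmins,AppAdmins" />
                </authorization>
            </security>
        </system.webServer>
        <system.web>
            <authorization>
                <!-- Order matters: first match wins. Allow the admin roles first ... -->
                <allow roles="SysAdmins,AppAdmins" />
                <!-- ... then deny everyone else (authenticated Users and anonymous alike). -->
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>
```

A quick way to confirm the rule order is in effect is to sign in as an account that is only in the Users role and request a page under /admin: with the allow rule first it should be redirected to the login page, while a SysAdmins or AppAdmins account should reach the page.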