ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied

Question

I am having problems allowing a specific Role access to a specific page in a subdirectory.

My ASP.NET application has a directory, ~/Forms/Administration that has li

Answer 1

Two things:

1. The location is relative to the web.config file, so if your web.config is already in /Forms/Administration it should be corrected to be:

   <location path="Default.aspx">
       <system.web>
           <authorization>
               <allow roles="Administrator, User, AdditionalUser" />
           </authorization>
       </system.web>
   </location>
   

2. To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:

   <deny users="*" />
   <allow users="Administrator" />
   

Administrator will be denied since it matched the first entry of deny... even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:

<allow users="Administrator" />
<deny users="*" />

In Summary

If I am reading what you want correctly, this is probably the final product you want:

<configuration>
  <system.web>
    <authorization>
        <allow roles="Administrator, User" />
        <deny users="*"/>
    </authorization>
  </system.web>

  <location path="Default.aspx">
    <system.web>
        <authorization>
            <allow roles="AdditionalUser" />
        </authorization>
    </system.web>
  </location>

</configuration>