Allowing anonymous access to default page

My ASP.NET Forms 4.0 site is running with forms authentication. By default unauthorized users are denied, and then I allow access to certain pages. I have a problem allowing access to the default url: http:/example.com. I have this entry in web.config that defines default page:

<defaultDocument>
    <files>
        <clear/>
        <add value="default.aspx" />
    </files>
</defaultDocument>

and I have this location override:

<location path="default.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        开发者_如何学JAVA</authorization>
    </system.web>
</location>

It works OK when I go to the full url: http://example.com/default.aspx, but redirects to the login page if I go to http://example.com

Any ideas what am I doing wrong?

I just found answer in a response (by Dmitry) to a similar question here in SO: Forms Authentication Ignoring Default Document:

In Global.asax, method: Application_BeginRequest, place the following:

if (Request.AppRelativeCurrentExecutionFilePath == "~/")
    HttpContext.Current.RewritePath("default.aspx");

Worked like charm!

I've just figured out how to solve this without having to fudge a redirection.

If just happened to me after converting from .Net 2 to .Net 4 and I've never found my solution anywhere on the internet so here goes.

If like me your login page is also your default page you need to make sure you do the following two things in the web.config file

Add this to exempt to default.aspx from authentication (didn't need this in .Net 2)

<location path="default.aspx">
     <system.web>
         <authorization>
             <allow users="*" />
         </authorization>
     </system.web>
 </location>

And change the login url from this

<forms name="myform" loginUrl="~/default.aspx" timeout="240" defaultUrl="~/home.aspx"  slidingExpiration="true" protection="All" path="/" />

to this

<forms name="myform" loginUrl="~/" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />

and you should fine it all work nows, just tried it out on two different sites and it did the trick for me

I didn't like making a code change for this issue, especially because my site was working fine on my Windows Server 2008 R2 machine, but not on my Windows 7 SP1 development machine.

It turns out that the root cause of this issue is an update in Service Pack 1 for Windows 7:

http://support.microsoft.com/kb/2526854

The solution appears to be to disable the new "ExtensionlessUrl" feature that was added in SP1:

<system.webServer>

  <handlers>
    <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
    <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrl-Integrated-4.0" />
  </handlers>

  <validation validateIntegratedModeConfiguration="false" />

</system.webServer>

Obviously if you're using the ExtensionlessUrl feature this won't work for you, but I've documented it here for those migrating a legacy site and are wondering what has suddenly gone wrong.

This works for me in a test web app:

<location path="">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

<location path="Default.aspx">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Now I can't get to either "/" or "/Default.aspx" - give that a try (but use allow instead).