ASP.NET Authorization inherits rules

I am trying to protect a (sub)directory in my ASP.NET website that contains files (Videos, documents etc.) So I created a Web.config file:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow roles="Administrator"/>
      <allow roles="Author"/>
      <allow roles="Report"/>
    </authorization>
  </system.web>
</configuration>

These roles correspond with those defined in the asp.net roles table in my database.

I opened up IIS7 to check if the authori开发者_开发百科zation rules were there and they were. But there were also 2 inherited rules that are set to "Allow all users". These rules seem to override my rules set in de Web.config. I can't delete these inherited rules.

Is there any way to disable these inherited authorization rules, only for my subfolder?

Thanks in advance!

In web.config of your root directory try following

<location path=”MySite/SubDirectory” allowOverride=”false”>
    <system.web>
        <authorization>
            <allow users=”?” />
        </authorization>
    </system.web>
</location>

T

Yes, you may add these authorizations through the IIS Manager using the .NET Authorization Rules as you mentioned, or in the Web.Config file. However, keep in mind that you MUST add the "Allow" rules before the "Deny" rules, because Deny always overrides at the same folder level. The order of precedence is:

Local Deny - being top priority
Local Allow
Inherited Deny
Inherited Allow

If a Local Deny rule exists before any other Local Allow rules at the same folder level, none of the Allow rules will be applied. For example, if I have a parent directory of Sales with child folders Management, Customers, and SalesTeam and I define a Deny rule for Sales, then all users/roles must be explicitly allowed in the child directories. Say I also have roles matching each of these folders, I would define an Allow rule for each of them to their corresponding folders, giving them access to the contents/pages therein.

I hope you find this useful. I know it's an old question. Cheers ;)

Try to remove them from ASP.NET Configuration. Open it with small icon in the right corner of the Solution Explorer (or Project\Website->ASP.NET Configuration).

In ASP.NET Configuration use Security -> Access Rules -> Manage Access Rules for the appropriate folder.