Question:
I would like to restrict access by requesting login to just one page in my application. In webconfig I put it like this, but obviously this way requires authentication on all application pages.
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH">
</forms>
</authentication>
<authorization>
<deny users="?"/>
</authorization>
I could release the pages doing this, one by one:
<location path="Default.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
However, I would like to leave all pages free except one in the ~/Admin/ folder
Answer:
You can merge the two question codes and modify a little, as follows:
<authentication mode="Forms">
<forms loginUrl="~/Admin/Login.aspx" name=".ASPXFORMSAUTH">
</forms>
</authentication>
<authorization>
<allow users="*"/>
</authorization>
<location path="foo.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
So you release the entire site to everyone, but also deny only a specific page to the unauthenticated. On the "foo.aspx" page of the configuration above, the deny rule overrides the allow one, as it is more specific – but note that it denies access only to the unauthenticated.