Specify more than one directory in Web.Config's Location Path element

Question

In my ASP.NET's Web Config file I have the following location elements defined:

  <location path="">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

  <location path="dir1">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

  <location path="dir2">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

The example above is specifying that all directories will be locked down to anonymous users except the two directories dir1 and dir2.

I'm curious if there is a syntax that I can use that will allow me to define more than one directory within one location element. For example, it would be convenient if we could do something like this...

  <location path="dir1,dir2,etc">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>

Looks like it used to be documented as allowing a comma separated list of paths, but they fixed the documentation rather than implementing the documented feature. http://connect.microsoft.com/VisualStudio/feedback/details/104010/location-path-attribute-in-web-config-doesnt-accept-multiple-paths — Triynko, Mar 30 '11 at 18:44
@Triynko https://connect.microsoft.com/VisualStudio/feedback/details/104010/location-path-attribute-in-web-config-doesnt-accept-multiple-paths not found — Kiquenet, Jul 06 '15 at 07:24

score 44 · Answer 1 · answered May 02 '13 at 19:37

You cannot specify multiple elements in the path attribute, but you can make use of the configSource attribute.

For example, the following original web.config file:

<?xml version="1.0"?>
<configuration>
  <location path="form1.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="form2.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="form3.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="form4.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="form5.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="form6.aspx">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

Can be replaced by the following equivalent web.config, allow.config, and deny.config files:

web.config

<?xml version="1.0"?>
<configuration>
  <location path="form1.aspx">
    <system.web>
      <authorization configSource="allow.config" />
    </system.web>
  </location>
  <location path="form2.aspx">
    <system.web>
      <authorization configSource="allow.config" />
    </system.web>
  </location>
  <location path="form3.aspx">
    <system.web>
      <authorization configSource="allow.config" />
    </system.web>
  </location>
  <location path="form4.aspx">
    <system.web>
      <authorization configSource="deny.config" />
    </system.web>
  </location>
  <location path="form5.aspx">
    <system.web>
      <authorization configSource="deny.config" />
    </system.web>
  </location>
  <location path="form6.aspx">
    <system.web>
      <authorization configSource="deny.config" />
    </system.web>
  </location>
</configuration>

allow.config

<?xml version="1.0"?>
<authorization>
  <allow users="*"/>
</authorization>

deny.config

<?xml version="1.0"?>
<authorization>
  <deny users="*"/>
</authorization>

The usefulness of this approach increases as the number of allow/deny rules in each section increases.

Would I be able to simplify even further and only have lines for location with the configSource set there? So it would basically be just a list of locations? — Ray, Apr 06 '15 at 21:02
@Ray: When I tried that, I got `Unrecognized attribute 'configSource'`. — Scott Weldon, Jul 06 '16 at 18:31

score 16 · Accepted Answer · answered Jan 05 '11 at 20:20

16

sorry, but path property doesn't allow to use "," so you must write tag for all path, Or you can create web.config in each directory.

answered Jan 05 '11 at 20:20

Andrei Andrushkevich

9,905
4
31
42

score 0 · Answer 3 · answered Jun 13 '18 at 09:55

it is possible to set path to a specific folder. For example we have some aspx pages:

/data/pages/form1.aspx
/data/pages/form2.aspx
/data/pages/form3.aspx

By creating this rule in web.config:

<location path="data/pages">
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <remove name="X-Frame-Options" />
                <add name="X-Frame-Options" value="SAMEORIGIN" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</location>

All resources in data/pages will be affected.

Azum · Answer 4 · 2019-09-28T08:01:19.747

-1

I had a similar issue. so went with the normal way of creating separate tags, no other BETTER solution.

edited Sep 28 '19 at 08:01

answered Sep 28 '19 at 07:55

Azum

1
2

Specify more than one directory in Web.Config's Location Path element

4 Answers4

Linked