Allowing anonymous access to default page

Question

My ASP.NET Forms 4.0 site is running with forms authentication. By default unauthorized users are denied, and then I allow access to certain pages. I have a problem allowing access to the default url: http:/example.com. I have this entry in web.config that defines default page:

<defaultDocument>
    <files>
        <clear/>
        <add value="default.aspx" />
    </files>
</defaultDocument>

and I have this location override:

<location path="default.aspx">
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</location>

It works OK when I go to the full url: http://example.com/default.aspx, but redirects to the login page if I go to http://example.com

Any ideas what am I doing wrong?

I know what you're doing wrong - `path` matches the path that was requested and not the path it was redirected (on the server-side) to, so http://mysite.com does not match default.aspx. I can't help you fix it, though :( — Ry-, May 06 '11 at 20:39
Please see my answer regarding removing the ExtensionlessUrl modules [Forms Authentication Ignoring Default Document:](http://stackoverflow.com/questions/3824951/forms-authentication-ignoring-default-document) — Gregory Ostermayr, Jul 07 '11 at 13:26

score 11 · Accepted Answer · edited May 23 '17 at 12:00

11

I just found answer in a response (by Dmitry) to a similar question here in SO: Forms Authentication Ignoring Default Document:

In Global.asax, method: Application_BeginRequest, place the following:

if (Request.AppRelativeCurrentExecutionFilePath == "~/")
    HttpContext.Current.RewritePath("default.aspx");

Worked like charm!

edited May 23 '17 at 12:00

Community

1
1

answered May 06 '11 at 21:17

Andrey

20,487
26
108
176

You save Me a lot of headache... yes it's 2015 and I am still using web forms. Thank you! – Fabio Delarias Apr 01 '15 at 03:50

score 3 · Answer 2 · answered Jun 21 '11 at 14:03

I've just figured out how to solve this without having to fudge a redirection.

If just happened to me after converting from .Net 2 to .Net 4 and I've never found my solution anywhere on the internet so here goes.

If like me your login page is also your default page you need to make sure you do the following two things in the web.config file

Add this to exempt to default.aspx from authentication (didn't need this in .Net 2)

<location path="default.aspx">
     <system.web>
         <authorization>
             <allow users="*" />
         </authorization>
     </system.web>
 </location>

And change the login url from this

<forms name="myform" loginUrl="~/default.aspx" timeout="240" defaultUrl="~/home.aspx"  slidingExpiration="true" protection="All" path="/" />

to this

<forms name="myform" loginUrl="~/" timeout="240" defaultUrl="~/home.aspx" slidingExpiration="true" protection="All" path="/" />

and you should fine it all work nows, just tried it out on two different sites and it did the trick for me

Not really a solution. You just changed your authentication url (login.aspx) to your root. Might give you a solution now... but I highly advice against it. — Kees C. Bakker, Dec 09 '15 at 20:57

score 1 · Answer 3 · answered Jun 21 '13 at 21:56

I didn't like making a code change for this issue, especially because my site was working fine on my Windows Server 2008 R2 machine, but not on my Windows 7 SP1 development machine.

It turns out that the root cause of this issue is an update in Service Pack 1 for Windows 7:

http://support.microsoft.com/kb/2526854

The solution appears to be to disable the new "ExtensionlessUrl" feature that was added in SP1:

<system.webServer>

  <handlers>
    <remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
    <remove name="ExtensionlessUrl-ISAPI-4.0_64bit" />
    <remove name="ExtensionlessUrl-Integrated-4.0" />
  </handlers>

  <validation validateIntegratedModeConfiguration="false" />

</system.webServer>

Obviously if you're using the ExtensionlessUrl feature this won't work for you, but I've documented it here for those migrating a legacy site and are wondering what has suddenly gone wrong.

Josh M. · Answer 4 · 2011-05-06T21:25:36.313

-3

This works for me in a test web app:

<location path="">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

<location path="Default.aspx">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Now I can't get to either "/" or "/Default.aspx" - give that a try (but use allow instead).

edited May 06 '11 at 21:25

answered May 06 '11 at 20:39

Josh M.

26,437
24
119
200

1

@Josh - can you delete your answer so it doesn't mislead others? I didn't want to downvote it :) – Andrey May 06 '11 at 21:00
That doesn't help - you still need to somehow allow anonymous access to the `/` route - I've already tried that :( – Andrey May 06 '11 at 21:15
Sorry for being so unhelpful - try my current answer. – Josh M. May 06 '11 at 21:25
This only throws an error if you have duplicate entries, or another entry that does not have the path attribute define. However, it also does not achieve the desired result of making the default page open to the public. – Jereme Nov 07 '18 at 20:01

Allowing anonymous access to default page

4 Answers4

Linked