59

How does one specify root location in web.config to allow unauthenticated users access it?

The root location is served by default.aspx, but users normally don't see default.aspx, they just see http://mysite.com/.

So I've added 

  <location path="~/default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

Which works if user hits mysite.com/default.aspx, but if user hits mysite.com/ - he is still redirected to login page.

I've tried <location path="~"> (does not help) and also <location path="~/">, <location path=""> (site fails completely) and could not make it work.

Any ideas?

John Saunders
  • 160,644
  • 26
  • 247
  • 397
Michael Entin
  • 7,189
  • 3
  • 21
  • 26
  • can they access at least access the url: `http://mysite.com/default.aspx` ? – balexandre Feb 20 '12 at 09:00
  • why you are not using IIRF to redirect the user from default.aspx by writing a rewrite and redirect rule.? – CodeSpread Nov 29 '12 at 18:14
  • Can you post all of the authentication related web.config code? I am assuming there is more where you are denying users, where you define the location of the login. I'd like to see it all, and in the order that you have it specified in your web.config – Charles Wesley Dec 03 '12 at 17:30
  • Try `` in your web config – Sayan Dec 04 '12 at 09:02
  • 1
    Look for lulhuh answer below - it helped me in exact the same situation (mark as answer if it helped you too). – Michael Logutov Oct 21 '13 at 09:21
  • 1
    Answer by `lulhuh` should be the accepted answer http://stackoverflow.com/a/19154854/481207 – Matt Oct 05 '15 at 22:06

10 Answers10

47

Try this one:

<system.web>
    <urlMappings enabled="true">
        <add url="~/" mappedUrl="~/default.aspx" />
    </urlMappings>
    <authorization>
        <allow roles="admin"/>
        <deny users="*" />
    </authorization>
</system.web>
<location path="Default.aspx">
    <system.web>
        <authorization>
            <allow users="*" />
        </authorization>
    </system.web>
</location>
Alexey Smolyakov
  • 830
  • 7
  • 6
  • path can be a folder ? ~/subfolder ? – Kiquenet Dec 17 '20 at 15:45
  • I haven't bothered to actually log in to SO in years, but I reset my pw just so I could upvote this answer. I do not want to confess how much time I've burned trying to solve this problem, but urlMappings did the trick. The only distinction between my scenario and the OP's is that I am using routes, and sticking ~/MyRoute in the mappedUrl worked just fine. (I have also found that I require location authorizations for both the route and the target file.) – csj Apr 06 '22 at 21:44
9

only use 

<location path=".">
<system.web>
  <authorization>
    <allow users="*"/>
  </authorization>
</system.web>

or don't write path,because the default path is root(.)

mina morsali
  • 778
  • 1
  • 16
  • 29
  • 1
    You can't write with only dot ".", you get an error! :D – Bruno Casali Jul 23 '14 at 20:48
  • are you sure? this msdn resource say that default path is dot! http://msdn.microsoft.com/en-us/library/vstudio/ms178692(v=vs.100).aspx – mina morsali Jul 26 '14 at 05:02
  • 3
    I can confirm *dot* (and no path at all) is valid for pointing at root, but if anything you put under this location is specified elsewhere (outside the location) in the web config, it will throw an error for duplicate config sections. One would have to remove the "global" definition to make this work. – Ishmaeel Dec 22 '17 at 09:02
  • 3
    Oh, also important: Root in this case actually means "Root and everything below it" so this solution effectively means you have granted anonymous access to the **whole** site. – Ishmaeel Dec 22 '17 at 09:05
2

You can achieve by 2 method

Method 1:

You can set redirect path to http://mysite.com/default.aspx in IIS if any user directly comes to your site.in IIS7 you can do that by clicking on Default Document. Here i attached image for your reference

IIS7 setting to add your default page redirection

Method 2

You can go through this URL ASp.NET Membership to set your web config settings.

Let me know if you need more detail on this.

Chirag Babaria
  • 121
  • 9
2

The way we done it in the past was to create a folder for all functionality that requires login and set require auth for that folder. All aspx go to that folder. The root of the site stays open.

b0rg
  • 1,879
  • 12
  • 17
  • Well, our situation is the opposite, we only have a handful of pages that don't require authentication. It doesn't really makes sense to use your approach now. – Dyppl Dec 03 '12 at 06:19
2

You probably use a forms authentification no? 

<authentication mode="Forms">
   <forms loginUrl="~/Default.aspx" />
</authentication>

This will solve your problem. An alternative is:

  <location path="~/Default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
Demian Flavius
  • 785
  • 1
  • 10
  • 17
  • 2
    Authorization doesn't happen on the main page, I have a separate form for user login, so the first advice doesn't work in my case. I have the `location` directive similar to what you posted, but it doesn't help. http://example.com/MainPage.aspx works while just http://example.com/ doesn't. – Dyppl Dec 03 '12 at 06:18
1

If you only want to let unauthenticated users to access default.aspx you can use 

  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

before <system.web> and set that page as default in your web server.
In Visual Studio you can select the page and "Set As Start Page".

If you want to allow access to all the files in the root you have to create folders where you put your pages which need to be accessed by authenticated users.

You can create a Secure folder where you can put all your protected pages and change your web.config this way:

  <location path="Secure">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>

removing 

    <authorization>
        <deny users="?"/>
    </authorization>
LeftyX
  • 35,328
  • 21
  • 132
  • 193
  • 6
    this is exact the configuration I've posted in the question, and as I indicated - it is not working. the request for root directory (mysite.com/) is treated different than request to mysite.com/default.aspx - the rule for default.aspx does not apply – Michael Entin Feb 29 '12 at 01:28
0

To specify root directory you have to set it outside the location block.

<configuration> 
  <system.web>
    <authorization>
      <allow users=“*“/>
    </authorization>
  </system.web>
</configuration>

and then secure your other folder using location block

<location path=“AccessDenied.aspx“>
    <system.web>
        <authorization>
            <deny users=“?“/>
        </authorization>
    </system.web>
</location>
Wasa
  • 21
  • 3
0

Use this :

<location path="Default.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
<location path="~">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

It works for me.

SeyoS
  • 661
  • 5
  • 22
0

Merk was right!

I used 

<location path="">
            <system.webServer>
                <httpRedirect enabled="true" destination="http://www.newpathdestination.com" exactDestination="true" httpResponseStatus="Permanent" />
            </system.webServer>
        </location>

on Windows netserver (don't ask), making sure to put nothing in between the quotes for location path. Redirects a request for the old home page to the new home page.

David P
  • 11
  • 3
-4

If you want to specify the root of the directory, use <location path="" >

merk
  • 1,721
  • 5
  • 23
  • 39