When using ASP.NET forms authentication it is easy to restrict users from accessing pages in certain folders. I usually add a Web.Config file containing the Authorization block to each folder. If we wanted to allow the Admin role in a folder and deny everything else, we could use the following:
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom; the first matching rule wins. -->
      <allow roles="Admin" />
      <deny users="*" />
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
This is the entire Web.Config file for that folder. Provided you have a Web.Config in the root, you don’t need to repeat other elements here. Configuration files inherit elements from configuration files in parent folders.
Applying these settings on an entire folder may not always suit your needs. You can have the same control at a page level by using the Location element:
<configuration>
  <!-- path is relative to the folder that holds this Web.Config -->
  <location path="AdminPage.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
If the folder contains several pages, only AdminPage.aspx is restricted.
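The order of the allow and deny elements decides the outcome, because ASP.NET applies the first rule that matches the request. The following is an added example, not code from the original post: a simplified Python model of that first-match evaluation that can be run against a Web.Config before deploying it. The function names, the sample users and the reordered variant are constructed for illustration; the model ignores the verbs attribute and compares user and role names as exact strings.

```python
import xml.etree.ElementTree as ET

# Constructed input: the post's page-level config, plus a variant with the
# first two rules swapped to show why order matters.
GOOD = """<configuration><location path="AdminPage.aspx"><system.web><authorization>
  <allow roles="Admin" /><deny users="*" /><deny users="?" />
</authorization></system.web></location></configuration>"""
REORDERED = GOOD.replace('<allow roles="Admin" /><deny users="*" />',
                         '<deny users="*" /><allow roles="Admin" />')

def _split(value):
    """Turn a comma-separated attribute into a set of names."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def rules_for(config_xml, page):
    """Ordered (action, users, roles) rules for `page`:
    matching <location> rules first, then the folder-wide rules."""
    root = ET.fromstring(config_xml)
    scopes = [loc for loc in root.findall("location")
              if (loc.get("path") or "").lower() == page.lower()]
    scopes.append(root)
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
            for s in scopes
            for r in s.findall("system.web/authorization/*")
            if r.tag in ("allow", "deny")]

def is_allowed(config_xml, page, user=None, roles=()):
    """First matching rule wins. user=None models an anonymous request."""
    have = set(roles)
    for action, users, want in rules_for(config_xml, page):
        hit = ("*" in users                          # everyone
               or ("?" in users and user is None)    # anonymous only
               or (user is not None and user in users)
               or bool(want & have))
        if hit:
            return action == "allow"
    # No rule matched: the inherited default is <allow users="*" />.
    return True

if __name__ == "__main__":
    for label, cfg in (("post's order", GOOD), ("deny first", REORDERED)):
        print(label,
              "admin:", is_allowed(cfg, "AdminPage.aspx", "alice", ["Admin"]),
              "other role:", is_allowed(cfg, "AdminPage.aspx", "bob", ["Editor"]),
              "anonymous:", is_allowed(cfg, "AdminPage.aspx"),
              "other page:", is_allowed(cfg, "Other.aspx"))
```

With the rules in the post's order only the Admin role reaches AdminPage.aspx; with the deny placed first, the Admin role is locked out as well, and in both cases pages not named in a location element fall through to the inherited rules.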