ASP.NET WebForms Url authorization and an infinite loop. Web.config not working?

I've created a website which uses ASP.NET Identity for user account functionality. I want to restrict access to all pages in a specific folder ("Account") except "Login" and "Register" in my application using standard url authorization. Not logged-in users should be able to open only "Account/Login" and "Account/Register" and those authenticated should be able to open everything else except those pages.

The root Web.config has no authorization rules and a Web.config which I put in the Account folder has that:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>

  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

</configuration>

With those rules, however, there is a problem. Requesting any page in that folder, including "Login.aspx", causes a redirection to http://localhost:15284/Account/Login. As I said, even requesting the "Login" page redirects back to itself just like the user wasn't allowed so an infinite loop is created. That loop causes HTTP 404.15, because the query string exceeds its length limit ("?ReturnUrl=%2FAccount%2FLogin" is appended to the URL on every redirection).

Are my rules incorrect or is this something else? Perhaps the problem is somehow related to ASP.NET Identity? Or maybe this is happening because of url rewriting (enabled by default in VS 2013 WebForms template)?

Without that Web.config the website of course works but everyone has access to everything which is not really something I want.

Thanks in advance and sorry for my English! :)

Try

<location path="Login.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>

This should allow access to unauthenticated users.

Use the folder "account", or create another one in which you may insert the pages that you want accessible to anonymous users, with its own web.config that contains the following configuration:

<configuration>
    <system.web>
        <authorization>
            <allow users="?"/>
        </authorization>
    </system.web>
</configuration>

As you can see, without using the "location" tag

    <location path="Login.aspx">

whereas in the root web.config it remains this:

<authorization>
    <deny users="?"/>
</authorization> 

This is a workaround because as explained in this article: http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx "Rules contained in application-level configuration files take precedence over inherited rules. The system determines which rule takes precedence by constructing a merged list of all rules for a URL, with the most recent rules (those nearest in the hierarchy) at the head of the list"
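The merged-list rule quoted in the answer above, as an added Python model run over the question's Account/Web.config (it is not part of the original thread and is not ASP.NET's own code). Assumptions of the model: a `<location>` block applies only when its path equals the requested file name literally, the inherited list ends with the framework default `<allow users="*"/>`, and `Manage.aspx` and `alice` are constructed names.

```python
import xml.etree.ElementTree as ET

# Account/Web.config from the question (same rules, whitespace condensed).
ACCOUNT_CONFIG = """<configuration>
  <system.web><authorization><deny users="?"/></authorization></system.web>
  <location path="Login.aspx"><system.web><authorization>
    <allow users="?"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="Register.aspx"><system.web><authorization>
    <allow users="?"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""

# Assumed inherited tail of every merged list: the framework-level allow-all.
INHERITED = [("allow", "*")]


def rules(node):
    """Return [(action, users)] from node's <authorization>, in document order."""
    auth = node.find("system.web/authorization")
    return [] if auth is None else [(r.tag, r.get("users", "")) for r in auth]


def merged_rules(config_xml, file_name):
    """Nearest rules first: matching <location>, then folder, then inherited."""
    root = ET.fromstring(config_xml)
    merged = []
    for loc in root.findall("location"):
        # Assumption of this model: literal, case-insensitive name match.
        if loc.get("path", "").lower() == file_name.lower():
            merged += rules(loc)
    return merged + rules(root) + INHERITED


def is_allowed(config_xml, file_name, user=None):
    """First matching rule decides; user=None means an anonymous request."""
    for action, users in merged_rules(config_xml, file_name):
        names = [u.strip() for u in users.split(",")]
        if "*" in names or ("?" in names and user is None) or user in names:
            return action == "allow"
    return False  # unreachable while INHERITED ends the list with allow *


if __name__ == "__main__":
    for page in ("Login.aspx", "Login", "Manage.aspx"):
        for who in (None, "alice"):
            print(page, who or "anonymous", is_allowed(ACCOUNT_CONFIG, page, who))
```

Under the literal-match assumption, an anonymous request for `Login.aspx` is allowed, while the extensionless name `Login` picks up only the folder-level `<deny users="?"/>`.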

A bit old thread, but I hope this helps, at least someone. The redirect to /Account/Login comes from Startup.cs, which by default is somewhat the following:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });            
    }
}

So, replace the LoginPath = new PathString("/Account/Login") with your login path.

I struggled with the same problem for a while, but it works now.
