Securing a folder in ASP.NET web directory is not working

Question

I have read and implemented this SO post on the subject but it is not working. It is Forms Based Authentication. Do I have to implement Membership/Roles? If so, how? The following is not working in the sense is that all users still can get to SavAdmin folder.

<location path="~/SavAdmin">
    <system.web>
      <authorization>
        <allow roles="Savitas Admin"/>
       <deny users="?" />
      </authorization>

What happened to the Web Site Administration Tool in Visual Studio 2013 to create Roles, etc?

Answer 1

You don't need to implement Membership/Roles - the authorization element was available in .NET 1.x before Membership/Roles was created. But using Membership will simplify authentication when using Forms Authentication, and using Roles will simplify authorization.

The following is not working

What do you mean by "not working"?

Perhaps you are missing a deny element, such as:

<deny users="?" />

to deny anonymous users.

UPDATE

What's not working is that I can still get to that subfolder and it's list of files

I'm not clear what you mean by "get to that subfolder".

If you mean you can browse the directory, you need to configure IIS to prevent this. See the following link for more info: http://technet.microsoft.com/en-us/library/cc725840(v=ws.10).aspx

If you mean you can access aspx pages in that folder, this is probably because you don't have a <deny> element to restrict access.

Answer 2

Yes. you have to implement Membership/Roles if you use the above configuration.

Depending on whether you're using Windows Authentication or Forms etc., you can implement various mechanisms to secure the folder. let us know your authentication and the error you get etc.