5.3. Restrict Unauthorized Access to Pages
Note: The Login controls are useful only if you restrict access to the pages in your site. Learn how to restrict user access to your ASP.NET application.
So far, you have seen how to add a new login page to your web site and how to add users to your application. To ensure that users provide valid login credentials before they are allowed access to a specific part of your site, you need to configure ASP.NET to require that all users be authenticated before they are given access.
5.3.1. How do I do that?
In the earlier lab (Section 5.1), you saw how to use the Login control to get a user's credentials. In this lab, you will learn how to restrict access to certain pages based on the user's credentials. You will create a new folder in the existing project and then restrict access to this folder by modifying Web.config. When a page in the restricted folder is requested, the login page is loaded automatically to authenticate the user.
5.3.2. What about...
...using a single Web.config file to specify the access permission of the entire web application?
Besides adding a separate Web.config file to each folder in your web application to specify the access permission for each folder, you can also use the <location> element in the Web.config file in the root folder. The following entry in the Web.config file in the root of the web application is equivalent to Step 3:
    ...
    </system.web>
    <location path="Members">
      <system.web>
        <authorization>
          <deny users="?" />
        </authorization>
      </system.web>
    </location>
    </configuration>
Using this method eliminates the need to have multiple Web.config files in your project. You can use multiple <location> elements to specify the permission for each folder.
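The following root Web.config is an added example, not part of the original lab, showing several <location> elements side by side. The Admin and Reports paths, the Login.aspx page name and the siteadmin user are assumptions made for illustration; only the Members folder comes from the lab.

```xml
<?xml version="1.0"?>
<!-- Added example: root Web.config. Folder, file and user names are assumed. -->
<configuration>
  <system.web>
    <!-- Authentication is set once, at application level; it cannot be
         overridden per folder inside a <location> element. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />  <!-- assumed login page name -->
    </authentication>
    <!-- No <authorization> here, so the rest of the site (including the
         login page) stays open to anonymous users. -->
  </system.web>

  <!-- Equivalent of a Web.config inside Members: "?" means anonymous users. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <!-- Rules are checked top to bottom and the first match wins, so the
       allow must come before the catch-all deny ("*" means all users). -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow users="siteadmin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- path may also name a single page rather than a folder. -->
  <location path="Reports/Monthly.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

If the two rules under Admin were swapped, the deny for "*" would match first and lock out every user, including siteadmin.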
5.3.3. Where can I learn more?
Check out the MSDN Help topic on the <location> element to learn more about the use of this element in Web.config files.