I have an application that uses HTTP calls to local web services. While the whole application is secured by ASP.NET forms authorization, I want a specific folder to be available to local calls only.

How can I do that?

Thanks!

A: 

In your web.config you can do something like:

  <location path="~/blog/add">
    <system.web>
      <authorization>
        <allow users="admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
leppie
This is not working. Maybe I should set a user named admin for that?
yn2
+2  A: 

I don't think there is anything native in forms authentication that will do that. You'll either have to:

  1. Extend forms authentication to cope with this (I think it is sealed in places though).
  2. Have all of the items in that folder inherit from a base class that checks the IP address of the caller.
  3. Use IIS to lock down that directory to local clients (in IIS7 this can be done in .config I believe).
  4. Add an HTTP handler to intercept calls to that directory and redirect them if not local (this might be easiest).

Hope that helps, a little vague but a starting point.

Ryan ONeill
+1  A: 

All of Ryan's suggestions are good. Here are two more (variations on his point # 2).

In the Global.asax, you can use the Application_BeginRequest to do something like this:

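// Redirect requests for the admin folder unless they come from loopback or 172.16.x.x.
// The trailing dot keeps the prefix from also matching 172.160.x.x and similar addresses.
if (Request.UserHostAddress != "127.0.0.1" && !Request.UserHostAddress.StartsWith("172.16.") && Request.Url.AbsolutePath.Contains("AdminFolderName"))
{
    Response.Redirect("~/somenonproectedpageornoaccessmessagepage.aspx", true);
}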

or use a MasterPage for each aspx page in that folder and put the following in the Page_Load

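// Redirect any caller that is not loopback or on 172.16.x.x.
// The trailing dot keeps the prefix from also matching 172.160.x.x and similar addresses.
if (Request.UserHostAddress != "127.0.0.1" && !Request.UserHostAddress.StartsWith("172.16."))
{
    Response.Redirect("http://www.kwiktrip.com", true);
}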
David Stratton
Thanks! I used your second option.
yn2
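
An added example (not code from any of the answers above): an `IHttpModule` that takes the intercept-and-reject approach with `Request.IsLocal`, which also covers the IPv6 loopback `::1` that a comparison against "127.0.0.1" misses, and answers with 403 instead of a redirect. The class name `LocalOnlyModule` and the folder `/internal/` are assumptions.

```csharp
using System;
using System.Web;

// Added example. "LocalOnlyModule" and "/internal/" are hypothetical names.
public class LocalOnlyModule : IHttpModule
{
    // Assumption: app-relative folder that only local callers may reach.
    private const string ProtectedPrefix = "/internal/";

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpRequest request = app.Context.Request;

        // AppRelativeCurrentExecutionFilePath looks like "~/internal/service.asmx";
        // dropping the "~" makes the check independent of the virtual directory name.
        string path = request.AppRelativeCurrentExecutionFilePath.Substring(1);

        // Match the folder as a path prefix, case-insensitively, rather than
        // with Contains(), so "/public/internal/x.aspx" is not caught by accident.
        if (!path.StartsWith(ProtectedPrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // IsLocal is true for 127.0.0.1, ::1, and requests whose remote address
        // equals the server's own address. Behind a reverse proxy on the same
        // host every request looks local, so this check is not enough there.
        if (!request.IsLocal)
        {
            app.Context.Response.StatusCode = 403;
            app.Context.Response.SuppressContent = true;
            app.CompleteRequest(); // skip the rest of the pipeline
        }
    }

    public void Dispose() { }
}
```

Register the module in web.config under `<system.web>/<httpModules>` (classic pipeline) or `<system.webServer>/<modules>` (IIS 7 integrated pipeline).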
