admin folder permissions.. not allow guests

Question

I have a membership web application. A user is either an administrator or a guest user (only 2 roles)

I have an admin folder and a guest folder in this application. I want administrators to access both folders and guest not to access Admin folder.

I am not using the .net member/role/profile framework. What's the easiest way to secure that admin folder?

I read something about changing location in webconfig... but dont kno where to put is??

any suggestions???

my web config

    <appSettings>
    <!--
  <add key="ChartImageHandler" value="storage=file;timeout=20;dir=c:\TempImageFiles\;" />
  -->
    <add key="ChartImageHandler" value="storage=memory;deleteAfterServicing=true;"/>
</appSettings>
<connectionStrings>
    <add name="abs" connectionString="Data Source=localhost\SQLEXPRESS;Initial Catalog=absDB;Integrated Security=True" providerName="System.Data.SqlClient"/>
</connectionStrings>


<system.web>
    <identity impersonate="true"/>
    <!-- 
        Set compilation debug="true" to insert debugging 
        symbols into the compiled page. Because this 
        affects performance, set this value to true only 
        during development.
    -->
<roleManager enabled="true" />
    <compilation debug="true">
        <assemblies>
            <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
            <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
            <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
            <add assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
            <add assembly="System.Web.Extensions.Design, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        </assemblies>
    </compilation>
    <!--
        The <authentication> section enables configuration 
        of the security authentication mode used by 
        ASP.NET to identify an incoming user. 
    -->
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" name="Cookie" timeout="120" path="/">
        </forms>
    </authentication>
    <authorization>
        <deny users="?"/>
        <allow users="*"/>
    </authorization>
    <sessionState mode="InProc" cookieless="false" timeout="122"/>
    <!--
        The <customErrors> section enables configuration 
        of what to do if/when an unhandled error occurs 
        during the execution of a request. Specifically, 
        it enables developers to configure html error pages 
        to be displayed in place of a error stack trace.

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm" />
        <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>
    -->
    <pages>
        <controls>
            <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
            <add tagPrefix="asp" namespace="System.Web.UI.DataVisualization.Charting" assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        </controls>
    </pages>
    <httpHandlers>
        <remove verb="*" path="*.asmx"/>
        <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
    </httpHandlers>
    <httpModules>
        <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    </httpModules>
</system.web>

Answer 1

Try this:

<configuration>

    <!-- ... all other elements ... -->

    <location path="Guests_Folder">
      <system.web>
         <authorization>
            <allow roles="Administrator, Guest"/>
            <deny  users="*"/>
         </authorization>
      </system.web>
    </location>
    <location path="Admin_Folder">
      <system.web>
         <authorization>
            <allow roles="Administrator"/>
            <deny  users="*"/>
         </authorization>
      </system.web>
    </location>
</configuration>

Place it inside your <configuration> tag

Answer 2

Does Guest have a login? If not, you can drop in a web config in the guest folder that has an for the web config.

The main thought is you can vary who gets access by adding a web config in each folder you want to control with the correct allow or deny elements for the roles you want to grant access. This works easiest if the guests are true guests. ie.not logged in. The fact that you have a config in each folder that varies from the root is the main thing you need to understand to get the authorization elements to work right.

You don't want to repeat the whole web.config, just the authorization part.