I currently have my access permissions in web.config:
    <location path="Account">
      <system.web>
        <authorization>
          <allow users="?"/>
        </authorization>
      </system.web>
    </location>
...
I don't like this for two reasons:
1) web.config becomes a mess as my website builds up
2) I'm not sure it's good security to keep the web page access rule so separated from the page itself. After all, I edit aspx/C# files most of the day and not web.config, so things tend to slip.
3) This is a very weird one... I just added ASP.NET4 routing, which changes the URLs. So, all of a sudden my web.config permissions are no longer valid! Similar to point #2 above.
I was thinking it would be better to just use PrincipalPermission as security attributes for the classes/C# files involved in each aspx. My question:
- Is this done by anyone, or is it a bad idea?
- More importantly... My PrincipalPermission attribute generates an exception (good) but does not redirect users back to the logon page (bad). Can this be fixed?
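
One way to get the redirect asked about above, shown as an added example that is not part of the original post: the attribute stays on the page class, and `Application_Error` in Global.asax turns the resulting `SecurityException` into a login redirect for anonymous users and a 403 for signed-in users who lack the role. The names `AccountSettings` and `Global` and the "Admin" role are hypothetical, and Forms authentication with a configured login URL is assumed.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Web;
using System.Web.Security;

// Code-behind of a hypothetical page. The demand is evaluated against
// Thread.CurrentPrincipal when the page class is instantiated, so the rule
// follows the class regardless of which routed URL maps to it.
[PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "Admin")]
public partial class AccountSettings : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Only reached when the demand above succeeded.
    }
}

// Global.asax.cs (hypothetical class name).
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null)
            return;

        // ASP.NET may wrap the original exception in HttpUnhandledException,
        // so inspect the innermost one.
        // Assumption: any SecurityException here is a failed principal demand.
        if (!(error.GetBaseException() is SecurityException))
            return; // leave every other error to the normal error handling

        Server.ClearError();

        if (!Request.IsAuthenticated)
        {
            // Anonymous user: send to the Forms authentication login page,
            // which appends ReturnUrl so the user comes back after signing in.
            FormsAuthentication.RedirectToLoginPage();
        }
        else
        {
            // Signed in but not permitted: redirecting to the login page
            // would loop, so answer 403 Forbidden instead.
            Response.StatusCode = 403;
        }
    }
}
```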