I have an AdminController protected by an Authorize attribute like this:

[Authorize(Roles = "Admin")]
public class AdminController :  BaseController
{
.....
}

And I have this security location section in my web.config:

<location path="admin">
   <system.webServer>
       <security>
          <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="Admin" />
          </authorization>
       </security>
   </system.webServer>
</location>

If I remove the web.config section, everything works perfectly and only Admin can access Admin actions. With the section in, I am always redirected to my login page.

However, I need the web.config section because I have some static files in the Admin folder that I want to be protected and accessed only by the Admin role.

What's wrong with my web.config? Thanks.

A: 

The easiest way is to add a new web.config file to the admin section:

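<?xml version="1.0"?>
<configuration>
    <system.web>
        <authorization>
            <!-- Rules are evaluated top to bottom and the first match wins,
                 so the allow for Admin must come before the catch-all deny. -->
            <allow roles="Admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>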
Hurricanepkt