Guys,

I am having some trouble when I use ASP .Net 4's URL Routing feature while Authorization rules are configured.

Global.asax

void Application_Start(object sender, EventArgs e) {
    RegisterRoutes(RouteTable.Routes);
}

private void RegisterRoutes(RouteCollection routes) {
    routes.MapPageRoute("dashboard", "", "~/Restricted/Default.aspx", true);
    routes.MapPageRoute("register", "register", "~/Register.aspx", true);
    routes.MapPageRoute("login", "login", "~/Login.aspx", true);
}

{Root}\Web.Config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="DevAuth" 
                   loginUrl="/login/" 
                   protection="All" 
                   path="/" 
                   timeout="15"
                   requireSSL="false" 
                   slidingExpiration="true" 
                   cookieless="AutoDetect" />
        </authentication>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
</configuration>

{Root}\Restricted\Web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="Developer" />
                <add accessType="Deny" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>

The problem I am facing is:

Any idea about what's going on?

EDIT 1

The following change in the config file gives me "Access is denied".

{Root}\Web.Config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.web>
        <authentication mode="Forms">
            <forms name="DevAuth" 
                   loginUrl="/login/" 
                   protection="All" 
                   path="/" 
                   timeout="15"
                   requireSSL="false" 
                   slidingExpiration="true" 
                   cookieless="AutoDetect" />
        </authentication>
    </system.web>
    <system.webServer>
        <security>
            <authentication>
                <basicAuthentication enabled="false" />
            </authentication>
        </security>
    </system.webServer>
    <location path="login">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="register">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="">
        <system.web>
            <authorization>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
</configuration>
+1  A: 

Hmmm, I think it comes around to this:

<location path="">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

The problem I see here comes from this path="", because this information tells the UserAgent [Browser, like IE or FF or Chrome] to block this address: http://localhost:xxxxx

which, in fact, points to your default route: ~/Restricted/Default.aspx

You are denying access to this page by default to all users. Hope it gives you a hint on how to do this.

LoganWolfer
A: 

You are actually not using URL Rewriting; you are using Routing. There's a significant difference between the two that is likely causing your trouble: With Routing, the URL you are requesting is never changed. So the authorization system is still doing its work based on the URLs typed in the address bar... it knows nothing at all about what the routing engine is doing after.

That explains your initial behavior perfectly: requesting the root/default (empty string route value) is permitted according to your initial auth rules. The fact that Routing is causing ~/Restricted/Default.aspx to be the content loaded is immaterial - that is, it is ignored. Likewise, directly requesting /Restricted/ would, then, trigger the auth mechanism.

Routing and file/location-based Authorization are actually very tricky to use together, for just this reason.

On the other hand, if you were using Rewriting (where the actual URL being requested is changed), things would work as you expect them to.

Andrew Barber
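An added C# example (not code from the question or from any of the answers) that makes this point concrete: a route handler that explicitly authorizes the routed physical target (~/Restricted/Default.aspx) in addition to the route URL that UrlAuthorizationModule already checked. It assumes the Restricted folder's Web.config carries its rules in the ASP.NET <system.web><authorization> section, which is the section CheckUrlAccessForPrincipal consults; the class and route names are hypothetical, and the fourth "true" argument to MapPageRoute in the question asks the stock PageRouteHandler to perform the same check.

```csharp
using System.Net;
using System.Web;
using System.Web.Routing;
using System.Web.Security;

// Hypothetical handler added for illustration. It wraps the stock PageRouteHandler
// and evaluates ASP.NET URL authorization for the physical target of the route,
// not just for the URL typed into the address bar.
public class PhysicalPathAuthorizingRouteHandler : PageRouteHandler
{
    public PhysicalPathAuthorizingRouteHandler(string virtualPath)
        // Disable the built-in physical-path check so the decision below is the only one.
        : base(virtualPath, checkPhysicalUrlAccess: false) { }

    public override IHttpHandler GetHttpHandler(RequestContext requestContext)
    {
        HttpContextBase ctx = requestContext.HttpContext;

        // The route URL ("/", "/login", ...) was already authorized earlier in the
        // pipeline; this is the file the route actually serves, e.g. ~/Restricted/Default.aspx.
        string target = GetSubstitutedVirtualPath(requestContext);

        // Reads the <system.web><authorization> rules that apply to `target`
        // (the IIS <system.webServer><security><authorization> rules are not consulted here).
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            target, ctx.User, ctx.Request.HttpMethod);

        if (!allowed)
        {
            // A 401 lets FormsAuthenticationModule redirect to loginUrl at EndRequest,
            // the same outcome as requesting /Restricted/ directly. Response.End()
            // terminates the request, so the return is only for the compiler.
            ctx.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            ctx.Response.End();
            return null;
        }
        return base.GetHttpHandler(requestContext);
    }
}

// Registration that replaces the MapPageRoute calls; route names mirror the question.
public static class RouteConfig
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        routes.Add("dashboard", new Route("", new PhysicalPathAuthorizingRouteHandler("~/Restricted/Default.aspx")));
        routes.Add("register", new Route("register", new PhysicalPathAuthorizingRouteHandler("~/Register.aspx")));
        routes.Add("login", new Route("login", new PhysicalPathAuthorizingRouteHandler("~/Login.aspx")));
    }
}
```

The value of writing the check out by hand is that it shows which configuration section the decision is based on; a rule placed only in the IIS authorization section of Restricted\Web.config will not be seen by it.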
A: 

As Andrew Barber writes, your authentication rules will not come into play when you use Routing in this way.

You can read more about routing and authentication/authorization here: http://blogs.msdn.com/b/mikeormond/archive/2008/06/21/asp-net-routing-and-authorization.aspx.

Berg