Scenario

I'm using a custom IPrincipal and IIdentity to do ASP.NET authorization. I set the Principal and Identity during the PostAuthenticateRequest event using an IHttpModule.

The web.config looks approximately like the following:

<system.web>
  <authorization>
    <allow verbs="GET,POST" roles="domain\group"/>
    <deny verbs="*" users="*"/>
  </authorization>
</system.web>
<location path="~/admin/user_search.aspx">
  <system.web>
    <authorization>
      <allow verbs="GET,POST" roles="admin"/>
      <deny verbs="*" users="*"/>
    </authorization>
  </system.web>
</location>

The Problem

When making a request the IPrincipal.IsInRole method gets called once to check domain\group but doesn't get called again to check the admin role. What is causing this? Do I have the location syntax incorrect or is there a deeper issue?

Notes

I thought initially that the web.config in the admin directory was overriding the web.config in the root directory, but I've tried removing it altogether as well as using it for the location element. Neither has worked so far.

+3  A: 

Don't use the tilde (~) at the start of paths for <location> elements, as it is not interpreted there. In your example, path="admin/user_search.aspx" should be correct.

Sam
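
A check for the mistake the answer describes, as an added example that is not part of the original answer: it scans a web.config for <location> elements whose path starts with a tilde and lists the authorization rules inside each one. The sample config is constructed from the question's snippet (a <configuration> root and a second, correctly written location are added), and the function and field names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's config wrapped in a <configuration> root,
# plus one correctly written <location> (hypothetical page) for contrast.
SAMPLE_WEB_CONFIG = r"""<configuration>
  <system.web>
    <authorization>
      <allow verbs="GET,POST" roles="domain\group"/>
      <deny verbs="*" users="*"/>
    </authorization>
  </system.web>
  <location path="~/admin/user_search.aspx">
    <system.web>
      <authorization>
        <allow verbs="GET,POST" roles="admin"/>
        <deny verbs="*" users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="admin/reports.aspx">
    <system.web>
      <authorization>
        <allow verbs="GET,POST" roles="admin"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def find_tilde_locations(config_xml):
    """Return one finding per <location> whose path starts with '~'."""
    findings = []
    for loc in ET.fromstring(config_xml).iter("location"):
        path = loc.get("path", "")
        if not path.startswith("~"):
            continue  # relative path, as the answer recommends
        # Collect the allow/deny rules that were meant for this path.
        rules = [(rule.tag, rule.get("roles") or rule.get("users") or "")
                 for auth in loc.iter("authorization") for rule in auth]
        findings.append({"path": path,
                         "suggested": path.lstrip("~").lstrip("/"),
                         "rules": rules})
    return findings


if __name__ == "__main__":
    for f in find_tilde_locations(SAMPLE_WEB_CONFIG):
        print(f"{f['path']} -> use path=\"{f['suggested']}\"; rules: {f['rules']}")
```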