Hi,
I'm trying to deny all users access to a page, but it wont work for some reason, the page is always accessible no matter what role the user account is in. The code below shows the authorization tags in my web.config:
<authentication mode="Forms" />
<authorization>
<deny users="?"/>
</authorization>
So the above code is in the <system.web> tags, outside those tags I have this:
<!-- Only administrators may access AdminTools.aspx -->
<location path="AdminTools.apsx">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
<!-- Allow access to App_Theme directory -->
<location path="App_Themes">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
<!-- Allow access to Images directory -->
<location path="Images">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
I've set up roles and will add a <allow roles="Administrator" /> tag once this is working.
I've had a look in my global web.config file and found the following:
<authorization>
<allow users="*" />
</authorization>
This was in the <system.web> tag, not sure if that's having an effect, if I change it to deny, or just comment it out, it denies access and wont let me login (under any type of account). The target framework is 3.5, I checked the machine.config and there's nothing I can see in there that would affect this.
Does anyone here have any suggestions for anything else I can try?
Thanks in advance.
Ross