Here I will explain how to restrict users to access a particular page or directory.
In the real time, I want to restrict some pages and specific directory, now will see how we add location tag inside web.config file and restricting access.
<configuration>
<!-- inside the Configuration tag you can add location Tag as shown below:w
Location tag have two attributes "path" and "allowOverride" -->
Path is used to give a path of the specific page or physical directory. Using the location element with an allowOverride = "false" attributes locks the entire configuration, similarly you can lock individual elements and attributes (refer to Image 2).
In the allow tag having eight attributes is as shown below
Image 2
But mainly three attributes are used often.
users: A comma-separated list of user names that are allowed access to the resource. A question mark (?) indicates that anonymous users are granted access to the resource. An asterisk (*) indicates that all users are granted access to the resource.
roles: A comma-separated list of roles that are granted access to the resource.
verbs: A comma-separated list of HTTP transmission methods that are granted access to the resource. Verbs that are registered to ASP.NET are GET, HEAD, POST, and DEBUG.
Example 1:
I want to restrict particular page, it will be available only to specific users like user1 & user2
For the above scenario use the following snippet in the web.config
<configuration>
<!—In this path you can give either give Directory or specific page name -->
<location path="_layouts/abc/testpage.aspx" >
<system.web>
<authorization >
<!-- Added the users which you want to give a access -->
<allow users="user1,user2"/>
<!-- denies access to all users except user1 and user 2 -->
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Result: testpage.aspx is able to access only by user1 & user2
You can restrict access based on roles; now we will see how to allow access based on roles.
Example 2:
The following code example demonstrates how to deny access to all user accounts and allows access to all members of the role Administrator.
<configuration>
<location path="_layouts/abc/testpage.aspx" >
<system.web>
<authorization >
<!—Add roles to give a access,you can add morethan one role with comma delimited -->
<allow roles="admininstrator"/>
<!-- denies to all users except those who role is "admininstrator"-->
<deny users="?"/>
</authorization>
</system.web>
</location>
</configuration>
Result: testpage.aspx is able to access only by those who role is "Administrator"
Need to know following things before we use in Authorization tag
allow users ="*" means access to everyone by Default
allow users ="?" means access only to unauthenticated (Anonymous) users
Similarly,
deny users ="*" means access is restricted to everyone
deny users ="?" means access is denied only for unauthenticated (Anonymous) users
Enjoy!!!