Chris, So you are running three separate apps on your site, with three separate bin directories, sessions, etc. As this is the case, I'd let them have their own web.config files. I think its more confusing to put all the config information in the root app's web.config, because it implies that the sub directories are merely sub directories and not apps in and of themselves.
I fully agree with you however that if they were true sub directories, it makes much more sense to keep all the config information centralized in the root config. That's where I would expect the entire application to be configured. Dean -----Original Message----- From: Chris Mohan [mailto:[EMAIL PROTECTED] Sent: Thursday, April 29, 2004 2:16 AM To: [EMAIL PROTECTED] Subject: [AspNetAnyQuestionIsOk] Re: Config of Windows & Forms Auth Hi Dean, Sorry, I just realized I left out some important details: In the scenario I was trying to describe the subdirectories "SecureArea1" and "SecureArea2" are configured as applications in IIS. So the dir structure would look something like this: |---\MainSite(Configured as An App in IIS) | +---Secure1(Configured as An App in IIS) | +---Secure2(Configured as An App in IIS) | +---MainSiteChild1 | +---MainSiteChild2 |web.Config(in mainSite's Root) What I think(hope) that this mix of settings acheives is the same thing as if those subdirectories had their own web.config files. While that method works fine I'm not in favor of having "maverick" config files in sub-directories. In the past I've inherited apps built by others who did not document thier work. SInce the sites were large I didn't happen to stumble upon the sub-dirs that had thier own web.configs for a good month and a half. The central web.config idea appeals to me because I like the notion of having the ability to look in the root level web.config and see how the whole appp is configured. Here's a good article about this exact topic but it uses the "maverick" web.configs in sub dirs approach: http://www.theserverside.net/articles/showarticle.tss? id=FormAuthentication --- In [EMAIL PROTECTED], "Dean Fiala" <[EMAIL PROTECTED]> wrote: > Chris, > Interesting. I've only created multiple authorization elements, never > multiple authentication elements. Not sure it actually works and reading the > docs, it shouldn't. > > A couple things... > 1) The windows authentication is allowing all users at the moment > > 2) You only can define the authentication element once, and it can only be > defined at the site level, not for sub folders. The authorization can be set > for sub folders. So you might want to change your code a bit... > > <system.web> > <authentication mode="Forms"> > <forms loginUrl="login.aspx" /> > </authentication> > </system.web> > > <location path="SecureArea1"> > <system.web> > <authorization> > <deny users="?" /> > </authorization> > </system.web> > </location> > > <location path="SecureArea2"> > <system.web> > <authorization> > <deny users="?" /> > </authorization> > </system.web> > </location> > > > > 3) you can still leverage windows security in your app, even if you are > using forms authentication. Just disable anonymous user access in IIS for > the directory you want to secure using Windows. This will force the user to > enter their domain credentials when trying to access a page in the > directory. > > HTH > > Dean Fiala > ----------------------------- > Very Practical Software, Inc. > http://www.vpsw.com/links.aspx > > > > > -----Original Message----- > From: Chris Mohan [mailto:[EMAIL PROTECTED] > Sent: Wednesday, April 28, 2004 2:51 PM > To: [EMAIL PROTECTED] > Subject: [AspNetAnyQuestionIsOk] Config of Windows & Forms Auth > > > Hi, I've configured a web app to use windows authentication and also > set up two separate subdirectories to use forms authentication. It > appears to work fine but I have never seen a sample that > demonstrates both in the same web.config (all the samples show a > snippet outside the context of the entire web.config) I don't like > assuming i've done this correctly and securely. > > Please take a look at the following from my web.config and let me > know what you think(what's below is stripped down to > the essentials w/ no attributes) Pretty basic, i just use a > location element for each sub-dir and then set the auth mode inside > of it. > > Thanks - C > > <?xml version="1.0" encoding="UTF-8" ?> > <configuration> > <system.web> > <authentication mode="Windows" /> > <authorization> > <allow users="*" /> > </authorization> > </system.web> > > <location path="SecureArea1"> > <system.web> > <authentication mode="Forms"> > <forms loginUrl="login.aspx" /> > </authentication> > <authorization> > <deny users="?" /> > </authorization> > </system.web> > </location> > > <location path="SecureArea2"> > <system.web> > <authentication mode="Forms"> > <forms loginUrl="login.aspx" /> > </authentication> > <authorization> > <deny users="?" /> > </authorization> > </system.web> > </location> > > > > > > Yahoo! Groups Links Yahoo! Groups Links Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/AspNetAnyQuestionIsOk/ <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/
