web.config?

andycharger

I'm having a problem with my web.config.

I have a web.config in my root application. This has security to stop people using files without being logged on.
I have a sub folder called "training" and this too has an identical web.config file.

What I want to do is take the security out of the root folder, which I have done successfully and just apply the security to files in the training folder.

However, it now does not work and gives the following error when I press the hyperlink to a file in the training folder.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Code:
Parser Error Message: It is an error to use a section registered as allowDefinition=MachineToApplication beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.

Source Error: 


Line 23:           "Forms", "Passport" and "None"
Line 24:     -->
Line 25:       <authentication mode="Forms"> 
Line 26:     <forms
Line 27: loginUrl = "logon.aspx"
 

Source File: c:\inetpub\wwwroot\inet1\training\web.config    Line: 25


Has anyone got any ideas?
 
While you can have multiple web.config files, there are elements in the file which can only appear in the web.config file of the virtual root, one of which is the <authentication> element.

To deny unauthenticated users, add a deny element under the authorization element of the root web.config file:

<authorization>
<deny users="?" />
...
</authorization>
 
That is fine, but....

The reason I ask is how do I specify what pages have the security and which don't?
I want the mainpage to be visible to all. You don't have to be logged in.
This is in the root directory.
The web.config file with the security is in this directory so it then wants the user to log in!

I then want the file in the training folder to redirect to the login page if a user is not logged in.

So how do I get some pages in the same directory to ignore the config file?
 
You have to break your application into subdirectories. Each of them can have its own web.config or you can specify security settings in main web.config file using <location> tag e.g.:
Code:
	<location path="admin">
		<system.web>
			<authorization>
				<deny users="?" />
			</authorization>
		</system.web>
	</location>
 
Sorry but it still doesn't work

I've now created 2 levels of authorisation in my root web.config file.
One has a location path to the folder "training"
When I run the application, I get the same message described in my original post.
Here is my code
Code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <location path="training">
		<system.web>
			 <authentication mode="Forms"> 
    <forms
loginUrl = "logon/logon.aspx"

 name = "FORMSAUTHCOOKIE"/> 
</authentication>
    
    <authorization>
     <deny users="?"/>
     <!--
        <allow users="*" /> Allow all users -->

            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>
		</system.web>
	</location>

  <system.web>

    <!--  DYNAMIC DEBUG COMPILATION
          Set compilation debug="true" to insert debugging symbols (.pdb information)
          into the compiled page. Because this creates a larger file that executes
          more slowly, you should set this value to true only when debugging and to
          false at all other times. For more information, refer to the documentation about
          debugging ASP.NET files.
    -->
    <compilation defaultLanguage="vb" debug="true" />

    <!--  CUSTOM ERROR MESSAGES
          Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable. 
          Add <error> tags for each of the errors you want to handle.
    -->
    <customErrors mode="RemoteOnly" />

    <!--  AUTHENTICATION 
          This section sets the authentication policies of the application. Possible modes are "Windows", 
          "Forms", "Passport" and "None"
    -->
     
    
    <authorization>
     
        <allow users="*" /> 

            <!--  <allow     users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
                  <deny      users="[comma separated list of users]"
                             roles="[comma separated list of roles]"/>
            -->
    </authorization>

    <!--  APPLICATION-LEVEL TRACE LOGGING
          Application-level tracing enables trace log output for every page within an application. 
          Set trace enabled="true" to enable application trace logging.  If pageOutput="true", the
          trace information will be displayed at the bottom of each page.  Otherwise, you can view the 
          application trace log by browsing the "trace.axd" page from your web application
          root. 
    -->
    <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />


    <!--  SESSION STATE SETTINGS
          By default ASP.NET uses cookies to identify which requests belong to a particular session. 
          If cookies are not available, a session can be tracked by adding a session identifier to the URL. 
          To disable cookies, set sessionState cookieless="true".
    -->
    <sessionState 
            mode="InProc"
            stateConnectionString="tcpip=127.0.0.1:42424"
            sqlConnectionString="data source=127.0.0.1;user id=sa;password="
            cookieless="false" 
            timeout="20" 
    />

    <!--  GLOBALIZATION
          This section sets the globalization settings of the application. 
    -->
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
   
  </system.web>

</configuration>
 
You can NOT set <authentication mode="Forms"> in location path. This can be done only at main level. What you can do is to set <authorization> tag. That means, you are setting authentication mode for whole application but you can allow or deny users (or groups) at any level individually.

I've copied your <authentication> tag back to root web.config (leaving authorization) and your file works fine.
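
The layout the last reply describes, written out as an added example (not posted by anyone in the thread). It reuses the `logon/logon.aspx` login URL and `FORMSAUTHCOOKIE` cookie name from the config posted above and leaves out the unrelated sections (compilation, customErrors, trace, sessionState, globalization).

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>

  <!-- Application root: the authentication section is registered as
       allowDefinition="MachineToApplication", so it is declared once here
       and never inside <location> or a subfolder web.config. -->
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="logon/logon.aspx" name="FORMSAUTHCOOKIE" />
    </authentication>

    <!-- Root pages (the main page, and the logon page itself) stay
         visible to everyone, logged in or not. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Only the "training" folder requires a login. "?" matches anonymous
       users, who are redirected to the loginUrl declared above. -->
  <location path="training">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>
```

A separate web.config inside the training folder gives the same result, provided it contains only the `<authorization>` block and no `<authentication>` element.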
 