
Overriding FormsAuthentication for Some URLs

30 Nov 2011 | CPOL | 2 min read
How to override FormsAuthentication for some URLs

Is This For You?

How often do you need your website to have both public and private pages? How often have you thought that creating virtual directories with specific web.config files was lame? If you feel the pain and want it to go away, read on! Also note that although I'll refer a lot to HttpHandlers in this post, everything here (except the route registration) is also true for common web pages.

Be Sure To Have a Look At This

A few days ago, I wrote about handling HttpHandlers with ASP.NET routing. I'll refer to those extension methods to register my test handler route, so have a look at that post before continuing.

Now what I need is a way to override the default FormsAuthentication configuration for a specific set of HttpHandlers.

Virtual Folder, web.config, and the ASHX Files

FormsAuthentication supports this out of the box: simply put the resources with special security concerns in a separate folder with its own web.config file.

So if you want a virtual directory to allow access to anonymous users, just add a web.config file with nothing but this in it:

XML
<configuration>
 <system.web>
  <authorization>
   <allow users="?" />
  </authorization>
 </system.web>
</configuration>

This will work for any resource that can be accessed through a URL, but this isn't always the case with HttpHandlers.

FormsAuthentication and HttpHandlers without ASHX File

Using the extension methods I wrote in that previous post, you can create an HttpHandler by simply creating a new class that implements the IHttpHandler interface and pointing a route to it, just like this:

C#
RouteTable.Routes.MapHttpHandlerRoute("Test", 
  "Unsecured/Controllers/Test", 
  new MyApplication.UnsecuredHandlers.MyUnsecuredHandler());

This means that, whenever you call http://mydomain/Unsecured/Controllers/Test, the request will be routed to the MyUnsecuredHandler instance, not to a physical URI location as usual. Now have a look at the route. It begins with Unsecured, right? Keep reading and you'll understand why.

But we're not there yet. What I really want is to say that some of my handlers allow anonymous requests, and for that, I'll edit my website's web.config and add the following:

XML
<configuration>
 <location path="unsecured">
  <system.web>
   <authorization>
    <allow users="*" />
   </authorization>
  </system.web>
 </location>
</configuration>

Now it is done! Notice that on the location path, I only have unsecured. This will grant request permissions to all routes that begin with unsecured, so only register a route under that prefix when the resource really should be reachable without logging in. This is great because now I don't have to bother about structuring the resources on virtual directories and possibly duplicating the code for different scenarios. Whenever I need a Page or an HttpHandler to be available to anonymous users, I just need to create a route to it that begins with unsecured.

If you don't like this approach (especially for pages where the URL is visible to users), you can always add as many location entries to the web.config as you like.

If you're not using Routing, you can still specify a location for your resources by putting the URI of the Page or HttpHandler in the path attribute:

XML
<configuration>
 <location path="MyUnsecuredPage.aspx">
  <system.web>
   <authorization>
    <allow users="*" />
   </authorization>
  </system.web>
 </location>
</configuration>
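
Because every location entry like the ones above opens a path to anonymous users, it helps to list them before deploying. The script below is an added example, not code from the original article: it parses a single web.config and reports which location paths an anonymous request is allowed to reach. The sample config, the Admin/Report.ashx path and the function names are constructed for illustration; the verbs attribute and web.config files in child folders are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the site denies anonymous users by default and opens
# the "unsecured" prefix, as in the article. Admin/Report.ashx is hypothetical.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authorization><deny users="?" /></authorization>
  </system.web>
  <location path="unsecured">
    <system.web>
      <authorization><allow users="*" /></authorization>
    </system.web>
  </location>
  <location path="Admin/Report.ashx">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>"""

def first_anonymous_decision(system_web):
    """Return 'allow' or 'deny' from the first rule that matches an anonymous user."""
    if system_web is None:
        return None
    # Rules are evaluated top-down; "?" is anonymous users, "*" is everyone.
    # Role-only rules never match an anonymous request, so they are skipped.
    for rule in system_web.findall("authorization/*"):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        if "?" in users or "*" in users:
            return rule.tag
    return None

def anonymous_locations(config_xml):
    """List the <location> paths that an anonymous request is allowed to reach."""
    root = ET.fromstring(config_xml)
    # Assumption: with no matching site-level rule, the machine-level default
    # (<allow users="*" />) applies, so the fallback is 'allow'.
    site_default = first_anonymous_decision(root.find("system.web")) or "allow"
    open_paths = []
    for loc in root.findall("location"):
        decision = first_anonymous_decision(loc.find("system.web")) or site_default
        if decision == "allow":
            open_paths.append(loc.get("path"))
    return open_paths

if __name__ == "__main__":
    print(anonymous_locations(SAMPLE_WEB_CONFIG))
```

Comparing the output against the list of paths you intended to make public catches a location entry that was added for testing and never removed.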

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)