I just start to learn web programming using IIS 7.5 in windows 2008 R2, and ASP.Net 4.
I notice that both IIS and ASP.Net can define Authentication rules. In IIS, there is a form authentication setting where I can redirect user to specified page for authentication, like below:
And then, in ASP web.config file, I find similar settings:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>
When I finish both settings, I assume any page request will be redirect to the login.aspx page. But it didn't. So I am confused. How do the 2 sets of configs work together? And why page request is not redirected?
Thanks
Update
Finally I get it working and I think I understand it now. My website structure is like below:
It is about modifying Autherization rules. Deny all unauthorized users for root:
<authorization>
<deny users="?" />
</authorization>
CSS files should be allowed for all users, so I have Styles\web.config:
<authorization>
<allow users="*" />
</authorization>
and only allow unauthorized users to access register.aspx, so I have Account\web.config:
<location path="Register.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
Best Answer
There's another component you need to configure: authorization. If you don't, unauthorized users have access to all pages and will not be redirected to the login page. For example:
This specifies that all unauthenticated users are denied access to pages in your application. The
authorizationelement is part of thesystem.webconfiguration section.