How do I configure ASP.net forms authentication to deny only a specific URL

问题

I have a site where I have a admin.aspx page.

Once the user has logged into the Admin.aspx page successfully, they will then be redirected to the Report.aspx page. Note that the Report.aspx page cannot be accessed without first successfully logging into Admin.aspx page.

Keep in mind that there are other pages like index.aspx, etc which any user can view without logging in. I just need the authentication for JUST the Report.aspx page.

I have the following code but does not seem to work as it says problem with virtual directory. Am I doing something fundamentally wrong?

  <location path="Report.aspx">
    <system.web>
        <authentication mode="Forms">
            <forms loginUrl="Login.aspx" >
                <credentials passwordFormat="Clear">
                    <user name="John" password="pass@432"/>
                </credentials>
            </forms>
        </authentication>
        <authorization>
            <deny users="*" />
        </authorization>
    </system.web>
</location>

回答1:

First it seems you are not allowing your user John. You also might want to try pulling the authentication section of out of the locaiton specific parts of the config file:

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" defaultUrl="Report.aspx">
        <credentials passwordFormat="Clear">
          <user name="John" password="pass@432"/>
        </credentials>
      </forms>
    </authentication>
  </system.web>

  <location path="Report.aspx">
    <system.web>
      <authorization>
        <allow users="John"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>

回答2:

To redirect the user after a successful login, use the DestinationPageUrl property.

<%@ Page Language="C#" autoEventWireup="false" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
        void PageLoad(Object sender, EventArgs e)
        {
            Login1.DestinationPageUrl = 
                String.Format("terms.aspx?{0}", Request.QueryString.ToString());
        }
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
    <head runat="server">
    <title>ASP.NET Example</title>
</head>
<body>
        <form id="form1" runat="server">
            <asp:Login id="Login1" runat="server" 
                DestinationPageUrl="terms.aspx">
            </asp:Login>
        </form>
    </body>
</html>

回答3:

In web.config file:

<location path="Default.aspx">
    <system.web>
        <authorization>
            <allow roles="Administrator, User, AdditionalUser" />
        </authorization>
    </system.web>
</location>

ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied

http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx

来源：https://stackoverflow.com/questions/15882511/how-do-i-configure-asp-net-forms-authentication-to-deny-only-a-specific-url