我正在开发一个.NET的ASP.NET Web应用程序，我试图否认谁是访问我的申请，但允许他们只到登录页面，未授权的所有用户。

I am developing a .NET for ASP.NET Web Application and am trying to deny all users who are unauthorised from accessing my application but allowing them only to the login page.

下面的code这是在我的System.Web节的一个片段：

Below is a snippet of the code which is inside my system.web section:

<authentication mode="Forms">
   <forms loginUrl="Login.aspx" timeout="60" name="APPNAME" slidingExpiration="true" />
</authentication>
<authorization>
   <deny users="?" />
</authorization>

我也有这个之外，以允许访问登陆页面：

I also have this outside to allow access to the login page:

  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

不过我仍然能够访问的时候，我没有登录的网页，我怎么能阻止这种情况的发生？

However I am still able to access pages when I am not logged in, how could I stop this from happening?

我甚至增加了一个web.config文件，其中存储了大多数的网站上的文件，其内容是主文件夹：

I have even added a Web.Config file to the Main folder which stores most of the website files which the contents of is:

<?xml version="1.0"?>
<configuration>
    <appSettings/>
    <connectionStrings/>
    <system.web>
        <authorization>
            <deny users="?" />
        </authorization>
    </system.web>
</configuration>

但是，这仍然没有任何效果。

But this is still not having any effect.

解决方案

我也遵循了asp.net（ HTTP提供一些优化建议：//万维网。codeproject.com / KB / ASPNET / 10ASPNetPerformance.aspx ），并删除了AnonymousIdentification HTTP模块，我真正需要的。

I had followed some optimisation tips for asp.net (http://www.codeproject.com/KB/aspnet/10ASPNetPerformance.aspx) and removed the AnonymousIdentification httpModule which I actually needed.

推荐答案

我想你会发现是，它更容易处理ASP.NET授权，如果你把不同的网页在不同的文件夹不同预期的作用。这不是一个要求。这只是更易于管理。

I think what you will find is that it is far easier to deal with ASP.NET authorization if you put different web pages with different intended roles in different folders. That's not a requirement. It's just easier to manage.

如果你是在VS 2010中（我不知道这是前preSS版）尝试使用ASP.NET配置工具在项目菜单的底部。

If you are in VS 2010 (I'm not sure this is in the express edition) try using the ASP.NET Configuration tool at the bottom of the Project menu.

我发现，这是简单易学的web.config文件中通过使用该工具在第一，作出一些改变，以安全，然后去看着它的所作所为是如何工作的。

I found that it was easy to learn how the web.config files worked by using that tool at first, making some changes to security, and then going and looking at what it did.

如果你刚开始在VS 2010中一个空白ASP.NET应用程序，你可以锁定一切，但在登录并通过使两个改变注册页面：

If you just start with a blank ASP.NET application in VS 2010, you can lock out everything but the login and register page by making two changes:

在根web.config

In the root web.config

 <system.web>
    <authorization>
      <deny users="?" />
    </authorization>

在账户中的子文件夹中的web.config

In the web.config in the Account subfolder

<?xml version="1.0"?>
<configuration>

  <location path="Register.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>

  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>

</configuration>

您可以看到的是，用户会立即定向到登录页面，但他们仍然可以注册。

What you'll see is that the user is immediately directed to the login page, but they can still register.