Best practise to authorize all users for just one page

Question

What is the best way to authorize all users to one single page in a asp.net website.

For except the login page and one other page, I deny all users from viewing pages in the website.

How do you make this page accessible to all users?

Answer 1

I've been using forms authentication and creating the necessary GenericIdentity and CustomPrincipal objects that allows me to leverage the User.IsInRole type functions you typically only get with Windows authentication.

That way in my web.config file, I can do stuff like...

<location path="Login.aspx">
   <system.web>
      <authorization>
         <allow users ="*" />
      </authorization>
   </system.web>
</location>

<location path="ManagementFolder">
   <system.web>
      <authorization>
         <allow roles ="Administrator, Manager" />
      </authorization>
   </system.web>
</location>

Answer 2

I created a base "page" class that handles that sort of thing. All my pages can then be decorated with the RequiresLogin attribute if a login is required to view them. If the attribute is not present, the page is accessible to all.

Example:

<RequiresLogin()> _ 
<RequiresPermission("process")> _
Partial Class DesignReviewEditProgressPage
    Inherits MyPage 'which inherits System.Web.UI.Page and deal with logins itself

    ...
End Class

The MyPage class checks what attributes are being tagged to itself and if RequiresLogin is present, it forwards you to a login page.

I believe this could be adapted to fit your own problem.