Here are the structure of my web site:
Login.aspx in the root path
UserInfor.aspx and 1.txt in the sub-directory folder named 'Restricted'
Authenticate this website with form authentication configured in IIS, and does not allow anonymous to get into the Restricted folder with the web.config file.
I think it should work this way, if I manually access the 1.txt in the browser, I should be able to view the content, and if I go to the modules configuration for this applicaiton in IIS7, find the 'UrlAuthorization' module, and cancle the listbox for 'invoke for requests to asp.net ...', I should be directed to the loginurl setting in the root web.config file when I access the 1.txt file without logging, however, I still can see the content of 1.txt. Any suggestions?
View Complete Post