ASP.NET Deny Access to certain pages based on roles

I have the following in web.config, but s开发者_运维技巧till users without role MAnager or Admin can still access the pAccessData.aspx page. The page is stored in directory Users

<location path="Users"  >
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="~/Users/ChangePassword.aspx"  >
    <system.web>
      <authorization>
        <allow users="*"  />
      </authorization>
    </system.web>
  </location>

  <location path="~/Users/pAccessData.aspx"  >
    <system.web>
      <authorization>
        <allow roles="Manager,Admin"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

---

You did not add <deny users="?"/>, it should be like...

<location path="Users/pAccessData.aspx"  >
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow roles="Manager,Admin"/>            
      </authorization>
    </system.web>
  </location>

Edit: you have specified <allow users="*" /> which means, it will allow access to all users, as you have not mentioned the roles for which a user can access the folder.

<location path="Users"  >
<system.web>
  <authorization>
    <allow users="*" />
  </authorization>
</system.web>