Securing Localization Admininistration on classic ASP.NET

By default the LocalizationAdmin folder that allows adding and editing of Resources is open access and available without security. There's no special built-in way to configure security for the API or the admin page as any sort of ASP.NET application (WebForms, MVC or any other frameowork) is supported and there's no dependency on any of these frameworks.

So in order to lock down the administration interface you can fall back to ASP.NET's native functionality available in web.config.

Setting Authorization in web.config

In classic ASP.NET Application (using System.Web) on Windows you can create a custom location inside of the web.config file and excude any unauthenticated users:

<configuration>
    <!-- overall security has to be set up at the application level -->
    <system.web>
        <authentication mode="Forms">
          <forms loginUrl="account/login" />
        </authentication>
    </system.web>
    
    
    <location path="LocalizationAdmin">
        <system.web>
            <authorization>
                <!-- don't allow unauthorized users -->
                <deny users ="?" />
            </authorization>
        </system.web>
    </location>
</configuration>

How you actually handle security depends on what you're doing internally to authorize. Most likely your app uses Forms Auth, but you can also set to Windows auth and it should prompt you to log in with Windows credentials. You can also further customize the access rules to specific roles or users that are allowed explicitly via the Authorization section.

For a good article that described ASP.NET based forms auth security:

• Setting authorization rules for a particular page or folder in web.config