nice class, but it's equivalent to the work I did. If anybody tries to access blog pages, asp.net redirect to the login.aspx page (using the selected theme master page).
I had to allow "themes", "js.axd" and "metaweblog.axd" since these resources are used from the login.aspx and master page themselves.
LoginView control templates let you customize very easily the master page for loggedin users or anonymous users.
What I really would like is the ability to use a NetworkCredential instance in the argotic library (they do support authentication to protected feeds) in order to read the feed.
This is actually not possible in BlogEngine since syndication.axd is virtual and AFAIK does not make any security check. In other words if I allow syndication.axd, every user will be able to read the content and no security check will be possible to avoid
Actually I partially solved the problem this way:
1. allowing access to syndacation.axd resource with the above asp.net location element tag
2. add to web.config the IIS7 specific system.webServer element tag:
<!-- In order to make this setting work, run this statement from a command prompt -->
<!-- appcmd.exe unlock config -section:system.webServer/security/ipSecurity -->
<add ipAddress="127.0.0.1" allowed="true" />
This further modification means that asp.net allow syndication.axd to everybody, while the IIS7 specific ipSecurity filter will allow access to syndication.axd only from 127.0.0.1.
I really don't like this solution. If I can express a wish for this beautiful piece of work called blogengine, I would say to split the project in multiple parts:
a. the engine itself without any knowledge of UI
b. syndacation protocol
c. metaweblog protocol
each of them should support authentication/authorization stuff. This would probably fit with the multiblog wish I read on past threads.
Anyway my problem is simpler and I want to congratulate with the authors.