ASP.NET 2.0: Best Way To Set Up Access Based On Roles

Discussion in 'ASP .Net Security' started by va, Feb 2, 2006.

  1. va

    va Guest

    Using the Web Site Administration Tool Security Tab, I wanted to:

    1) Deny access to certain web pages based on a user's logged in Role

    PROBLEM: But the Web Site Administration Tool Security Tab forces me to
    deny access only by directory not actual web page files. Should I just
    segregate the web page files into different directories?

    2) Have SiteNavigation and SiteMapData properly correspond and only show
    allowable pages on the site based on role

    PROBLEM: No idea how to do this?


    Thanks
     
    va, Feb 2, 2006
    #1

  2. hi,

    start here:
    http://66.129.71.130/QuickStartv20/aspnet/doc/security/default.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Using the Web Site Administration Tool Security Tab, I wanted to:
    >
    > 1) Deny access to certain web pages based on a user's logged in Role
    >
    > PROBLEM: But the Web Site Administration Tool Security Tab forces me
    > to deny access only by directory not actual web page files. Should
    > I just segregate the web page files into different directories?
    >
    > 2) Have SiteNavigation and SiteMapData properly correspond and only
    > show allowable pages on the site based on role
    >
    > PROBLEM: No idea how to do this?
    >
    > Thanks
    >
     
    Dominick Baier [DevelopMentor], Feb 2, 2006
    #2

  3. va

    MikeS Guest

    1. Set up your location tags in web.config (or using the UI) to protect
    the pages themselves.

    <location path="mypage.aspx">
      <system.web><authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization></system.web>
    </location>

    2. Set the securityTrimmingEnabled="true" attribute on your sitemap
    provider to exclude nodes that a role can't use.

    You can also add a roles attribute to your site map nodes but that just
    excludes them and does not protect them like 1 above, as far as I know.

    3. Profit
     
    MikeS, Feb 2, 2006
    #3
  4. va

    va Guest

    Mike,

    Thank you so much. I got caught up in the new stuff and forgot the old
    approaches!
     
    va, Feb 2, 2006
    #4
  5. va

    Yendi Guest

    Hi Mike,

    Is there a way to declare the url the user has to be redirected to when
    he's not authorized to view a certain page? Right now, I'm doing it
    exactly as you said, and it's redirecting to login.aspx... but I want
    it to go to... let's say... noAccess.aspx. Can I do that?

    Thanks.
     
    Yendi, Feb 3, 2006
    #5
  6. Hi,

    no - you will always redirect to the login page.

    You can however on the login page detect if the user is already logged in
    - if he is - then the redirect is most likely a no-access problem - if he is
    not authenticated - then it seems to be a logon...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi Mike,
    >
    > Is there a way to declare the url the user has to be redirected to when
    > he's not authorized to view a certain page? Right now, I'm doing it
    > exactly as you said, and it's redirecting to login.aspx... but I want
    > it to go to... let's say... noAccess.aspx. Can I do that?
    >
    > Thanks.
    >
     
    Dominick Baier [DevelopMentor], Feb 3, 2006
    #6
  7. va

    MikeS Guest

    Dominick has a good suggestion, and there are others.

    http://weblogs.asp.net/pwilson/archive/2004/05/11/129844.aspx

    Me, I just wouldn't show them a link they can't visit and if they visit
    it, it is OK to boot them.

    Otherwise, if you want to show the link as a tease for premium content
    maybe disable the link or change its navurl based on whether the user
    has rights to the content, perhaps with a custom sitemap provider or
    web control.
     
    MikeS, Feb 4, 2006
    #7
  8. va

    MikeS Guest

    Short of all that, it looks like you can set your sitemap up to show
    different links to different user types.

    <siteMapNode url="default.aspx" title="Home">
      <siteMapNode title="Premium" url="noaccess.aspx?wanted=premium" />
      <siteMapNode title="Premium" url="premium.aspx" />
    </siteMapNode>

    You have to have location tags in web.config restricting premium.aspx
    to the "premium" role and restricting noaccess.aspx to the "regular"
    role as well as securityTrimmingEnabled set on the provider. This makes
    for double sitemap entries for each premium offering (but I could not
    get a custom provider and/or SiteMapResolve to do this for me). Note
    that noaccess.aspx can be used repeatedly in the map if the querystring
    is changed to make the url unique, besides, you can use that to figure
    out why they got bounced. Also note that the user can only be in one
    role or the other.
     
    MikeS, Feb 5, 2006
    #8
  9. va

    MikeS Guest

    Moreover...

    If you want to do without the location tags in web.config you could set
    up the sitemap using the roles I described like so.

    <siteMapNode url="default.aspx" title="Home">
      <siteMapNode title="Premium" roles="premium">
        <siteMapNode title="Blog" url="blog.aspx" />
        <siteMapNode title="Email" url="email.aspx" />
      </siteMapNode>
      <siteMapNode title="Premium" roles="regular">
        <siteMapNode title="Blog" url="noaccess.aspx?what=blog" />
        <siteMapNode title="Email" url="noaccess.aspx?what=email" />
      </siteMapNode>
    </siteMapNode>
     
    MikeS, Feb 5, 2006
    #9
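
Added example (not part of the thread, and not code from any poster): the caveat in post #3, that a roles attribute in the site map hides a link but does not protect the page, can be checked mechanically when the location tags are left out as in post #9. This Python sketch cross-checks a Web.sitemap against web.config and lists pages that sit under a roles-limited node yet remain requestable by a logged-in user with no roles. The function names and sample files are constructed for illustration, and the rule model is simplified (first match wins, roles and the `*`/`?` wildcards only, no named users, verbs or directory-level web.config files).

```python
import xml.etree.ElementTree as ET

# Constructed sample input, modelled on the snippets posted in this thread.
WEB_CONFIG = """<configuration><location path="premium.aspx">
  <system.web><authorization>
    <allow roles="premium" /><deny users="*" />
  </authorization></system.web></location></configuration>"""
SITEMAP = """<siteMap><siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" roles="premium">
    <siteMapNode title="Blog" url="blog.aspx" />
    <siteMapNode title="Premium" url="premium.aspx" />
  </siteMapNode>
</siteMapNode></siteMap>"""

def _names(value):
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def _local(el):
    return el.tag.split("}")[-1]  # ignore an xmlns if the file declares one

def location_rules(config_xml):
    """Map each <location path> to its ordered (verb, users, roles) rules."""
    rules = {}
    for loc in (e for e in ET.fromstring(config_xml).iter() if _local(e) == "location"):
        rules[loc.get("path", "").lower()] = [
            (_local(r), _names(r.get("users")), _names(r.get("roles")))
            for r in loc.iter() if _local(r) in ("allow", "deny")]
    return rules

def is_allowed(rules, roles=(), authenticated=True):
    """First matching rule wins; if none matches, the inherited default allows."""
    mine = {r.lower() for r in roles}
    for verb, users, rule_roles in rules:
        if "*" in users or ("?" in users and not authenticated) or rule_roles & mine:
            return verb == "allow"
    return True

def unprotected_restricted_urls(sitemap_xml, config_xml):
    """Pages under a roles-limited sitemap node that a role-less user may request."""
    rules, findings = location_rules(config_xml), set()
    def walk(node, restricted):
        restricted = restricted or node.get("roles") not in (None, "", "*")
        page = (node.get("url") or "").split("?")[0].lower()
        if page and restricted and is_allowed(rules.get(page, [])):
            findings.add(page)
        for child in node:
            walk(child, restricted)
    walk(ET.fromstring(sitemap_xml), False)
    return sorted(findings)
```

Calling `unprotected_restricted_urls(SITEMAP, WEB_CONFIG)` on the sample reports `blog.aspx`: it is hidden from the menu by the parent node's roles attribute, but no location tag stops a direct request for it.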