ASP.NET Role Authorization Override

Discussion in 'ASP .Net Security' started by Mike, Jun 9, 2009.

  1. Mike

    Mike Guest

    Hello,

    I am having difficulty achieving a result I expected to be very easy with
    ASP.NET role authorization. I would like to set a site-wide authorization
    policy where only members of a certain role may access any page in the site,
    but I would like to suspend this authorization policy for *one* single page in
    the site, so that any authenticated user may access the page, no matter which
    role they are assigned to or even if they have no roles.

    I have tried using a <location> element to turn off role authorization for
    the single page, but it doesn't seem to have any effect. Authenticated users
    without the proper role that try to access the unrestricted page are prompted
    over and over again to log in, which indicates that a role is still needed
    for the page. How can I override the site-wide role authorization requirement
    and turn it off for the one page?

    TIA,
    -Mike
     
    Mike, Jun 9, 2009
    #1

  2. Joe Kaplan

    Joe Kaplan Guest

    Perhaps you could show the markup from the web.config? There may be an
    error in your location tag usage that is preventing it from giving you the
    desired results.

    An alternate approach would be to handle the "Authenticate" event in
    global.asax, check for a request for the specific excluded page and use the
    SkipAuthorization property on HttpContext to override the behavior of the
    UrlAuthorizationModule (the <allow><deny> tags in web.config). This
    approach is a bit dangerous because you need to do matching on the URL which
    can lead to security issues if you have any problems with your string
    matching and it may be harder to maintain, but sometimes you need the extra
    flexibility the code solution gives you.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "Mike" <> wrote in message
    news:...
    > Hello,
    >
    > I am having difficulty achieving a result I expected to be very easy with
    > ASP.NET role authorization. I would like to set a site-wide authorization
    > policy where only members of a certain role may access any page in the
    > site,
    > but I would like to suspend this authorization policy for *one* single page
    > in
    > the site, so that any authenticated user may access the page, no matter
    > which
    > role they are assigned to or even if they have no roles.
    >
    > I have tried using a <location> element to turn off role authorization for
    > the single page, but it doesn't seem to have any effect. Authenticated
    > users
    > without the proper role that try to access the unrestricted page are
    > prompted
    > over and over again to log in, which indicates that a role is still needed
    > for the page. How can I override the site-wide role authorization
    > requirement
    > and turn it off for the one page?
    >
    > TIA,
    > -Mike
     
    Joe Kaplan, Jun 9, 2009
    #2

  3. Mike

    Mike Guest

    Joe,

    Thanks for the suggestion. The markup from the web.config file is as follows:

    <!-- site-wide authorization: only allow Administrators access -->
    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
               slidingExpiration="true" protection="All" />
      </authentication>
      <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
      </authorization>
    </system.web>

    <!-- location override: let any authenticated user access the EditUser page -->
    <location path="Users/EditUser.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>

    As you can see, my approach was to limit access by role site-wide, but then
    for the page I wanted an exclusion for, simply restrict anonymous users from
    accessing it, which I thought would be logically equivalent to allowing any
    authenticated user, irrespective of role, access it. Perhaps this is not how
    ASP.NET interprets it, and this may be the disjuncture. Maybe the <location>
    element isn't viewed as an override on the <authorization> element, since it
    isn't explicitly specified. That being the case, how does one turn it off in
    a sub-directory?

    I'd like to establish this policy via configuration versus code, if
    possible. I'd be quite surprised if there wasn't a way to achieve what I'm
    trying to do, given how simple it seems: make every page in the site require
    Administrators membership except for 1 page, which would only require user
    authentication.

    Thanks again,
    -Mike

    "Joe Kaplan" wrote:

    > Perhaps you could show the markup from the web.config? There may be an
    > error in your location tag usage that is preventing it from giving you the
    > desired results.
    >
    > An alternate approach would be to handle the "Authenticate" event in
    > global.asax, check for a request for the specific excluded page and use the
    > SkipAuthorization property on HttpContext to override the behavior of the
    > UrlAuthorizationModule (the <allow><deny> tags in web.config). This
    > approach is a bit dangerous because you need to do matching on the URL which
    > can lead to security issues if you have any problems with your string
    > matching and it may be harder to maintain, but sometimes you need the extra
    > flexibility the code solution gives you.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "Mike" <> wrote in message
    > news:...
    > > Hello,
    > >
    > > I am having difficulty achieving a result I expected to be very easy with
    > > ASP.NET role authorization. I would like to set a site-wide authorization
    > > policy where only members of a certain role may access any page in the
    > > site,
    > > but I would like to suspend this authorization policy for *one* single page
    > > in
    > > the site, so that any authenticated user may access the page, no matter
    > > which
    > > role they are assigned to or even if they have no roles.
    > >
    > > I have tried using a <location> element to turn off role authorization for
    > > the single page, but it doesn't seem to have any effect. Authenticated
    > > users
    > > without the proper role that try to access the unrestricted page are
    > > prompted
    > > over and over again to log in, which indicates that a role is still needed
    > > for the page. How can I override the site-wide role authorization
    > > requirement
    > > and turn it off for the one page?
    > >
    > > TIA,
    > > -Mike

    >
    >
     
    Mike, Jun 9, 2009
    #3
  4. Jesse Houwing

    Hello Mike,

    Add a specific Allow users tag to the location specific rule, otherwise there's
    only deny rules in the whole set that applies to this location.

    Jesse

    > Joe,
    >
    > Thanks for the suggestion. The markup from the web.config file is as
    > follows:
    >
    > <!-- site-wide authorization: only allow Administrators access -->
    > <system.web>
    > <authentication mode="Forms">
    > <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
    > slidingExpiration="true" protection="All" />
    > </authentication>
    > <authorization>
    > <allow roles="Administrators"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > <!-- location override: let any authenticated user access the EditUser
    > page
    > -->
    > <location path="Users/EditUser.aspx">
    > <system.web>
    > <authorization>
    > <deny users="?"/>
    > </authorization>
    > </system.web>
    > </location>
    > As you can see, my approach was to limit access by role site-wide, but
    > then for the page I wanted an exclusion for, simply restrict anonymous
    > users from accessing it, which I thought would be logically equivalent
    > to allowing any authenticated user, irrespective of role, access it.
    > Perhaps this is not how ASP.NET interprets it, and this may be the
    > disjuncture. Maybe the <location> element isn't viewed as an override
    > on the <authorization> element, since it isn't explicitly specified.
    > That being the case, how does one turn it off in a sub-directory?
    >
    > I'd like to establish this policy via configuration versus code, if
    > possible. I'd be quite surprised if there wasn't a way to achieve what
    > I'm trying to do, given how simple it seems: make every page in the
    > site require Administrators membership except for 1 page, which would
    > only require user authentication.
    >
    > Thanks again,
    > -Mike
    > "Joe Kaplan" wrote:
    >
    >> Perhaps you could show the markup from the web.config? There may be
    >> an error in your location tag usage that is preventing it from giving
    >> you the desired results.
    >>
    >> An alternate approach would be to handle the "Authenticate" event in
    >> global.asax, check for a request for the specific excluded page and
    >> use the SkipAuthorization property on HttpContext to override the
    >> behavior of the UrlAuthorizationModule (the <allow><deny> tags in
    >> web.config). This approach is a bit dangerous because you need to do
    >> matching on the URL which can lead to security issues if you have any
    >> problems with your string matching and it may be harder to maintain,
    >> but sometimes you need the extra flexibility the code solution gives
    >> you.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "Mike" <> wrote in message
    >> news:...
    >>> Hello,
    >>>
    >>> I am having difficulty achieving a result I expected to be very easy
    >>> with
    >>> ASP.NET role authorization. I would like to set a site-wide
    >>> authorization
    >>> policy where only members of a certain role may access any page in
    >>> the
    >>> site,
    >>> but I would like to suspend this authorization policy for *one* single
    >>> page
    >>> in
    >>> the site, so that any authenticated user may access the page, no
    >>> matter
    >>> which
    >>> role they are assigned to or even if they have no roles.
    >>> I have tried using a <location> element to turn off role
    >>> authorization for
    >>> the single page, but it doesn't seem to have any effect.
    >>> Authenticated
    >>> users
    >>> without the proper role that try to access the unrestricted page are
    >>> prompted
    >>> over and over again to log in, which indicates that a role is still
    >>> needed
    >>> for the page. How can I override the site-wide role authorization
    >>> requirement
    >>> and turn it off for the one page?
    >>> TIA,
    >>> -Mike

    --
    Jesse Houwing
    jesse.houwing at sogeti.nl
     
    Jesse Houwing, Jun 9, 2009
    #4
  5. Mike

    Mike Guest

    Thanks Jesse, your advice seems to have gotten me past this hurdle. It's odd,
    because I could have sworn that I had tried this already. Below is the
    updated <location> element that appears to have done the trick:

    <location path="Users/EditUser.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
          <allow users="*"/> <!-- this resets the parent role auth, I guess? -->
        </authorization>
      </system.web>
    </location>

    Thanks once again to Jesse and Joe for their help.

    -Mike

    "Jesse Houwing" wrote:

    > Hello Mike,
    >
    > Add a specific Allow users tag to the location specific rule, otherwise there's
    > only deny rules in the whole set that applies to this location.
    >
    > Jesse
    >
    > > Joe,
    > >
    > > Thanks for the suggestion. The markup from the web.config file is as
    > > follows:
    > >
    > > <!-- site-wide authorization: only allow Administrators access -->
    > > <system.web>
    > > <authentication mode="Forms">
    > > <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
    > > slidingExpiration="true" protection="All" />
    > > </authentication>
    > > <authorization>
    > > <allow roles="Administrators"/>
    > > <deny users="*"/>
    > > </authorization>
    > > </system.web>
    > > <!-- location override: let any authenticated user access the EditUser
    > > page
    > > -->
    > > <location path="Users/EditUser.aspx">
    > > <system.web>
    > > <authorization>
    > > <deny users="?"/>
    > > </authorization>
    > > </system.web>
    > > </location>
    > > As you can see, my approach was to limit access by role site-wide, but
    > > then for the page I wanted an exclusion for, simply restrict anonymous
    > > users from accessing it, which I thought would be logically equivalent
    > > to allowing any authenticated user, irrespective of role, access it.
    > > Perhaps this is not how ASP.NET interprets it, and this may be the
    > > disjuncture. Maybe the <location> element isn't viewed as an override
    > > on the <authorization> element, since it isn't explicitly specified.
    > > That being the case, how does one turn it off in a sub-directory?
    > >
    > > I'd like to establish this policy via configuration versus code, if
    > > possible. I'd be quite surprised if there wasn't a way to achieve what
    > > I'm trying to do, given how simple it seems: make every page in the
    > > site require Administrators membership except for 1 page, which would
    > > only require user authentication.
    > >
    > > Thanks again,
    > > -Mike
    > > "Joe Kaplan" wrote:
    > >
    > >> Perhaps you could show the markup from the web.config? There may be
    > >> an error in your location tag usage that is preventing it from giving
    > >> you the desired results.
    > >>
    > >> An alternate approach would be to handle the "Authenticate" event in
    > >> global.asax, check for a request for the specific excluded page and
    > >> use the SkipAuthorization property on HttpContext to override the
    > >> behavior of the UrlAuthorizationModule (the <allow><deny> tags in
    > >> web.config). This approach is a bit dangerous because you need to do
    > >> matching on the URL which can lead to security issues if you have any
    > >> problems with your string matching and it may be harder to maintain,
    > >> but sometimes you need the extra flexibility the code solution gives
    > >> you.
    > >>
    > >> --
    > >> Joe Kaplan-MS MVP Directory Services Programming
    > >> Co-author of "The .NET Developer's Guide to Directory Services
    > >> Programming"
    > >> http://www.directoryprogramming.net
    > >> "Mike" <> wrote in message
    > >> news:...
    > >>> Hello,
    > >>>
    > >>> I am having difficulty achieving a result I expected to be very easy
    > >>> with
    > >>> ASP.NET role authorization. I would like to set a site-wide
    > >>> authorization
    > >>> policy where only members of a certain role may access any page in
    > >>> the
    > >>> site,
    > >>> but I would like to suspend this authorization policy for *one* single
    > >>> page
    > >>> in
    > >>> the site, so that any authenticated user may access the page, no
    > >>> matter
    > >>> which
    > >>> role they are assigned to or even if they have no roles.
    > >>> I have tried using a <location> element to turn off role
    > >>> authorization for
    > >>> the single page, but it doesn't seem to have any effect.
    > >>> Authenticated
    > >>> users
    > >>> without the proper role that try to access the unrestricted page are
    > >>> prompted
    > >>> over and over again to log in, which indicates that a role is still
    > >>> needed
    > >>> for the page. How can I override the site-wide role authorization
    > >>> requirement
    > >>> and turn it off for the one page?
    > >>> TIA,
    > >>> -Mike

    > --
    > Jesse Houwing
    > jesse.houwing at sogeti.nl
    >
    >
    >
     
    Mike, Jun 9, 2009
    #5
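Why Jesse's one extra line is what fixes this, shown as an added example (an editor's illustration, not code from the thread or from ASP.NET itself): ASP.NET's UrlAuthorizationModule puts the rules of the most specific matching <location> ahead of the site-wide <authorization> rules and stops at the first rule that matches the user. With only <deny users="?"/> in the location, an authenticated user who is not an Administrator matches nothing there and falls through to the site-wide <deny users="*"/>, which is exactly the "prompted over and over to log in" symptom Mike saw. The script below models that merge-then-first-match evaluation over Mike's before and after configs, and over a constructed third config with the two location rules in the opposite order, which is the failure mode to watch for: an <allow users="*"/> placed before <deny users="?"/> opens the page to anonymous requests. The User class, the path matching and the trimmed configs are the example's own simplifications; verbs= and the per-directory web.config chain are left out.

```python
"""Simplified model of how ASP.NET's UrlAuthorizationModule merges and evaluates
<authorization> rules (constructed example, not ASP.NET's own code): matching
<location> rules first, then site-wide; first match wins; no match means allow."""
from __future__ import annotations
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Mike's original web.config from the thread, trimmed to the authorization parts.
CONFIG_BEFORE = """<configuration>
  <system.web>
    <authorization>
      <allow roles="Administrators"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="Users/EditUser.aspx">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

# Jesse's fix: an explicit allow-all placed after the anonymous deny.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    '<deny users="?"/>', '<deny users="?"/>\n        <allow users="*"/>')

# Constructed failure mode: the same two rules in the opposite order.
CONFIG_WRONG_ORDER = CONFIG_BEFORE.replace(
    '<deny users="?"/>', '<allow users="*"/>\n        <deny users="?"/>')


@dataclass(frozen=True)
class User:
    name: str | None = None             # None models an anonymous request
    roles: frozenset[str] = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def _split(attr: str | None) -> list[str]:
    return [x.strip() for x in (attr or "").split(",") if x.strip()]


def _rules_in(system_web: ET.Element | None) -> list[tuple[str, list[str], list[str]]]:
    auth = None if system_web is None else system_web.find("authorization")
    if auth is None:
        return []
    return [(r.tag, _split(r.get("users")), _split(r.get("roles")))
            for r in auth if r.tag in ("allow", "deny")]


def _location_matches(location_path: str, request_path: str) -> bool:
    # <location path> names a file or directory relative to the config's folder.
    lp, rp = location_path.strip("/").lower(), request_path.strip("/").lower()
    return bool(lp) and (rp == lp or rp.startswith(lp + "/"))


def effective_rules(config_xml: str, request_path: str) -> list[tuple[str, list[str], list[str]]]:
    """Merged rules in evaluation order: most specific <location> first, site-wide last."""
    root = ET.fromstring(config_xml)
    matching = [loc for loc in root.findall("location")
                if _location_matches(loc.get("path", ""), request_path)]
    merged = []
    for loc in sorted(matching, key=lambda loc: -len(loc.get("path", ""))):
        merged.extend(_rules_in(loc.find("system.web")))
    merged.extend(_rules_in(root.find("system.web")))
    return merged


def _matches(rule, user: User) -> bool:
    _, users, roles = rule
    for u in users:
        if u == "*":                                   # everyone, anonymous included
            return True
        if u == "?" and not user.is_authenticated:     # anonymous requests only
            return True
        if user.is_authenticated and u.lower() == user.name.lower():
            return True
    return user.is_authenticated and any(r in user.roles for r in roles)


def evaluate(config_xml: str, request_path: str, user: User) -> tuple[bool, str]:
    """Return (allowed, deciding rule); the first matching rule wins."""
    for verb, users, roles in effective_rules(config_xml, request_path):
        if _matches((verb, users, roles), user):
            return verb == "allow", f'<{verb} users="{",".join(users)}" roles="{",".join(roles)}"/>'
    return True, "no rule matched (root web.config allows *)"


if __name__ == "__main__":
    for who, user in ("anonymous", User()), ("bob, no roles", User("bob")):
        for label, cfg in ("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("wrong order", CONFIG_WRONG_ORDER):
            allowed, why = evaluate(cfg, "Users/EditUser.aspx", user)
            print(f"{label:<12}{who:<14}{'ALLOW' if allowed else 'DENY':<6} via {why}")
```

Running it prints the decision and the deciding rule for each user and config; evaluate() returns the same pair so the behaviour can be asserted in a test. The "wrong order" rows are the check worth keeping in mind whenever a <location> override is edited: the relative order of allow and deny within one <authorization> block is the policy, not just the set of rules.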
