BUG: Server.Execute ignores web.config <location> role permissions

Discussion in 'ASP .Net Security' started by Paul, Mar 11, 2005.

  1. Paul

    Paul Guest

    I have an intranet site that uses authentication mode="Windows" with
    identity impersonate="true". I recently implemented a site search
    feature that uses Server.Execute to retrieve dynamic content for the
    search. Unfortunately, Server.Execute retrieves pages that the user
    cannot access. The pages appear in the search results with the found
    terms highlighted in context. Rut-roh! So much for security. When the
    user clicks the link to see the page located by the search, they get
    the custom access denied page, but they've already seen some content
    that they were not authorized to see.

    The workarounds I have come up with are not elegant.
    Paul, Mar 11, 2005
    #1

  2. Paul

    Paul Guest

    As a workaround, before I call Server.Execute I now check to see if
    there is a location entry in web.config for the path/file. If there is,
    I call User.IsInRole against the listed roles in any allow or deny
    lists found.
    Paul, Mar 14, 2005
    #2
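
The pre-check described in post #2, sketched as an added example (not code from the thread): before a page is passed to Server.Execute, find the `<location>` entry that covers it and walk its allow/deny rules in order with `IPrincipal.IsInRole`. The class and method names are hypothetical. It assumes a single web.config without an XML namespace, app-relative paths such as `hr/salaries.aspx`, no `verbs` attributes, and it skips the page when no rule matches instead of falling through to inherited configuration.

```csharp
using System;
using System.Security.Principal;
using System.Xml;

// Added illustration; class and method names are hypothetical.
public static class LocationAccessCheck
{
    // True when the most specific <location> entry covering pagePath lets the user in.
    public static bool IsAllowed(XmlDocument config, string pagePath, IPrincipal user)
    {
        XmlElement best = null;
        foreach (XmlElement loc in config.SelectNodes("/configuration/location"))
        {
            string p = loc.GetAttribute("path").Trim('/');
            bool covers = p.Length > 0 && (pagePath.Equals(p, StringComparison.OrdinalIgnoreCase)
                || pagePath.StartsWith(p + "/", StringComparison.OrdinalIgnoreCase));
            if (covers && (best == null || p.Length > best.GetAttribute("path").Trim('/').Length))
                best = loc; // a file entry beats the folder entry above it
        }
        if (best == null) return true; // no <location> entry for this page in this file
        foreach (XmlNode n in best.SelectNodes("system.web/authorization/*"))
        {
            if (n.Name != "allow" && n.Name != "deny") continue;
            if (Matches((XmlElement)n, user)) return n.Name == "allow"; // first matching rule wins
        }
        return false; // assumption: fail closed when no rule matches
    }

    // A rule matches on users="*", users="?" (anonymous), a listed user name, or a listed role.
    static bool Matches(XmlElement rule, IPrincipal user)
    {
        foreach (string raw in rule.GetAttribute("users").Split(','))
        {
            string u = raw.Trim();
            if (u == "*" || (u == "?" && !user.Identity.IsAuthenticated)) return true;
            if (u.Length > 0 && u.Equals(user.Identity.Name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        foreach (string raw in rule.GetAttribute("roles").Split(','))
            if (raw.Trim().Length > 0 && user.IsInRole(raw.Trim())) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample: one protected folder and a user who lacks the required role.
        XmlDocument cfg = new XmlDocument();
        cfg.LoadXml("<configuration><location path='hr'><system.web><authorization>"
            + "<allow roles='CORP\\HR'/><deny users='*'/></authorization></system.web></location></configuration>");
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("CORP\\alice"), new[] { "CORP\\Staff" });
        foreach (string page in new[] { "hr/salaries.aspx", "news.aspx" })
            Console.WriteLine(page + " -> " + (IsAllowed(cfg, page, alice) ? "execute" : "skip"));
    }
}
```

In the search indexer the same call would take `Context.User` as the principal, so a page is only executed and excerpted for a user the rules admit.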