check if user is the one specified in <location path="...

Discussion in 'ASP .Net Security' started by zino66, Mar 10, 2010.

  1. zino66

    zino66 Guest

    In an intranet asp.net application I have the following in the web config:

    <authentication mode="Windows" />

    <location path="AdministrationFolder">
    <system.web>
    <authorization>
    <allow users="John"/>
    <allow users="David"/>
    <allow users="Eric"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>

    The "Default.aspx" page is accessible to everybody.
    I have a link <a href=Administration.aspx>Administration</a> on this page,
    which I need it to be visible only if the user is one of those specified in
    "<location path=....>" (If user = in (John, David, Eric) then, display the
    link.)



    How can I check if the logged user is one of the mentioned users above ?
     
    zino66, Mar 10, 2010
    #1
    1. Advertising

  2. zino66

    Joe Kaplan Guest

    The identity information that the UrlAuthorizationModule (the thing taht
    consumes that particular piece of XML web.config) examines the
    HttpContext.User property, specifically the .Identity.Name property and the
    ..IsInRole method to compare against user name and role membership, so you
    can do the same thing programmatically in your code to conditionally display
    specific markup.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "zino66" <> wrote in message
    news:...
    > In an intranet asp.net application I have the following in the web config:
    >
    > <authentication mode="Windows" />
    >
    > <location path="AdministrationFolder">
    > <system.web>
    > <authorization>
    > <allow users="John"/>
    > <allow users="David"/>
    > <allow users="Eric"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    >
    > The "Default.aspx" page is accessible to everybody.
    > I have a link <a href=Administration.aspx>Administration</a> on this page,
    > which I need it to be visible only if the user is one of those specified
    > in
    > "<location path=....>" (If user = in (John, David, Eric) then, display
    > the
    > link.)
    >
    >
    >
    > How can I check if the logged user is one of the mentioned users above ?
    >
    >
     
    Joe Kaplan, Mar 10, 2010
    #2
    1. Advertising

  3. zino66

    zino66 Guest

    now I'm able to check the logged user name, but I need to compare it to the
    one stored in <location path=....
    <allow users='john'........

    so, in the "Default.aspx" page, which is available to anybody (not only
    'John',....),
    I wrote:
    Dim _as_ As Web.Configuration.AuthorizationSection =
    Web.Configuration.WebConfigurationManager.GetSection("system.web/authorization", "~/Administration")

    but I'm getting this error:
    "The attribute 'users' has been locked in a higher level configuration"

    I understand that accessing the config file in an already protected folder
    from an unprotected page sound non-sense, but is there a way to work around
    this ?

    thanks for help


    "Joe Kaplan" wrote:

    > The identity information that the UrlAuthorizationModule (the thing taht
    > consumes that particular piece of XML web.config) examines the
    > HttpContext.User property, specifically the .Identity.Name property and the
    > ..IsInRole method to compare against user name and role membership, so you
    > can do the same thing programmatically in your code to conditionally display
    > specific markup.
    >
    > --
    > Joe Kaplan-MS MVP Directory Services Programming
    > Co-author of "The .NET Developer's Guide to Directory Services Programming"
    > http://www.directoryprogramming.net
    > "zino66" <> wrote in message
    > news:...
    > > In an intranet asp.net application I have the following in the web config:
    > >
    > > <authentication mode="Windows" />
    > >
    > > <location path="AdministrationFolder">
    > > <system.web>
    > > <authorization>
    > > <allow users="John"/>
    > > <allow users="David"/>
    > > <allow users="Eric"/>
    > > <deny users="*"/>
    > > </authorization>
    > > </system.web>
    > > </location>
    > >
    > > The "Default.aspx" page is accessible to everybody.
    > > I have a link <a href=Administration.aspx>Administration</a> on this page,
    > > which I need it to be visible only if the user is one of those specified
    > > in
    > > "<location path=....>" (If user = in (John, David, Eric) then, display
    > > the
    > > link.)
    > >
    > >
    > >
    > > How can I check if the logged user is one of the mentioned users above ?
    > >
    > >

    >
    > .
    >
     
    zino66, Mar 11, 2010
    #3
  4. zino66

    Joe Kaplan Guest

    If I were solving the problem, I'd approach it differently.

    I'd create a mechanism to put these users in a role called "Admin" or
    something like that and then hard code the configuration section and your
    security trimming UI code to just check that.

    To generate a role for a user on the fly, you can hook the authenticate
    event in global.asax (or something similar) and just issue an new
    GenericPrincipal for the authenticated user that add specific users to a
    role. You can create a custom configuration value of your own choosing to
    determine which users are in the admin role or not.

    I'm not sure what the recommended method to read the configuration file
    directly is but it seems that ASP.NET does not want you doing it the way you
    are trying right now. :)

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    "zino66" <> wrote in message
    news:...
    > now I'm able to check the logged user name, but I need to compare it to
    > the
    > one stored in <location path=....
    > <allow users='john'........
    >
    > so, in the "Default.aspx" page, which is available to anybody (not only
    > 'John',....),
    > I wrote:
    > Dim _as_ As Web.Configuration.AuthorizationSection =
    > Web.Configuration.WebConfigurationManager.GetSection("system.web/authorization",
    > "~/Administration")
    >
    > but I'm getting this error:
    > "The attribute 'users' has been locked in a higher level configuration"
    >
    > I understand that accessing the config file in an already protected folder
    > from an unprotected page sound non-sense, but is there a way to work
    > around
    > this ?
    >
    > thanks for help
    >
    >
    > "Joe Kaplan" wrote:
    >
    >> The identity information that the UrlAuthorizationModule (the thing taht
    >> consumes that particular piece of XML web.config) examines the
    >> HttpContext.User property, specifically the .Identity.Name property and
    >> the
    >> ..IsInRole method to compare against user name and role membership, so
    >> you
    >> can do the same thing programmatically in your code to conditionally
    >> display
    >> specific markup.
    >>
    >> --
    >> Joe Kaplan-MS MVP Directory Services Programming
    >> Co-author of "The .NET Developer's Guide to Directory Services
    >> Programming"
    >> http://www.directoryprogramming.net
    >> "zino66" <> wrote in message
    >> news:...
    >> > In an intranet asp.net application I have the following in the web
    >> > config:
    >> >
    >> > <authentication mode="Windows" />
    >> >
    >> > <location path="AdministrationFolder">
    >> > <system.web>
    >> > <authorization>
    >> > <allow users="John"/>
    >> > <allow users="David"/>
    >> > <allow users="Eric"/>
    >> > <deny users="*"/>
    >> > </authorization>
    >> > </system.web>
    >> > </location>
    >> >
    >> > The "Default.aspx" page is accessible to everybody.
    >> > I have a link <a href=Administration.aspx>Administration</a> on this
    >> > page,
    >> > which I need it to be visible only if the user is one of those
    >> > specified
    >> > in
    >> > "<location path=....>" (If user = in (John, David, Eric) then, display
    >> > the
    >> > link.)
    >> >
    >> >
    >> >
    >> > How can I check if the logged user is one of the mentioned users above
    >> > ?
    >> >
    >> >

    >>
    >> .
    >>
     
    Joe Kaplan, Mar 12, 2010
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kiki
    Replies:
    2
    Views:
    538
    kiki christie
    Jul 13, 2004
  2. Himanshu Singh Chauhan

    Reading specified Location

    Himanshu Singh Chauhan, Nov 30, 2003, in forum: C Programming
    Replies:
    3
    Views:
    393
    CBFalconer
    Nov 30, 2003
  3. Maciej Sobczak
    Replies:
    9
    Views:
    559
    Roger Binns
    Apr 25, 2004
  4. Samuel Shulman

    Link to a specified location within a page

    Samuel Shulman, Oct 31, 2006, in forum: ASP .Net
    Replies:
    2
    Views:
    280
    Samuel Shulman
    Oct 31, 2006
  5. Alessandro
    Replies:
    5
    Views:
    577
    Alessandro
    Sep 27, 2010
Loading...

Share This Page