Custom RoleProvider + <allow roles> not working

Discussion in 'ASP .Net Security' started by SJ, Feb 21, 2006.

  1. SJ

    SJ Guest

    I am trying to use a custom role provider (along with custom
    membership/profile providers) to secure some sections of our
    website. For testing purposes I have implemented a very basic role
    provider as shown in the code below. In the website I have test.aspx
    under secure folder and I use <location> element in web.config to
    restrict access to this page to only 'Admin' roles. When this page is
    accessed in the browser, login page shows up but after login all users
    are allowed to access this page irrespective of their roles.

    Any help on why this is happening is highly appreciated.

    Role Provider:
    ===========

    public class MyRoleProvider : RoleProvider
    {
        public override string[] GetRolesForUser(string username)
        {
            if (username == "")
                return new string[] { "Admin" };
            else
                return new string[] { "PowerUser" };
        }

        . . .
    }



    Web.Config Location Element:
    =======================
    <location path="Secure/test.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
          <allow roles="Admin"/>
        </authorization>
      </system.web>
    </location>

    Web.Config RoleProvider configuration
    =============================
    <roleManager defaultProvider="TestRoleProvider" enabled="true">
      <providers>
        <add name="TestRoleProvider" type="MyRoleProvider" description="Test role provider"/>
      </providers>
    </roleManager>

    ---------
    I notice GetRolesForUser being called after login and returning
    'PowerUser' for username that is not ''. But test.aspx
    gets displayed after that without any kind of access denied msg.

    Thanks in advance,
    Seetha
    SJ, Feb 21, 2006
    #1

  2. SJ

    MikeS Guest

    Here you are saying deny unauthenticated users but if they logged in
    they are authenticated and so pass the test.

    <deny users="?"/>
    <allow roles="Admin"/>

    You want your allows before your denies because the first rule that
    matches wins so maybe try:

    <allow roles="Admin"/>
    <deny users="*"/>
    MikeS, Feb 22, 2006
    #2
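
The first-match behaviour described in the reply above, as an added example that is not part of the original thread and is not ASP.NET's own code. It is a simplified model: the `Rule` and `UrlAuthModel` types and the user name `alice` are constructed for illustration, and it assumes the inherited configuration ends with `<allow users="*"/>`, which is why a non-matching user falls through to "allowed" under the original rules.

```csharp
using System;
using System.Linq;

// Simplified model of URL authorization rule matching (not framework code).
class Rule
{
    public bool Allow;      // true for <allow>, false for <deny>
    public string Users;    // "*", "?", a user name, or null
    public string Roles;    // a single role name, or null
}

static class UrlAuthModel
{
    // Assumption: the inherited configuration ends with <allow users="*"/>.
    static readonly Rule Inherited = new Rule { Allow = true, Users = "*" };

    static bool Matches(Rule r, string user, string[] roles)
    {
        if (r.Users == "*") return true;                        // everyone
        if (r.Users == "?") return string.IsNullOrEmpty(user);  // anonymous only
        if (r.Users != null) return r.Users == user;
        return r.Roles != null && roles.Contains(r.Roles);
    }

    // Rules from the <location> element are checked first, then inherited ones;
    // the first rule that matches decides the outcome.
    public static bool IsAllowed(Rule[] locationRules, string user, string[] roles)
    {
        foreach (Rule r in locationRules.Concat(new[] { Inherited }))
            if (Matches(r, user, roles)) return r.Allow;
        return false;
    }
}

static class Program
{
    static void Main()
    {
        var original = new[] { new Rule { Allow = false, Users = "?" },
                               new Rule { Allow = true, Roles = "Admin" } };
        var corrected = new[] { new Rule { Allow = true, Roles = "Admin" },
                                new Rule { Allow = false, Users = "*" } };
        string[] powerUser = { "PowerUser" }, admin = { "Admin" }, none = { };

        Console.WriteLine("original,  PowerUser: " + UrlAuthModel.IsAllowed(original, "alice", powerUser));
        Console.WriteLine("corrected, PowerUser: " + UrlAuthModel.IsAllowed(corrected, "alice", powerUser));
        Console.WriteLine("corrected, Admin:     " + UrlAuthModel.IsAllowed(corrected, "alice", admin));
        Console.WriteLine("corrected, anonymous: " + UrlAuthModel.IsAllowed(corrected, "", none));
    }
}
```

Under the original rules the authenticated PowerUser matches neither location rule and is let in by the inherited allow; under the corrected rules the trailing `<deny users="*"/>` catches every user who is not in the Admin role, including anonymous ones.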

  3. SJ

    SJ Guest

    Thank you very much. That fixed it.

    When the users are denied access they are taken back to the login page
    and I am unable to trap the 'Access Denied' error to display a custom
    error page. I tried trapping it on Application_Error and with
    <customErrors> in web.config and couldn't get it.

    Is there a way to trap this 'Access denied' error when the user is not
    in a specific role?

    Thanks
    Seetha
    SJ, Feb 22, 2006
    #3
  4. SJ

    MikeS Guest

    Perhaps not link to pages they are not allowed to see in the first
    place.
    Otherwise look around this group and the web for that topic.
    MikeS, Feb 22, 2006
    #4
