I am trying to use a custom role provider (along with custom
membership/profile providers) to secure some sections of our
website. For testing purposes I have implemented a very basic role
provider as shown in the code below. In the website I have test.aspx
under secure folder and I use <location> element in web.config to
restrict access to this page to only 'Admin' roles. When this page is
accessed in the browser, login page shows up but after login all users
are allowed to access this page irrespective of their roles.
Any help on why this is happening is highly appreciated.
Role Provider:
===========
    using System.Web.Security;

    public class MyRoleProvider : RoleProvider
    {
        // Test stub: one hard-coded user is "Admin", everyone else is "PowerUser".
        public override string[] GetRolesForUser(string username)
        {
            if (username == "(e-mail address removed)")
                return new string[] { "Admin" };
            else
                return new string[] { "PowerUser" };
        }
        . . .
    }
Web.Config Location Element:
=======================
    <location path="Secure/test.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
          <allow roles="Admin"/>
        </authorization>
      </system.web>
    </location>
Web.Config RoleProvider configuration
=============================
    <roleManager defaultProvider="TestRoleProvider" enabled="true">
      <providers>
        <add name="TestRoleProvider" type="MyRoleProvider" description="Test role provider"/>
      </providers>
    </roleManager>
---------
I notice GetRolesForUser being called after login and returning
'PowerUser' for username that is not '(e-mail address removed)'. But test.aspx
gets displayed after that without any kind of access denied msg.
Thanks in advance,
Seetha
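
An added example, not part of the original post or of any project's code: a simplified C# model of how ASP.NET URL authorization walks `<allow>`/`<deny>` rules (first match decides, with the inherited default `<allow users="*"/>` evaluated last), run against the rules posted above and against the same list with `<deny users="*"/>` appended. The `Rule` record, the `UrlAuthModel` class and the example.test user names are constructed for illustration, and the code assumes .NET 5 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of URL authorization rule matching (illustrative only).
// user == "" stands for an anonymous request; Users/Roles == "" means unset.
record Rule(bool Allow, string Users, string Roles);

static class UrlAuthModel
{
    static bool Matches(Rule r, string user, string[] roles)
    {
        if (r.Roles != "") return roles.Contains(r.Roles);
        if (r.Users == "*") return true;          // every user
        if (r.Users == "?") return user == "";    // anonymous only
        return r.Users == user;                   // a named user
    }

    // First matching rule decides; the inherited default allow comes last.
    public static bool IsAllowed(IEnumerable<Rule> rules, string user, string[] roles)
    {
        var inheritedDefault = new Rule(true, "*", "");
        foreach (var r in rules.Append(inheritedDefault))
            if (Matches(r, user, roles)) return r.Allow;
        return false; // not reached: the default rule matches everyone
    }

    static void Main()
    {
        // Rules as posted for Secure/test.aspx.
        var posted = new List<Rule> {
            new Rule(false, "?", ""),      // <deny users="?"/>
            new Rule(true, "", "Admin"),   // <allow roles="Admin"/>
        };
        // Same rules with an explicit catch-all deny appended: <deny users="*"/>
        var tightened = new List<Rule>(posted) { new Rule(false, "*", "") };

        // Constructed sample users.
        var cases = new (string Label, string User, string[] Roles)[] {
            ("anonymous", "", new string[0]),
            ("PowerUser", "user@example.test", new[] { "PowerUser" }),
            ("Admin", "admin@example.test", new[] { "Admin" }),
        };
        foreach (var c in cases)
            Console.WriteLine($"{c.Label}: posted={IsAllowed(posted, c.User, c.Roles)}, " +
                              $"tightened={IsAllowed(tightened, c.User, c.Roles)}");
    }
}
```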