Regarding ASP.NET Web Application

Discussion in 'ASP .Net Security' started by anbaesivam, Feb 18, 2009.

  1. anbaesivam

    anbaesivam Guest

    I need to develop an ASP.NET web application. The application will be
    accessed by normal users and administrators. In the application, the normal
    users can only access a set of pages. If a normal user wants to access an
    administrative page, then a login page needs to be displayed for
    authentication, and if authentication is successful, then the page will be
    shown. For the normal users' pages to be displayed, there is no need for any
    authentication.

    To develop this type of application, what configurations need to be made?
    Kindly provide any tutorial or sample application of this kind.

    Thanks in advance.
     
    anbaesivam, Feb 18, 2009
    #1

  2. Hello Anbaesivam,

    I think ASP.NET Membership and Role Manager can achieve what you want.
    Please check the following reference:

    http://weblogs.asp.net/scottgu/archive/2006/05/07/ASP.NET-2.0-Membership-and-Roles-Tutorial-Series.aspx

    In the following reference, you can find some helpful samples:
    http://www.dotnetjunkies.com/QuickStartv20/aspnet/doc/security/membership.aspx

    The following link is about "Authorizing Access to a Page with Role
    Manager", which is what you need, I think.
    http://www.dotnetjunkies.com/QuickStartv20/aspnet/doc/security/membership.aspx#auth

    Furthermore, I will make a sample for you.

    For example, I created two roles ("user" and "admin") and there are two
    folders (securedfolder and adminfolder) in the application.
    1. Anonymous users can't access any pages in the "securedfolder" or
    "adminfolder" folder.
    2. Managed users with the "user" role can only access the pages in the
    "securedfolder" folder, not those in the "adminfolder" folder.
    3. Managed users with the "admin" role can access any page in the
    application.

    After deploying Membership and the roles for users, we need to configure
    authorization for access to a folder in Web.Config.

    <configuration>
      <location path="securedfolder">
        <system.web>
          <authorization>
            <deny users="?"/>     <!-- deny any anonymous users -->
            <allow users="*"/>    <!-- allow any managed users -->
          </authorization>
        </system.web>
      </location>
      <location path="adminfolder">
        <system.web>
          <authorization>
            <allow roles="admin"/>  <!-- allow any users with "admin" role -->
            <deny users="*"/>       <!-- deny any anonymous/managed users -->
          </authorization>
        </system.web>
      </location>
    </configuration>

    To redirect to the login page if authentication is not successful, please
    put the following code in the "system.web" section of Web.Config.

    <authentication mode="Forms">
      <forms name=".ASPXUSERDEMO" loginUrl="login.aspx"
             protection="All" timeout="60"/>
    </authentication>



    Sincerely,

    Vince Xu

    Microsoft Online Support

     
    Vince Xu [MSFT], Feb 18, 2009
    #2

  3. anbaesivam

    anbaesivam Guest

    I am restating my requirement once again.

    Root
    |
    +-Public folder
    +-Admin folder

    Here the public folder can be accessed by any one including anonymous.
    When the anonymous/normal user tries to access "Admin folder", then the
    login page should be displayed for authentication.

    And the problem with ASP.NET is that <authentication mode="Forms"> can be
    specified in the root folder alone; in the sub-folder we can't specify it.

    Please help me how to do this requirement.
     
    anbaesivam, Feb 18, 2009
    #3
  4. Hello Anbaesivam,

    Firstly, please create two roles: "normal" and "admin".

    <configuration>
      <location path="Admin">
        <system.web>
          <authorization>
            <allow roles="admin"/>
            <deny users="?"/>
            <deny roles="normal"/>
            <!-- you can also use <deny users="*"/> to deny any
                 anonymous/managed users -->
          </authorization>
        </system.web>
      </location>
    </configuration>

    For the second question, based on my understanding, your login page is in
    some sub folder rather than the root folder. If I have misunderstood you,
    please feel free to let me know.
    Actually, you can set the "loginUrl" property to locate the page
    wherever it is.

    <authentication mode="Forms">
      <forms name=".ASPXUSERDEMO"
             loginUrl="subfolder/login.aspx"
             protection="All" timeout="60"/>
    </authentication>


    Sincerely,

    Vince Xu

    Microsoft Online Support
     
    Vince Xu [MSFT], Feb 19, 2009
    #4
  5. anbaesivam

    anbaesivam Guest

    > <configuration>
    >   <location path="Admin">
    >     <system.web>
    >       <authorization>
    >         <allow roles="admin"/>
    >         <deny users="?"/>
    >         <deny roles="normal"/>
    >         <!-- you can also use <deny users="*"/> to deny any
    >              anonymous/managed users -->
    >       </authorization>
    >     </system.web>
    >   </location>
    > </configuration>


    With the above configuration how can I redirect the page to Login.aspx, when
    a normal user access the path "Admin"?
     
    anbaesivam, Feb 19, 2009
    #5
  6. Hello Anbaesivam,

    To redirect to the login page if authentication is not successful, please
    put the following code in the "system.web" section of Web.Config.

    <authentication mode="Forms">
      <forms name=".ASPXUSERDEMO"
             loginUrl="folder/login.aspx" protection="All" timeout="60"/>
    </authentication>

    Sincerely,

    Vince Xu

    Microsoft Online Support
     
    Vince Xu [MSFT], Feb 19, 2009
    #6
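
Added example, not part of any post in this thread: a simplified Python model of how ASP.NET URL authorization evaluates the `<authorization>` rules posted above (first matching rule wins, ending with the built-in default `<allow users="*"/>`), and of Forms authentication sending a denied request to `loginUrl`. All function, variable and user names are made up for illustration; the model also shows that with the rules from post #4 an authenticated user holding neither role falls through to the default allow, which the `<deny users="*"/>` alternative closes.

```python
# Simplified model of ASP.NET URL authorization; all names are illustrative.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    users: tuple = ()      # "*" = everyone, "?" = anonymous, otherwise user names
    roles: tuple = ()

@dataclass(frozen=True)
class User:
    name: str = ""         # empty name models an anonymous request
    roles: frozenset = frozenset()

# Built-in default that terminates every merged rule list.
DEFAULT_RULES = (Rule("allow", users=("*",)),)

def matches(rule, user):
    anonymous = user.name == ""
    for u in rule.users:
        if u == "*" or (u == "?" and anonymous) or (not anonymous and u == user.name):
            return True
    return any(r in user.roles for r in rule.roles)

def authorize(rules, user):
    """Return the action of the first rule that matches the user."""
    for rule in tuple(rules) + DEFAULT_RULES:
        if matches(rule, user):
            return rule.action
    return "deny"  # not reached: the default rule matches everyone

def respond(rules, user, login_url="login.aspx"):
    """Under Forms authentication a denied request is redirected to loginUrl."""
    return "200" if authorize(rules, user) == "allow" else "302 " + login_url

# <location path="Admin"> rules as posted in #4.
ADMIN_POST4 = (Rule("allow", roles=("admin",)), Rule("deny", users=("?",)),
               Rule("deny", roles=("normal",)))
# Alternative named in that post's comment: end with <deny users="*"/>.
ADMIN_DENY_ALL = (Rule("allow", roles=("admin",)), Rule("deny", users=("*",)))
# Same two rules reversed: the deny matches first and locks admins out.
ADMIN_REVERSED = (Rule("deny", users=("*",)), Rule("allow", roles=("admin",)))

# Constructed sample users.
ANON = User()
NORMAL = User("bob", frozenset({"normal"}))
ADMIN = User("alice", frozenset({"admin"}))
NO_ROLE = User("carol")
```

A folder with no `<location>` rules of its own, such as the public folder in post #3, is `authorize((), ANON)` in this model and resolves to the default allow.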