Role-based authentication and Forms and System.UnauthorizedAccessException

Discussion in 'ASP .Net Security' started by wrecker, Aug 18, 2005.

  1. wrecker

    wrecker Guest

    Hi all,

    I'm trying to implement role-based authentication for the following directory structure in my
    ASP.NET app.

    login.aspx
    Admin/
    Members/

    The web.config in my Admin directory is as follows

    <configuration>
      <system.web>
        <authorization>
          <allow roles="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

    When the user logs in using authentication mode set to Forms, they are authenticated against a SQL
    table and then assigned a role

    Dim roles() As String
    If CurrentUser.IsAdministrator Then
        roles = New String() {"Admin", "Member"}
    Else
        roles = New String() {"Member"}
    End If

    Where the roles string array is stored in the Session (although I've also tried storing it in the
    cache object as well to try and solve my problem)

    In Global.asax Application_AuthenticateRequest I have

    If (Not (HttpContext.Current.User Is Nothing)) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            ' IIdentity must be cast to FormsIdentity explicitly (Option Strict)
            Dim id As System.Web.Security.FormsIdentity
            id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
            ' roles extracted from session
            HttpContext.Current.User = New _
                System.Security.Principal.GenericPrincipal(id, roles)
        End If
    End If

    My problem is that after a user having Administrator privileges logs in and they try to access a
    page in the Admin directory they get a System.UnauthorizedAccessException exception. I've debugged
    this and the roles array does indeed have "Admin" and "Members" in it, but the
    HttpContext.Current.User doesn't seem to contain this information, even after assigning it the new
    principal (I can't find it in any fields that are visible to the debugger). I've checked the
    permissions on the directory and the ASP machine account has access to this directory. I've been
    reading quite a few articles on role-based security (especially the ones from the Rolla guys) and
    they all seem to use this approach. Why is this not working???

    My test system is IIS5.1 on XP Pro using version 1.1 of the framework.

    Thanks
    wrecker, Aug 18, 2005
    #1

  2. Hello wrecker,

    I doubt your code is working fine. In AuthenticateRequest you don't have
    access to the Session as the SessionModule runs after this event....

    The common approach is to store the roles in the cookie. I have a sample
    on my blog for doing this:
    http://www.leastprivilege.com/DevWeek2005PostConference.aspx

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Aug 19, 2005
    #2
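    One way to do what Dominick describes, as an added example that is not code from this thread or from his linked sample: on login, the role list is placed in the UserData field of the FormsAuthenticationTicket, which FormsAuthentication.Encrypt encrypts and MAC-protects with the application's machineKey, so the client cannot edit it; in Application_AuthenticateRequest the FormsIdentity that FormsAuthenticationModule has already built from the cookie is unwrapped and a GenericPrincipal carrying those roles replaces the default one. The class name RoleTicket, the "|" separator, the 30-minute lifetime and the Secure flag (which assumes the site runs over HTTPS) are assumptions of this example, not anything the thread specifies.

    ```vb
    ' Added example for ASP.NET 1.1 / VB.NET; assumes <authentication mode="Forms">
    ' in the root web.config and that role names never contain "|".
    Imports System
    Imports System.Web
    Imports System.Web.Security
    Imports System.Security.Principal

    Public Class RoleTicket

        Private Const RoleSeparator As Char = "|"c   ' assumption: "|" is not part of any role name

        ' Login.aspx, after the credentials have been verified against the SQL table:
        ' build a ticket whose UserData carries the role list, encrypt it and write it
        ' as the forms-authentication cookie. Roles never travel in a plain cookie.
        Public Shared Sub Issue(ByVal userName As String, ByVal roles() As String, _
                                ByVal response As HttpResponse)
            Dim userData As String = JoinRoles(roles)
            ' version 1, 30-minute lifetime (assumption), non-persistent cookie
            Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
                DateTime.Now.AddMinutes(30), False, userData)
            ' Encrypt applies the machineKey encryption and validation MAC, so a
            ' client that edits the role list only produces a cookie that fails to decrypt.
            Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                         FormsAuthentication.Encrypt(ticket))
            cookie.Path = FormsAuthentication.FormsCookiePath
            cookie.Secure = True   ' assumption: the site is served over HTTPS only
            response.Cookies.Add(cookie)
        End Sub

        ' Global.asax Application_AuthenticateRequest: Session is not available in
        ' this event, but the decrypted ticket is, via the FormsIdentity that
        ' FormsAuthenticationModule has already attached to the context.
        Public Shared Sub Attach(ByVal context As HttpContext)
            If context.User Is Nothing OrElse Not context.User.Identity.IsAuthenticated Then Return
            If Not TypeOf context.User.Identity Is FormsIdentity Then Return
            Dim identity As FormsIdentity = DirectCast(context.User.Identity, FormsIdentity)
            Dim ticket As FormsAuthenticationTicket = identity.Ticket
            ' an expired ticket should not grant anything, so leave the user without roles
            If ticket.Expired Then Return
            Dim roles() As String = SplitRoles(ticket.UserData)
            context.User = New GenericPrincipal(identity, roles)
        End Sub

        Public Shared Function JoinRoles(ByVal roles() As String) As String
            If roles Is Nothing Then Return ""
            Return String.Join(RoleSeparator.ToString(), roles)
        End Function

        Public Shared Function SplitRoles(ByVal userData As String) As String()
            ' empty UserData means "authenticated, but in no role"
            If userData Is Nothing OrElse userData.Length = 0 Then Return New String() {}
            Return userData.Split(RoleSeparator)
        End Function
    End Class

    ' Global.asax: the event handler itself stays a one-liner.
    ' Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    '     RoleTicket.Attach(HttpContext.Current)
    ' End Sub
    ```

    With this in place the `<allow roles="Admin"/>` rule in the Admin web.config is evaluated by UrlAuthorizationModule against the principal built here, and `User.IsInRole("Admin")` works in page code. Two things to keep in mind: the role list is a snapshot taken at login, so a role removed in the database stays in force until the ticket expires (keep the lifetime short, or re-check the database before sensitive operations), and on a web farm every server needs the same explicit `<machineKey>` or tickets issued by one server will not decrypt on another.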

  3. wrecker

    wrecker Guest

    Hi Dominick,

    Thanks for your help. Now I'm wondering if there is any way to access a user's roles if they have
    cookies disabled? I suppose that I could pass roles on the query string and check them on page load
    but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a
    cookie.

    Thanks again


    wrecker, Aug 19, 2005
    #3
  4. Hello wrecker,

    in 1.1 - FormsAuth is totally dependent on cookies...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Aug 20, 2005
    #4
  5. Pat

    Pat Guest

    But has it changed in ASP.NET 2.0?

    Pat, Aug 29, 2005
    #5
  6. Hello Pat,

    yes - you can now do cookieless forms authentication, similar to cookieless
    sessions, the authentication ticket gets mangled in the URL. Needless to
    say - I don't like that :)

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Aug 30, 2005
    #6
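    Where that switch lives, as an added web.config fragment that is not from this thread: in ASP.NET 2.0 the `cookieless` attribute of `<forms>` decides whether the ticket may be carried in the URL. The default, UseDeviceProfile, falls back to the URL form Dominick describes for clients whose browser profile says they lack cookie support; UseCookies pins the ticket to the cookie, so a ticket can never end up in a bookmark, a proxy log or a Referer header. The loginUrl comes from wrecker's directory listing; requireSSL is an assumption that the site is served over HTTPS.

    ```xml
    <!-- Added example (ASP.NET 2.0 root web.config), not from the thread -->
    <configuration>
      <system.web>
        <authentication mode="Forms">
          <!-- weak: cookieless="UseDeviceProfile" (the default) or "UseUri"
               lets the ticket travel in the URL for some or all clients -->
          <!-- corrected: cookie only -->
          <forms loginUrl="login.aspx"
                 cookieless="UseCookies"
                 requireSSL="true"
                 timeout="30" />
        </authentication>
      </system.web>
    </configuration>
    ```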