role based security and

Discussion in 'ASP .Net' started by david, Apr 15, 2005.

  1. I have the following questions to ask.

    For example, there are two roles, A and B, granted to users UA and UB
    respectively.
    UB is not in role A and UA is not in role B.
    A can access Apage and B can access Bpage by typing their passwords, resp.
    However, when A has accessed Apage and knows the URL of Bpage, A can access
    Bpage. Right now I hard-code it in codebehind functions to protect the
    system from this case.

    I would like to set up the configuration file Web.config such that I do not need
    to add code to each of the codebehind functions.

    I have added the following to Web.config, but it does not seem to work in this
    way. Can anyone give me some help? Thanks

    David

    <location path="Apage.aspx">
    <system.web>
    <authorization>
    <allow roles="A" />
    <deny users="*" />
    </authorization>
    </system.web>
    </location>

    <location path="Bpage.aspx">
    <system.web>
    <authorization>
    <allow roles="B" />
    <deny users="*" />
    </authorization>
    </system.web>
    </location>
     
    david, Apr 15, 2005
    #1

  2. david

    Brock Allen Guest

    This should work. I'm wondering if your roles aren't being properly created
    upon each request. Are you doing this in Application_AuthenticateRequest
    in global.asax?

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



     
    Brock Allen, Apr 15, 2005
    #2

  3. Yes, I implement Application_AuthenticateRequest.
    I will try it once more.

    Another new problem has come up.
    All forms are located in Demo and secured by Web.config as
    <authentication mode="Forms">
    <forms name="AuthCookie" loginUrl="login.aspx" path="/" >
    </forms>

    </authentication>

    I also have an image subfolder in Demo for storing images. The problem is
    that I can access all images in the image subfolder without being asked for
    a user/password.
    What is the problem?
     
    david, Apr 15, 2005
    #3
  4. david

    Brock Allen Guest

    > yes, I implement Application_AuthenticateRequest.
    > I will try it once more.


    Hmm, ok, then I don't see why it's not working for you. I'd build a new simple
    project that just does this little bit that you're trying to do and make
    it work there. Sometimes the baggage of the rest of your application can
    hide other problems.

    > I also have an image subfolder in Demo for storing images. The problem
    > is that I can access to all images in the image subfolder without
    > asking user/password.
    > What is the problem?


    So add a <location path="image"> that denies user="?". This will not allow
    any anonymous users. Again, I'd test this in the sample app I mentioned above
    just so you know it works :)

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
     
    Brock Allen, Apr 15, 2005
    #4
  5. Thanks
     
    david, Apr 15, 2005
    #5
  6. It does not work. My configuration is:

    <authorization>

    <deny users="?" /> <!--deny anonymous users-->
    <allow users="*" /> <!-- Allow all users -->

    <!-- <allow users="[comma separated list of users]"
    roles="[comma separated list of roles]"/>
    <deny users="[comma separated list of users]"
    roles="[comma separated list of roles]"/>
    -->
    </authorization>

    <location path="images">
    <system.web>
    <authorization>

    <deny users="?" />
    </authorization>
    </system.web>
    </location>
     
    david, Apr 15, 2005
    #6
  7. david

    Brock Allen Guest

    The <location> is outside your <system.web>, right?

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen



     
    Brock Allen, Apr 15, 2005
    #7
  8. Yes, <location> is outside <system.web>,
     
    david, Apr 15, 2005
    #8
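
An added example, not part of the thread or any poster's code: a small Python model of how ASP.NET URL authorization evaluates rules like the ones posted above (first matching rule wins, and a `<location>` block's rules are checked before the parent's). `WEB_CONFIG`, `is_allowed` and the request path `Demo/Bpage.aspx` are constructed for illustration, and user and role matching is simplified to exact string comparison.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's rules in one well-formed file, with every
# <location> a direct child of <configuration> (a sibling of <system.web>).
WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <deny users="?" /><allow users="*" />
  </authorization></system.web>
  <location path="Apage.aspx"><system.web><authorization>
    <allow roles="A" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Bpage.aspx"><system.web><authorization>
    <allow roles="B" /><deny users="*" />
  </authorization></system.web></location>
  <location path="images"><system.web><authorization>
    <deny users="?" />
  </authorization></system.web></location>
</configuration>"""

def _rules(node):
    """Return (verb, users, roles) tuples from node's <authorization>, in file order."""
    auth = node.find("system.web/authorization")
    return [] if auth is None else [
        (r.tag, r.get("users", ""), r.get("roles", "")) for r in auth]

def _split(csv):
    return [s.strip() for s in csv.split(",") if s.strip()]

def _matches(users, roles, user, user_roles):
    """'*' is everyone, '?' is anonymous; a role rule needs roles on the principal."""
    for u in _split(users):
        if u == "*" or (u == "?" and user is None) or u == user:
            return True
    return any(r in user_roles for r in _split(roles))

def is_allowed(config_xml, path, user=None, user_roles=()):
    """First matching rule wins: <location> rules, then the parent's, then allow-all."""
    root = ET.fromstring(config_xml)
    target = path.strip("/").lower()
    rules = []
    for loc in root.findall("location"):
        prefix = loc.get("path", "").strip("/").lower()
        if target == prefix or target.startswith(prefix + "/"):
            rules += _rules(loc)
    rules += _rules(root) + [("allow", "*", "")]  # built-in default comes last
    for verb, users, roles in rules:
        if _matches(users, roles, user, user_roles):
            return verb == "allow"
```

With this file, `is_allowed(WEB_CONFIG, "Bpage.aspx", "UA", ["A"])` is False, while a path that no `<location>` matches, such as `Demo/Bpage.aspx`, falls through to the parent rules and is allowed for any authenticated user. The model covers only what the rules say: ASP.NET enforces them only on requests that reach its pipeline, and a role rule matches only once the roles are attached to the request's principal.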