User.IsInRole with * wildcard, web.sitemap etc.

Discussion in 'ASP .Net Security' started by Tim Mackey, Jul 9, 2007.

  1. Tim Mackey

    Tim Mackey Guest

    hi,
    User.IsInRole method appears not to work with the web.sitemap * 'all roles'
    wildcard. is this by design? do i have to handle wildcards manually?
    ideally User.IsInRole("*") would return true if the user is in any role. an
    example is below to illustrate.

    i have a sitemap node like so:
    <siteMapNode title="Report xyz" description="etc" url="Reports.aspx?sp=XYZ"
    roles="*">

    since i'm using the querystring to specify a sproc, i make sure to verify
    that the user is allowed to access it, as defined in web.sitemap. so i have
    code in Reports.aspx that goes like:

    foreach (string role in siteMapNode.Roles)
        if (User.IsInRole(role))
            return; // OK

    thanks for any help
    tim
     
    Tim Mackey, Jul 9, 2007
    #1

  2. On Jul 9, 7:20 pm, "Tim Mackey" <> wrote:
    > hi,
    > User.IsInRole method appears not to work with the web.sitemap * 'all roles'
    > wildcard. is this by design? do i have to handle wildcards manually?
    > ideally User.IsInRole("*") would return true if the user is in any role. an
    > example is below to illustrate.
    >
    > i have a sitemap node like so:
    > <siteMapNode title="Report xyz" description="etc" url="Reports.aspx?sp=XYZ"
    > roles="*">
    >
    > since i'm using the querystring to specify a sproc, i make sure to verify
    > that the user is allowed to access it, as defined in web.sitemap. so i have
    > code in Reports.aspx that goes like:
    >
    > foreach (string role in siteMapNode.Roles)
    > if (User.IsInRole(role))
    > return; // OK
    >
    > thanks for any help
    > tim


    Tim, it makes no sense to worry about (*). If you have roles="*" then
    you don't need to check anything, because any role is ok.
     
    Alexey Smirnov, Jul 9, 2007
    #2

  3. You don't specify any authorization requirements in web.sitemap!!!

    You use the <authorization> element in web.config for that - the sitemap
    just uses this information - and the role attribute in the sitemap file allows
    you to override the information found in the authorization element for visual
    presentation.


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > hi,
    > User.IsInRole method appears not to work with the web.sitemap * 'all
    > roles'
    > wildcard. is this by design? do i have to handle wildcards manually?
    > ideally User.IsInRole("*") would return true if the user is in any
    > role. an
    > example is below to illustrate.
    > i have a sitemap node like so:
    > <siteMapNode title="Report xyz" description="etc"
    > url="Reports.aspx?sp=XYZ"
    > roles="*">
    > since i'm using the querystring to specify a sproc, i make sure to
    > verify that the user is allowed to access it, as defined in
    > web.sitemap. so i have code in Reports.aspx that goes like:
    >
    > foreach (string role in siteMapNode.Roles)
    > if (User.IsInRole(role))
    > return; // OK
    > thanks for any help
    > ti
     
    Dominick Baier, Jul 9, 2007
    #3
  4. Tim Mackey

    Tim Mackey Guest

    alexey, dominick, thanks for the reply. perhaps i should clarify.
    authorization is already controlled via web.config in as much as possible.
    the 'reports.aspx' page is accessible to anyone, as defined in web.config,
    however since i am using querystring parameters to refer to stored
    procedures, i perform an additional security check to verify the user's
    access to the querystring supplied. Since i have fully specified the access
    rules in web.sitemap, i am using the roles defined here to decide if the
    user should be able to access a certain URL. the example below illustrates:

    <sitemapnode Url="reports.aspx?sp=PublicReport1" Roles="*" />
    <sitemapnode Url="reports.aspx?sp=PrivateReport1" Roles="Admins" />
    <sitemapnode Url="reports.aspx?sp=PrivateReport2" Roles="Admins" />

    reports.aspx currently enumerates the roles specified in web.sitemap to
    validate the request. i guess i will have to handle the * wildcard role
    manually. my scenario is fairly non-standard, i would accept that, although
    my reports page is invaluable: it dynamically generates UI controls to match
    parameters for any SP, and then binds the results to an enhanced GridView
    with built-in excel export etc. (or sends the parameters to a specified
    crystal report).

    thanks
    tim


    ----- Original Message -----
    From: "Dominick Baier" <dbaier@pleasepleasenospam_leastprivilege.com>
    Newsgroups: microsoft.public.dotnet.framework.aspnet.security
    Sent: Monday, July 09, 2007 9:21 PM
    Subject: Re: User.IsInRole with * wildcard, web.sitemap etc.


    > You don't specify any authorization requirements in web.sitemap!!!
    >
    > You use the <authorization> element in web.config for that - the sitemap
    > just uses this information - and the role attribute in the sitemap file
    > allows to override the information found in the authorization element for
    > visual presentation.
    >
    >
    > -----
    > Dominick Baier (http://www.leastprivilege.com)
    >
    > Developing More Secure Microsoft ASP.NET 2.0 Applications
    > (http://www.microsoft.com/mspress/books/9989.asp)
    >
    >> hi,
    >> User.IsInRole method appears not to work with the web.sitemap * 'all
    >> roles'
    >> wildcard. is this by design? do i have to handle wildcards manually?
    >> ideally User.IsInRole("*") would return true if the user is in any
    >> role. an
    >> example is below to illustrate.
    >> i have a sitemap node like so:
    >> <siteMapNode title="Report xyz" description="etc"
    >> url="Reports.aspx?sp=XYZ"
    >> roles="*">
    >> since i'm using the querystring to specify a sproc, i make sure to
    >> verify that the user is allowed to access it, as defined in
    >> web.sitemap. so i have code in Reports.aspx that goes like:
    >>
    >> foreach (string role in siteMapNode.Roles)
    >> if (User.IsInRole(role))
    >> return; // OK
    >> thanks for any help
    >> tim

    >
    >
     
    Tim Mackey, Jul 10, 2007
    #4
  5. On Jul 10, 12:51 pm, "Tim Mackey" <> wrote:
    > alexey, dominick, thanks for the reply. perhaps i should clarify.
    > authorization is already controlled via web.config in as much as possible.
    > the 'reports.aspx' page is accessible to anyone, as defined in web.config,
    > however since i am using querystring parameters to refer to stored
    > procedures, i perform an additional security check to verify the user's
    > access to the querystring supplied. Since i have fully specified the access
    > rules in web.sitemap, i am using the roles defined here to decide if the
    > user should be able to access a certain URL. the example below illustrates:
    >
    > <sitemapnode Url="reports.aspx?sp=PublicReport1" Roles="*" />
    > <sitemapnode Url="reports.aspx?sp=PrivateReport1" Roles="Admins" />
    > <sitemapnode Url="reports.aspx?sp=PrivateReport2" Roles="Admins" />
    >
    > reports.aspx currently enumerates the roles specified in web.sitemap to
    > validate the request. i guess i will have to handle the * wildcard role
    > manually. my scenario is fairly non-standard, i would accept that, although
    > my reports page is invaluable: it dynamically generates UI controls to match
    > parameters for any SP, and then binds the results to an enhanced GridView
    > with built-in excel export etc. (or sends the parameters to a specified
    > crystal report).
    >


    foreach (string role in siteMapNode.Roles)
        if (role == "*" || User.IsInRole(role))
            return; // OK
     
    Alexey Smirnov, Jul 10, 2007
    #5
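    The check Tim describes in #4 and the one-line fix in #5, written out as a
    fail-closed helper. This is an added example, not code from the thread or from
    Microsoft; it assumes ASP.NET 2.0 Web Forms with the default XmlSiteMapProvider,
    sitemap node urls that include the query string (as in Tim's
    "reports.aspx?sp=PrivateReport1"), and that FindSiteMapNode matches the raw
    request URL including its query string. The class and method names are
    hypothetical.

```csharp
// Added example (not the thread's code). Evaluates the web.sitemap "roles"
// attribute of the node that matches the exact requested URL, so that the
// query-string value (the stored procedure name) cannot be swapped for one
// the user is not allowed to run.
using System;
using System.Collections;          // SiteMapNode.Roles is a non-generic IList in .NET 2.0
using System.Security.Principal;
using System.Web;

public static class SiteMapRoleCheck
{
    // Core rule, kept free of HttpContext so it can be unit-tested:
    //   - no roles listed on the node  -> deny (stricter than the framework,
    //                                     which would fall back to URL authorization
    //                                     and let anyone reach reports.aspx)
    //   - "*"                          -> allow everyone, the same meaning "*" has
    //                                     in web.config <authorization> and in
    //                                     security trimming
    //   - otherwise                    -> allow if the user is in any listed role
    public static bool IsAllowed(IList roles, IPrincipal user)
    {
        if (roles == null || roles.Count == 0)
            return false;

        foreach (object o in roles)
        {
            string role = o == null ? "" : o.ToString().Trim();
            if (role == "*")
                return true;
            // IsInRole returns false for an anonymous principal, so an unauthenticated
            // request can only pass through the "*" branch above.
            if (role.Length > 0 && user != null && user.IsInRole(role))
                return true;
        }
        return false;
    }

    // Page-level entry point. Looking the node up by Request.RawUrl means
    // "reports.aspx?sp=PublicReport1" and "reports.aspx?sp=PrivateReport1"
    // resolve to different nodes, each with its own role list; a URL with no
    // node at all (an unlisted procedure name) is denied rather than ignored.
    public static bool IsCurrentRequestAllowed(HttpContext ctx)
    {
        if (ctx == null || SiteMap.Provider == null)
            return false;
        SiteMapNode node = SiteMap.Provider.FindSiteMapNode(ctx.Request.RawUrl);
        return node != null && IsAllowed(node.Roles, ctx.User);
    }
}

// Usage from reports.aspx.cs (hypothetical page code):
//
//   protected void Page_Load(object sender, EventArgs e)
//   {
//       if (!SiteMapRoleCheck.IsCurrentRequestAllowed(Context))
//       {
//           Response.StatusCode = 403;
//           Response.End();
//       }
//       // ... build the parameter UI and run the stored procedure ...
//   }
```

    Two points worth keeping in mind with this design. First, the framework
    already has an equivalent of this rule: with securityTrimmingEnabled="true"
    on the provider, SiteMapNode.IsAccessibleToUser(Context) evaluates the roles
    list (treating "*" as allow-all) and then falls back to URL authorization,
    which is why Alexey's `role == "*"` shortcut matches the sitemap's own
    semantics. Second, because reports.aspx itself is open to anyone in
    web.config, the sitemap lookup is the only thing standing between a user and
    an arbitrary procedure name in the query string, so the helper deliberately
    denies when no node or no roles attribute is found instead of defaulting to
    the page-level allow.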