ASP.NET Role Authorization Override

Discussion in 'ASP .Net Security' started by Mike, Jun 9, 2009.

  1. Mike

    Mike Guest

    Hello,

    I am having difficulty achieving a result I expected to be very easy with
    ASP.NET role authorization. I would like to set a site-wide authorization
    policy where only members of a certain role may access any page in the site,
    but I would like suspend this authorization policy for *one* single page in
    the site, so that any authenticated user may access the page, no matter which
    role they are assigned to or even if they have no roles.

    I have tried using a <location> element to turn off role authorization for
    the single page, but it doesn't seem to have any affect. Authenticated users
    without the proper role that try to access the unrestricted page are prompted
    over and over again to log in, which indicates that a role is still needed
    for the page. How can I override the site-wide role authorization requirement
    and turn it off for the one page?

    TIA,
    -Mike
     
    Mike, Jun 9, 2009
    #1
    1. Advertisements

  2. Mike

    Joe Kaplan Guest

    Perhaps you could show the markup from the web.config? There may be an
    error in your location tag usage that is preventing it from giving you the
    desired results.

    An alternate approach would be to handle the "Authenticate" event in
    global.asax, check for a request for the specific excluded page and use the
    SkipAuthorization property on HttpContext to override the behavior of the
    UrlAuthorizationModule (the <allow><deny> tags in web.config). This
    approach is a bit dangerous because you need to do matching on the URL which
    can lead to security issues if you have any problems with your string
    matching and it may be harder to maintain, but sometimes you need the extra
    flexibility the code solution gives you.
     
    Joe Kaplan, Jun 9, 2009
    #2
    1. Advertisements

  3. Mike

    Mike Guest

    Joe,

    Thanks for the suggestion. The markup from the web.config file is as follows:

    <!-- site-wide authorization: only allow Administrators access -->
    <system.web>
    <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
    slidingExpiration="true" protection="All" />
    </authentication>
    <authorization>
    <allow roles="Administrators"/>
    <deny users="*"/>
    </authorization>
    </system.web>

    <!-- location override: let any authenticated user access the EditUser page
    -->
    <location path="Users/EditUser.aspx">
    <system.web>
    <authorization>
    <deny users="?"/>
    </authorization>
    </system.web>
    </location>

    As you can see, my approach was to limit access by role site-wide, but then
    for the page I wanted an exclusion for, simply restrict anonymous users from
    accessing it, which I thought would be logically equivalent to allowing any
    authenticated user, irrespective of role, access it. Perhaps this is not how
    ASP.NET interprets it, and this may be the disjuncture. Maybe the <location>
    element isn't viewed as an override on the <authorization> element, since it
    isn't explicitly specified. That being the case, how does one turn it off in
    a sub-directory?

    I'd like to establish this policy via configuration versus code, if
    possible. I'd be quite surprised if there wasn't a way to achieve what I'm
    trying to do, given how simple it seems: make every page in the site require
    Administrators membership except for 1 page, which would only require user
    authentication.

    Thanks again,
    -Mike
     
    Mike, Jun 9, 2009
    #3
  4. Hello Mike,

    Add a specific Allow users tag to the location specific rule, otherwise there's
    only deny rules in the whole set that applies to this location.

    Jesse
     
    Jesse Houwing, Jun 9, 2009
    #4
  5. Mike

    Mike Guest

    Thanks Jesse, your advice seems to have gotten me past this hurdle. It's odd,
    because I could have sworn that I had tried this already. Below is the
    updated <location> element that appears to have done the trick:

    <location path="Users/EditUser.aspx">
    <system.web>
    <authorization>
    <deny users="?"/>
    <allow users="*"/> <!-- this resets the parent role auth, I
    guess? -->
    </authorization>
    </system.web>
    </location>

    Thanks once again to Jesse and Joe for their help.

    -Mike
     
    Mike, Jun 9, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.