Blocking Direct URL Access through web config

Chase Kang #52

I have a web application using custom authentication and role
management, which seems to work properly. I also have a web config
file with the following:

<location path="systems">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="applications">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="certification">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

When I run the application, everything works fine. Clicking on my
menu links, I cannot access the pages for which I'm not assigned to an
allowed role. The problem is when I paste the direct URL into the
browser, I'm still able to pull up the pages I'm not supposed to have
access to. For example, when I log in as a reader (a role I've
verified), I can click on the "Admin" link from the menu and
I get an "Access Denied" 401.2 error. However, when I copy the URL to
the browser, I can gain access to that page.

Anyone have any ideas? Any help is appreciated. Thank you.
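
An added example, not part of the original post: a small Python audit script that parses the four `<location>` blocks above and computes the decision the rules should produce for a given role and URL, using ASP.NET's first-match-wins rule order. The page names (`default.aspx`, `list.aspx`), the user names, and the helpers `load_rules`, `is_allowed` and `access_matrix` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed input: the four <location> blocks from the post, rebuilt from a
# template and wrapped in a <configuration> root so they parse as one document.
LOCATION = ('<location path="{0}"><system.web><authorization>'
            '<allow roles="{1}" /><deny users="*" />'
            '</authorization></system.web></location>')
WEB_CONFIG = "<configuration>" + "".join(
    LOCATION.format(path, roles) for path, roles in [
        ("systems", "Administrator,Reader"),
        ("applications", "Administrator,Reader"),
        ("certification", "Administrator,Reader"),
        ("admin", "Administrator"),
    ]) + "</configuration>"

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {v.strip().lower() for v in (value or "").split(",") if v.strip()}

def load_rules(config_xml):
    """Map each <location path> to its ordered (action, users, roles) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        for auth in loc.iter("authorization"):
            rules[loc.get("path").strip("/").lower()] = [
                (r.tag, _names(r.get("users")), _names(r.get("roles")))
                for r in auth]
    return rules

def is_allowed(rules, url_path, user, roles):
    """First matching rule wins; user=None is an anonymous request.
    Names are compared case-insensitively (a simplification for roles)."""
    held = {r.lower() for r in roles}
    segments = url_path.strip("/").lower().split("/")
    for n in range(len(segments), 0, -1):       # most specific location first
        for action, users, rule_roles in rules.get("/".join(segments[:n]), []):
            user_hit = ("*" in users or (user is None and "?" in users)
                        or (user is not None and user.lower() in users))
            if user_hit or (rule_roles & held):
                return action == "allow"
    return True  # nothing matched: machine-level default is <allow users="*"/>

def access_matrix(rules, paths, principals):
    """Expected decision for every (principal, path) pair."""
    return {(name, p): is_allowed(rules, p, name, roles)
            for name, roles in principals for p in paths}

RULES = load_rules(WEB_CONFIG)
```

Comparing this expected table with the status codes the server actually returns for each URL shows whether these rules are the ones deciding a given request.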
 
Joe Fawcett

Are these aspx pages you are trying to access?
 
