check if user is the one specified in <location path="...

Discussion in 'ASP .Net Security' started by zino66, Mar 10, 2010.

  1. zino66

    zino66 Guest

    In an intranet asp.net application I have the following in the web config:

    <authentication mode="Windows" />

    <location path="AdministrationFolder">
    <system.web>
    <authorization>
    <allow users="John"/>
    <allow users="David"/>
    <allow users="Eric"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>

    The "Default.aspx" page is accessible to everybody.
    I have a link <a href=Administration.aspx>Administration</a> on this page,
    which I need to be visible only if the user is one of those specified in
    "<location path=....>" (if user is in (John, David, Eric), then display the
    link).

    How can I check if the logged-in user is one of the mentioned users above?
     
    zino66, Mar 10, 2010
    #1

  2. zino66

    Joe Kaplan Guest

    The identity information that the UrlAuthorizationModule (the thing that
    consumes that particular piece of XML web.config) examines is the
    HttpContext.User property, specifically the .Identity.Name property and the
    .IsInRole method, to compare against user name and role membership, so you
    can do the same thing programmatically in your code to conditionally display
    specific markup.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Mar 10, 2010
    #2

  3. zino66

    zino66 Guest

    Now I'm able to check the logged-in user name, but I need to compare it to the
    one stored in <location path=....
    <allow users='john'........

    So, in the "Default.aspx" page, which is available to anybody (not only
    'John',....),
    I wrote:
    Dim _as_ As Web.Configuration.AuthorizationSection =
    Web.Configuration.WebConfigurationManager.GetSection("system.web/authorization", "~/Administration")

    but I'm getting this error:
    "The attribute 'users' has been locked in a higher level configuration"

    I understand that accessing the config file in an already protected folder
    from an unprotected page sounds like nonsense, but is there a way to work
    around this?

    thanks for help
     
    zino66, Mar 11, 2010
    #3
  4. zino66

    Joe Kaplan Guest

    If I were solving the problem, I'd approach it differently.

    I'd create a mechanism to put these users in a role called "Admin" or
    something like that and then hard code the configuration section and your
    security trimming UI code to just check that.

    To generate a role for a user on the fly, you can hook the authenticate
    event in global.asax (or something similar) and just issue a new
    GenericPrincipal for the authenticated user that adds specific users to a
    role. You can create a custom configuration value of your own choosing to
    determine which users are in the admin role or not.

    I'm not sure what the recommended method to read the configuration file
    directly is but it seems that ASP.NET does not want you doing it the way you
    are trying right now. :)

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Mar 12, 2010
    #4
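
Added example, not part of the original thread or either poster's code: one way to implement the approach from replies #2 and #4 in VB.NET, using the PostAuthenticateRequest event as the hook. The `AdminUsers` appSettings key, the `Admin` role name, the `CONTOSO\...` account names and the `AdminLink` control are assumptions made for illustration.

```vb
' --- Global.asax.vb (added example; key, role and account names are assumed) ---
' Assumed web.config entries:
'   <appSettings>
'     <add key="AdminUsers" value="CONTOSO\John,CONTOSO\David,CONTOSO\Eric"/>
'   </appSettings>
'   and, inside the <location> element: <allow roles="Admin"/> <deny users="*"/>
Imports System
Imports System.Configuration
Imports System.Security.Principal
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication

    Private Const AdminRole As String = "Admin"

    ' Runs after Windows authentication has populated Context.User and
    ' before UrlAuthorizationModule evaluates the <authorization> rules.
    Protected Sub Application_PostAuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim current As IPrincipal = Context.User
        If current Is Nothing OrElse Not current.Identity.IsAuthenticated Then Return

        Dim roles As String() = New String() {}
        If IsConfiguredAdmin(current.Identity.Name) Then roles = New String() {AdminRole}

        ' Keeps the authenticated identity and replaces only the role list.
        ' After the swap, IsInRole no longer resolves Windows groups.
        Context.User = New GenericPrincipal(current.Identity, roles)
    End Sub

    Private Shared Function IsConfiguredAdmin(ByVal userName As String) As Boolean
        Dim raw As String = ConfigurationManager.AppSettings("AdminUsers")
        If String.IsNullOrEmpty(raw) Then Return False ' missing setting: nobody is admin
        For Each entry As String In raw.Split(","c)
            If String.Equals(entry.Trim(), userName, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function
End Class

' --- Default.aspx.vb (AdminLink is an assumed server-side HyperLink control) ---
Partial Public Class _Default
    Inherits System.Web.UI.Page

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Same check the role-based <allow roles="Admin"/> rule performs.
        AdminLink.Visible = User.IsInRole("Admin")
    End Sub
End Class
```

Hiding the link is only UI trimming; the `<location>` authorization rule remains the control that actually blocks requests to the folder.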