check if user is the one specified in <location path="...

Discussion in 'ASP .Net Security' started by zino66, Mar 10, 2010.

  1. zino66

    zino66 Guest

    In an intranet asp.net application I have the following in the web config:

    <authentication mode="Windows" />

    <location path="AdministrationFolder">
    <system.web>
    <authorization>
    <allow users="John"/>
    <allow users="David"/>
    <allow users="Eric"/>
    <deny users="*"/>
    </authorization>
    </system.web>
    </location>

    The "Default.aspx" page is accessible to everybody.
    I have a link <a href=Administration.aspx>Administration</a> on this page,
    which I need it to be visible only if the user is one of those specified in
    "<location path=....>" (If user = in (John, David, Eric) then, display the
    link.)



    How can I check if the logged user is one of the mentioned users above ?
     
    zino66, Mar 10, 2010
    #1
    1. Advertisements

  2. zino66

    Joe Kaplan Guest

    The identity information that the UrlAuthorizationModule (the thing taht
    consumes that particular piece of XML web.config) examines the
    HttpContext.User property, specifically the .Identity.Name property and the
    ..IsInRole method to compare against user name and role membership, so you
    can do the same thing programmatically in your code to conditionally display
    specific markup.
     
    Joe Kaplan, Mar 10, 2010
    #2
    1. Advertisements

  3. zino66

    zino66 Guest

    now I'm able to check the logged user name, but I need to compare it to the
    one stored in <location path=....
    <allow users='john'........

    so, in the "Default.aspx" page, which is available to anybody (not only
    'John',....),
    I wrote:
    Dim _as_ As Web.Configuration.AuthorizationSection =
    Web.Configuration.WebConfigurationManager.GetSection("system.web/authorization", "~/Administration")

    but I'm getting this error:
    "The attribute 'users' has been locked in a higher level configuration"

    I understand that accessing the config file in an already protected folder
    from an unprotected page sound non-sense, but is there a way to work around
    this ?

    thanks for help
     
    zino66, Mar 11, 2010
    #3
  4. zino66

    Joe Kaplan Guest

    If I were solving the problem, I'd approach it differently.

    I'd create a mechanism to put these users in a role called "Admin" or
    something like that and then hard code the configuration section and your
    security trimming UI code to just check that.

    To generate a role for a user on the fly, you can hook the authenticate
    event in global.asax (or something similar) and just issue an new
    GenericPrincipal for the authenticated user that add specific users to a
    role. You can create a custom configuration value of your own choosing to
    determine which users are in the admin role or not.

    I'm not sure what the recommended method to read the configuration file
    directly is but it seems that ASP.NET does not want you doing it the way you
    are trying right now. :)
     
    Joe Kaplan, Mar 12, 2010
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.