Custom RoleProvider + <allow roles> not working

SJ

I am trying to use a custom role provider (along with custom
membership/profile providers) to secure some sections of our
website. For testing purposes I have implemented a very basic role
provider as shown in the code below. In the website I have test.aspx
under the Secure folder and I use the <location> element in web.config to
restrict access to this page to the 'Admin' role only. When this page is
accessed in the browser, the login page shows up, but after login all users
are allowed to access this page irrespective of their roles.

Any help on why this is happening is highly appreciated.

Role Provider:
===========

using System.Web.Security;   // RoleProvider base class

public class MyRoleProvider : RoleProvider
{
    // Test-only role lookup: one hard-coded account is an Admin,
    // every other authenticated user is a PowerUser.
    public override string[] GetRolesForUser(string username)
    {
        if (username == "(e-mail address removed)")
            return new string[] { "Admin" };
        else
            return new string[] { "PowerUser" };
    }

    . . .   // remaining RoleProvider overrides omitted in the post
}



Web.Config Location Element:
=======================
<location path="Secure/test.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow roles="Admin"/>
    </authorization>
  </system.web>
</location>

Web.Config RoleProvider configuration
=============================
<roleManager defaultProvider="TestRoleProvider" enabled="true">
  <providers>
    <add name="TestRoleProvider" type="MyRoleProvider" description="Test role provider"/>
  </providers>
</roleManager>

---------
I notice GetRolesForUser is called after login and returns
'PowerUser' for a username that is not '(e-mail address removed)'. But test.aspx
gets displayed after that without any kind of access denied message.

Thanks in advance,
Seetha
 
MikeS

Here you are saying deny unauthenticated users, but if they logged in
they are authenticated and so pass the test.

<deny users="?"/>
<allow roles="Admin"/>

You want your allows before your denies, because the first rule that
matches wins, so maybe try:

<allow roles="Admin"/>
<deny users="*"/>
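To make the ordering point concrete, here is an added example (not code from the thread or from ASP.NET itself) that models the documented evaluation of `<authorization>` rules: top to bottom, first match decides, and a request that matches no rule falls through to the machine-level default `<allow users="*"/>`. Both config fragments are the ones posted above; the three sample principals and their e-mail addresses are constructed placeholders, since the real address in the thread is redacted. Run it and the first configuration allows the PowerUser account while the corrected one denies it.

```python
"""Model of ASP.NET URL-authorization evaluation (first matching rule wins).

Added example for this thread, not code from the original posts. It
re-implements the documented <authorization> semantics only far enough to
show why the first configuration let every signed-in user through.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Both fragments are copied from the thread; the <location> wrapper is omitted
# because only the <authorization> element matters for the evaluation.
ORIGINAL_CONFIG = """
<authorization>
  <deny users="?"/>
  <allow roles="Admin"/>
</authorization>
"""

FIXED_CONFIG = """
<authorization>
  <allow roles="Admin"/>
  <deny users="*"/>
</authorization>
"""


@dataclass(frozen=True)
class Principal:
    """The caller as ASP.NET sees it after authentication and role lookup."""
    name: str                 # empty string for an anonymous request
    authenticated: bool
    roles: frozenset = field(default_factory=frozenset)


def _split(attr):
    """Split a comma-separated users="..." / roles="..." attribute value."""
    return [v.strip() for v in (attr or "").split(",") if v.strip()]


def rule_matches(rule, principal):
    """True if one <allow>/<deny> element applies to the principal.

    users="*" matches everyone, users="?" matches anonymous requests only,
    any other value is compared case-insensitively with the user name;
    roles="..." matches only authenticated users holding one of the roles.
    """
    for user in _split(rule.get("users")):
        if user == "*":
            return True
        if user == "?" and not principal.authenticated:
            return True
        if principal.authenticated and user.lower() == principal.name.lower():
            return True
    held = {r.lower() for r in principal.roles}
    for role in _split(rule.get("roles")):
        if principal.authenticated and role.lower() in held:
            return True
    return False


def is_authorized(config_xml, principal):
    """Evaluate the rules in document order; the first match decides.

    The trailing default mirrors the root web.config's <allow users="*"/>:
    a request that no explicit rule matches is ALLOWED. That fall-through is
    what exposed Secure/test.aspx to the PowerUser account.
    """
    root = ET.fromstring(config_xml.strip())
    for rule in root:
        if rule.tag in ("allow", "deny") and rule_matches(rule, principal):
            return rule.tag == "allow"
    return True  # nothing matched: machine-level default allow


# Constructed sample principals; the addresses are placeholders, not the
# poster's accounts (the thread's real address is redacted).
SAMPLE_PRINCIPALS = {
    "anonymous": Principal("", False),
    "admin": Principal("admin@example.test", True, frozenset({"Admin"})),
    "poweruser": Principal("user@example.test", True, frozenset({"PowerUser"})),
}


def evaluate(config_xml):
    """Return {label: allowed?} for each sample principal under one config."""
    return {label: is_authorized(config_xml, p)
            for label, p in SAMPLE_PRINCIPALS.items()}


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, evaluate(cfg))
```

The lesson generalises beyond this thread: an authorization block that only lists `deny` rules for specific cases and an `allow` for the privileged role is default-allow for everyone else, so a final `<deny users="*"/>` is the line that actually closes the page.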
 
SJ

Thank you very much. That fixed it.

When the users are denied access, they are taken back to the login page,
and I am unable to trap the 'Access Denied' error to display a custom
error page. I tried trapping it in Application_Error and with
<customErrors> in web.config and couldn't get it.

Is there a way to trap this 'Access denied' error when the user is not
in a specific role?

Thanks
Seetha
 
MikeS

Perhaps not link to pages they are not allowed to see in the first
place.
Otherwise look around this group and the web for that topic.