Custom RoleProvider + <allow roles> not working

Discussion in 'ASP .Net Security' started by SJ, Feb 21, 2006.

  1. SJ (Guest)

    I am trying to use a custom role provider (along with custom
    membership/profile providers) to secure some sections of our
    website. For testing purposes I have implemented a very basic role
    provider as shown in the code below. In the website I have test.aspx
    under a Secure folder and I use the <location> element in web.config to
    restrict access to this page to only the 'Admin' role. When this page is
    accessed in the browser, the login page shows up, but after login all users
    are allowed to access this page irrespective of their roles.

    Any help on why this is happening is highly appreciated.

    Role Provider:

    using System.Web.Security;

    // Minimal test provider: the empty user name maps to Admin,
    // every other user name maps to PowerUser.
    public class MyRoleProvider : RoleProvider
    {
        public override string[] GetRolesForUser(string username)
        {
            if (username == "")
                return new string[] { "Admin" };
            return new string[] { "PowerUser" };
        }

        . . .  // remaining RoleProvider overrides omitted in the post
    }

    Web.Config Location Element:

    <location path="Secure/test.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
          <allow roles="Admin"/>
        </authorization>
      </system.web>
    </location>

    Web.Config RoleProvider configuration:

    <roleManager defaultProvider="TestRoleProvider" enabled="true">
      <providers>
        <add name="TestRoleProvider" type="MyRoleProvider"
             description="Test role provider"/>
      </providers>
    </roleManager>

    I notice GetRolesForUser being called after login and returning
    'PowerUser' for username that is not ''. But test.aspx
    gets displayed after that without any kind of access denied msg.

    Thanks in advance,
    SJ, Feb 21, 2006

  2. MikeS (Guest)

    Here you are saying deny unauthenticated users, but if they logged in
    they are authenticated and so pass the test.

    <deny users="?"/>
    <allow roles="Admin"/>

    You want your allows before your denies because the first rule that
    matches wins so maybe try:

    <allow roles="Admin"/>
    <deny users="*"/>
    MikeS, Feb 22, 2006
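The rule evaluation MikeS describes, as an added example that is not code from the thread: a small Python model of how ASP.NET's <authorization> list is applied. Rules are checked in document order, the first <allow> or <deny> that matches the request decides, and a request that matches none of them falls through to the <allow users="*"/> that the root web.config supplies, which is why the original ordering lets a PowerUser through. The Rule/User types, the user names and the role lookup are constructed here to mirror the thread's test provider; the verbs attribute is ignored.

```python
"""Model of ASP.NET URL authorization for the two rule orderings in this thread.

Constructed example (not code from the thread): rules are evaluated in document
order, the first <allow>/<deny> that matches the request decides, and a request
matched by no rule falls through to the <allow users="*"/> that the root
web.config supplies. The verbs attribute is ignored here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str                       # "" = anonymous (unauthenticated) request
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self) -> bool:
        return self.name != ""


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    users: tuple = ()               # values of users="a,b" ("*" everyone, "?" anonymous)
    roles: tuple = ()               # values of roles="x,y"


# The rule every application inherits if its own list decides nothing.
ROOT_DEFAULT = Rule("allow", users=("*",))


def rule_matches(rule: Rule, user: User) -> bool:
    """Does this rule apply to this user? Names and roles compare case-insensitively."""
    user_roles = {r.lower() for r in user.roles}
    for u in rule.users:
        if u == "*":
            return True
        if u == "?" and not user.is_authenticated:
            return True
        if user.is_authenticated and u.lower() == user.name.lower():
            return True
    return any(r.lower() in user_roles for r in rule.roles)


def is_authorized(rules, user: User) -> bool:
    """First matching rule wins; the inherited root rule is tried last."""
    for rule in (*rules, ROOT_DEFAULT):
        if rule_matches(rule, user):
            return rule.action == "allow"
    return True  # not reached: ROOT_DEFAULT matches every user


def has_terminal_deny(rules) -> bool:
    """Lint: does the list contain a catch-all deny, so nothing can fall
    through to the inherited allow-all?"""
    return any(r.action == "deny" and "*" in r.users for r in rules)


# Mirror of the thread's test provider: "" -> Admin, anyone else -> PowerUser.
def get_roles_for_user(username: str) -> tuple:
    return ("Admin",) if username == "" else ("PowerUser",)


def build_user(username: str) -> User:
    # Assumption made here: an anonymous request carries no roles, so the
    # provider's Admin branch for the empty name is never consulted.
    roles = get_roles_for_user(username) if username else ()
    return User(username, frozenset(roles))


# The posted <location> rules, in the order that let PowerUser through ...
ORIGINAL_RULES = (Rule("deny", users=("?",)), Rule("allow", roles=("Admin",)))
# ... and MikeS's ordering: allow Admin, then deny everyone else.
FIXED_RULES = (Rule("allow", roles=("Admin",)), Rule("deny", users=("*",)))


def check_access(rules, username: str) -> bool:
    """Authorize a request for Secure/test.aspx from the given (possibly empty) user name."""
    return is_authorized(rules, build_user(username))


if __name__ == "__main__":
    admin = User("alice", frozenset({"Admin"}))   # constructed Admin user
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        print(f"{label}: terminal deny = {has_terminal_deny(rules)}")
        for name in ("", "sj"):
            verdict = "allowed" if check_access(rules, name) else "denied"
            print(f"  {name or '<anonymous>':12} -> {verdict}")
        print(f"  {'alice (Admin)':12} -> {'allowed' if is_authorized(rules, admin) else 'denied'}")
```

Running it shows the original ordering denying only the anonymous request and admitting the PowerUser via the root default, while the fixed ordering admits only Admin. The has_terminal_deny check is the quick review question to ask of any <location> block: if no rule ends the list with users="*", the inherited allow-all is still in play.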

  3. SJ (Guest)

    Thank you very much. That fixed it.

    When the users are denied access they are taken back to the login page
    and I am unable to trap the 'Access Denied' error to display a custom
    error page. I tried trapping it in Application_Error and with
    <customErrors> in web.config and couldn't get it.

    Is there a way to trap this 'Access denied' error when the user is not
    in a specific role?

    SJ, Feb 22, 2006
  4. MikeS (Guest)

    Perhaps not link to pages they are not allowed to see in the first place.
    Otherwise look around this group and the web for that topic.
    MikeS, Feb 22, 2006