Role-based authentication and Forms and System.UnauthorizedAccessException

wrecker

Hi all,

I'm trying to implement role-based authentication for the following directory structure in my
ASP.NET app.

login.aspx
Admin/
Members/

The web.config in my Admin directory is as follows:

    <configuration>
        <system.web>
            <authorization>
                <allow roles="Admin"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </configuration>

When the user logs in using authentication mode set to Forms, they are authenticated against a SQL
table and then assigned a role:

    Dim roles() As String
    If CurrentUser.IsAdministrator Then
        roles = New String() {"Admin", "Member"}
    Else
        roles = New String() {"Member"}
    End If

Where the roles string array is stored in the Session (although I've also tried storing it in the
cache object as well to try and solve my problem)

In Global.asax Application_AuthenticateRequest I have:

    If (Not (HttpContext.Current.User Is Nothing)) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            ' the identity created from the forms authentication cookie
            Dim id As System.Web.Security.FormsIdentity
            id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
            ' roles extracted from session
            HttpContext.Current.User = New _
                System.Security.Principal.GenericPrincipal(id, roles)
        End If
    End If

My problem is that after a user having Administrator privileges logs in and they try to access a
page in the Admin directory they get a System.UnauthorizedAccessException exception. I've debugged
this and the roles array does indeed have "Admin" and "Members" in it, but the
HttpContext.Current.User doesn't seem to contain this information, even after assigning it the new
principal (I can't find it in any fields that are visible to the debugger). I've checked the
permissions on the directory and the ASP machine account has access to this directory. I've been
reading quite a few articles on role based security (especially the ones from the Rolla guys) and
they all seem to use this approach. Why is this not working???

My test system is IIS5.1 on XP Pro using version 1.1 of the framework.

Thanks

wrecker

Hi Dominick,

Thanks for your help. Now I'm wondering if there is any way to access a user's roles if they have
cookies disabled? I suppose that I could pass roles on the query string and check them on page load
but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a
cookie.

Thanks again

Dominick Baier [DevelopMentor]

Hello wrecker,

In 1.1 - FormsAuth is totally dependent on cookies...

Dominick Baier [DevelopMentor]

Hello Pat,

Yes - you can now do cookieless forms authentication, similar to cookieless
sessions, the authentication ticket gets mangled in the URL. Needless to
say - I don't like that :)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
But has it changed in ASP.NET 2.0?

On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]

Hello wrecker,

I doubt your code is working fine. In AuthenticateRequest you don't
have access to the Session as the SessionModule runs after this
event....

The common approach is to store the roles in the cookie. I have a
sample on my blog for doing this:
http://www.leastprivilege.com/DevWeek2005PostConference.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
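
The approach Dominick describes, as an added example that is not code from the thread: the roles are written into the UserData field of the forms ticket at login and read back in Application_AuthenticateRequest, which also resolves the original post's problem of the principal carrying no roles. It assumes ASP.NET 1.1 with <forms protection="All"> in web.config, that the caller supplies userName and isAdmin from its own SQL lookup, and a 30-minute ticket lifetime.

```vbnet
' Added example, not from the thread: the cookie-based approach Dominick
' describes, for ASP.NET 1.1 in VB.NET. Roles travel inside the encrypted,
' MAC-protected forms ticket (protection="All"), so they are available in
' AuthenticateRequest and cannot be read or altered by the browser.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

Public Class [Global]
    Inherits HttpApplication

    ' Called from login.aspx after the SQL check succeeds, instead of
    ' FormsAuthentication.SetAuthCookie. isAdmin is the caller's own lookup (assumed).
    Public Shared Sub IssueRolesCookie(ByVal ctx As HttpContext, _
            ByVal userName As String, ByVal isAdmin As Boolean)
        Dim roles As String = "Member"
        If isAdmin Then roles = "Admin,Member"
        ' version 1, non-persistent, 30-minute lifetime; UserData carries the roles
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(30), False, roles, FormsAuthentication.FormsCookiePath)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = FormsAuthentication.FormsCookiePath
        cookie.Secure = ctx.Request.IsSecureConnection   ' keep the ticket off plain HTTP on TLS sites
        ctx.Response.Cookies.Add(cookie)
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))
    End Sub

    ' Runs on every request; Session is not available here (SessionModule
    ' runs later), but the cookie is.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = HttpContext.Current
        Dim cookie As HttpCookie = ctx.Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse cookie.Value = "" Then Return   ' anonymous request

        Dim ticket As FormsAuthenticationTicket = Nothing
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)     ' fails if tampered with
        Catch ex As Exception
            ticket = Nothing
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return     ' leave the request anonymous

        Dim roles() As String = ticket.UserData.Split(","c)
        ctx.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
        ' <allow roles="Admin"/> in Admin/web.config is now evaluated against these roles
    End Sub
End Class
```

A request with a missing, expired or tampered ticket is left anonymous, so the `<deny users="*"/>` rule in Admin/web.config sends it back to login.aspx rather than raising an exception.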
