web.config roles

Guest

Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently, users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in the
same directory.

I've written the code for the login using the GenericPrincipal class etc.
However, I got the error "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now, DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text, true));

Am I on the right path? Any help appreciated.
regards,
andrew
 
Patrick.O.Ige

You can use a location path like below.
You can even add, for example, the admin.aspx page to the location path,
then deny users or allow users.

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>



<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>


</system.web>

</configuration>

Patrick
 
Guest

Hi,
thanks for your reply.

What I have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder and one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

My subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

 
Guest

I forgot to add that it is not working.
My login page keeps getting redirected back to itself. The URL is:
http://localhost/MainFolder/UserLogin.aspx?Action=login&ReturnUrl=/MainFolder/FolderA/xxx.aspx

Note: xxx.aspx is located within FolderA of the MainFolder.

 
Guest

Andrew,
Yeah, you're on the right track and I have divined that you've used the asp.net
configuration tool security tab because you have a web.config file in your
sub folder.

Problem:
deny users="?" reads: deny users that aren't authenticated to asp.net. Once
logged in, they could go to the admin folder.

Solution: deny users="*" wild card to exclude everyone.

The authorization works top to bottom: you're in or you're out. There is no
middle ground logical processing, so you have to allow admin first, then deny
everyone.

Your new web.config for the admin folder:
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow roles="Admin"/> <!-- admin is allowed -->
<deny users="*"/> <!-- man nobody gets by the wildcard -->
</authorization>
</system.web>
</configuration>

Try it; watch how asp.net adds a query string "ReturnUrl" to redirect after
login. Cool stuff: it will pick up the location of the login page from the
root web.config and automatically redirect there if it needs to. Once you log
in, asp.net will automatically redirect you back to the page that needs
authentication, like any page in the admin folder.

Good Luck
DWS
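
The rule ordering discussed in this reply, modelled as an added example (not part of the original thread and not ASP.NET's own code). It runs the three orderings seen in the thread through a simplified first-match evaluator; the class names, the user names and the inherited rules (the main web.config's deny ? followed by a default allow *) are assumptions.

```csharp
using System;
using System.Linq;

// Added illustration, not ASP.NET source: a simplified model of first-match
// URL authorization. Rule, AuthzOrderDemo and the user names are hypothetical.
class Rule
{
    public readonly bool Allow;
    public readonly string Users;  // "*" = everyone, "?" = anonymous, else null
    public readonly string Role;   // role name, or null

    public Rule(bool allow, string users, string role)
    {
        Allow = allow; Users = users; Role = role;
    }

    public bool Matches(string user, string[] roles)
    {
        if (Users == "*") return true;
        if (Users == "?") return user == null;
        return Role != null && roles.Contains(Role);
    }
}

static class AuthzOrderDemo
{
    // Assumption: rules inherited after the folder's own are the main
    // web.config's deny ? followed by the framework default allow *.
    static readonly Rule[] Inherited =
        { new Rule(false, "?", null), new Rule(true, "*", null) };

    public static bool IsAllowed(Rule[] folderRules, string user, params string[] roles)
    {
        foreach (Rule rule in folderRules.Concat(Inherited))
            if (rule.Matches(user, roles)) return rule.Allow;  // first match decides
        return false;
    }

    static void Main()
    {
        Rule denyAnon = new Rule(false, "?", null), denyAll = new Rule(false, "*", null);
        Rule allowAdmin = new Rule(true, null, "Admin");
        var orderings = new[] {
            Tuple.Create("deny ?, allow Admin", new[] { denyAnon, allowAdmin }),
            Tuple.Create("deny *, allow Admin", new[] { denyAll, allowAdmin }),
            Tuple.Create("allow Admin, deny *", new[] { allowAdmin, denyAll }),
        };
        foreach (var o in orderings)
            Console.WriteLine("{0,-20} anonymous={1} moduleB={2} admin={3}", o.Item1,
                IsAllowed(o.Item2, null),
                IsAllowed(o.Item2, "bob", "ModuleB"),
                IsAllowed(o.Item2, "alice", "Admin"));
    }
}
```

In this model only the last ordering admits the Admin role and nobody else: the first lets any authenticated user through via the inherited allow *, and the second rejects Admin as well because deny * matches first.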

 
Guest

Hi,

I should have said that I am still using aspnet1.0.
I did as you suggested and I got an error saying that "Thread is being aborted"
when it hits the "Response.Redirect" line in my UserLogin.aspx page; it then
jumps to my catch(Exception ex) error handler. I put here an excerpt of my
login page:

string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "UserLogin.aspx";
lblMessage.Text = returnUrl;
Response.Redirect(returnUrl);

When using the debugger I could see that the returnURL value is:
/MainFolder/FolderA/AdminMenu.aspx
which is correct.
Don't know why. Help?

regards,
andrew


 
