Securing non-aspx files with forms authentication / location files.
Posted on 2004-08-10
I've recently written a little app that uses roles and forms authentication so that only users with a certain role type can get access to a specific section of the site. The problem I have is this: there are non-aspx files in the site (asp, xls, pdf, doc files) that you can still get access to provided that you know the URL (you don't need to log in). Is there any way around this?
I have the following addition in my web.config file:
<location path="admin">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Administrator" />
      <deny users="*" /> <!-- rules match top to bottom and the inherited default is allow users="*", so this stops other logged-in users -->
    </authorization>
  </system.web>
</location>
And the code I'm using to handle roles is something like this:
' Assumes Imports System.Web and Imports System.Security.Principal at the top of the code-behind.
' WebSecurity is the site's own helper for validating a user and looking up the role.
Dim intUserId As Integer = -1
Dim strUserAlias As String = txtUserAlias.Text
If WebSecurity.IsValidUser(strUserAlias, Me.txtUserPassword.Text, intUserId) Then
    Dim strRoles(0) As String   ' one element; (1) would declare two, leaving a Nothing entry
    strRoles(0) = WebSecurity.GetUserRole(strUserAlias)
    'Add the roles to the User Principal.
    'This only lasts for the current request; later requests have to rebuild
    'the principal (for example in Application_AuthenticateRequest in Global.asax).
    HttpContext.Current.User = New GenericPrincipal(User.Identity, strRoles)
    Dim context As System.Web.HttpContext = System.Web.HttpContext.Current
    context.Session("intUserID") = intUserId
    If strRoles(0) = "Administrator" Then
        'Do something else
    End If
End If
Is what I'm trying to achieve here possible? I'm thinking of impersonating a user with appropriate permissions on admin login, but I'm not sure if doing that forces the ASPNET account to impersonate that user or if it swaps the anonymous IIS user over to the impersonated user.
There must be some way of doing this. It seems a little half-assed as a security method as it is!
Thanks in advance.
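As an added illustration (not taken from this thread) of why those files are reachable: ASP.NET only authorizes requests that IIS hands to aspnet_isapi.dll, so documents IIS serves itself never pass the <location> rules. The constructed web.config below assumes forms authentication is already set up elsewhere in the file and that .pdf, .xls and .doc have been mapped to aspnet_isapi.dll in the IIS application mappings; it routes those types through ASP.NET's own static-file handler so the same role rules apply to them.

```xml
<!-- Constructed example web.config fragment. IIS must map .pdf, .xls and .doc to
     aspnet_isapi.dll (IIS Manager > Home Directory > Configuration > Mappings);
     otherwise IIS streams the file and the ASP.NET pipeline never runs. -->
<configuration>
  <system.web>
    <!-- Serve the document types through ASP.NET so UrlAuthorizationModule
         checks the request before any bytes leave the server. -->
    <httpHandlers>
      <add verb="GET,HEAD" path="*.pdf" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.xls" type="System.Web.StaticFileHandler" />
      <add verb="GET,HEAD" path="*.doc" type="System.Web.StaticFileHandler" />
    </httpHandlers>
  </system.web>

  <!-- Rules are evaluated top to bottom; the first match wins and the inherited
       default is allow users="*", so the closing deny users="*" is required. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Classic .asp pages are executed by asp.dll rather than ASP.NET, so they stay outside this check; mapping .asp to aspnet_isapi.dll would stop them running instead of protecting them.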