• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 303
  • Last Modified:

Restricitng access to one .aspx file in a ASP.NET 2.0 Application

Hi,

I am writing a website and I am trying to restrict access to 1 file, viewreports.aspx, to one user group.   People log into the site using there Windows Domain username and password.  In Wrox Professional ASP.NET 2.0 they say I can do this by using the method outlined in my we.config below :-

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <appSettings>
      <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
      </appSettings>
      <connectionStrings>
            <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
      </connectionStrings>
      <system.web>
            <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
            <compilation debug="true"/>
            <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
            <authentication mode="none"/>
            <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redi
            rect="FileNotFound.htm" />
        </customErrors>
        -->
            <customErrors mode="Off"/>
            <httpRuntime maxRequestLength="102400"/>
   
      </system.web>
      <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
      
  </system.net>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
</configuration>


However when I try and run this I get the error message that seems to plaguing lots of people

"...It is an error to use a section registered as allowDefinition='MachineToApplication' beyond
application level.  This error can be caused by a virtual directory not being configured as
 an application in IIS..."

What does this mean?  If I remove the <location> bit and my project compiles fine.  If this is not the correct way, how else can I restrict access to this .aspx file?

Any help greatly appreciated.

mike
0
hydev
Asked:
hydev
  • 4
  • 3
1 Solution
 
TornadoVCommented:
Try this, location section has to be inside <system.web></system.web> section:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
     <appSettings>
     <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
     </appSettings>
     <connectionStrings>
          <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
     </connectionStrings>
     <system.web>
          <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
          <compilation debug="true"/>
          <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
          <authentication mode="none"/>
          <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redi
            rect="FileNotFound.htm" />
        </customErrors>
        -->
          <customErrors mode="Off"/>
          <httpRuntime maxRequestLength="102400"/>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
</configuration>
   
     </system.web>
     <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
     
  </system.net>

0
 
TornadoVCommented:
Sorry, put </configuration> at the end, I copied and pasted it in by mistake, your config should look like this:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
     <appSettings>
     <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
     </appSettings>
     <connectionStrings>
          <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
     </connectionStrings>
     <system.web>
          <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
          <compilation debug="true"/>
          <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
          <authentication mode="none"/>
          <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redi
            rect="FileNotFound.htm" />
        </customErrors>
        -->
          <customErrors mode="Off"/>
          <httpRuntime maxRequestLength="102400"/>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
   
     </system.web>
     <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
     
  </system.net>

</configuration>
0
 
hydevAuthor Commented:
Hi,

Thanks for the input, however I think you have missed something as Visual Studio declares that:
 
Error      1 Expecting end tag </system.web>
Error      2 Tag was not closed.      
Error      3 Did not expect '</system.web>'.      
Error      4 XML document cannot contain multiple root level elements.

I just copied and pasted what you had written above.

Thanks for your help so far! :-)

mike
0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

 
TornadoVCommented:
Here it is, it should work now, I didn't see </system.web> sneaking up on me:)

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
    <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
  </appSettings>
  <connectionStrings>
    <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
    <compilation debug="true"/>
    <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
    <authentication mode="none"/>
    <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redi
            rect="FileNotFound.htm" />
        </customErrors>
        -->
    <customErrors mode="Off"/>
    <httpRuntime maxRequestLength="102400"/>

  </system.web>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>

  <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>

    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>

  </system.net>

</configuration>
0
 
hydevAuthor Commented:
Hi thanks for the input TornadoV however I'm still getting the error message:

 "It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS."      

when I copy and paste your code in.  If I'm honest I dont understand the error message as it is a virtual directory in IIS.  I think I will have to look on Google for the answers. I will await your comments and then award you the points for your effort!

mike
0
 
TornadoVCommented:
Here is the problem: <deny users="gooutdoors.local\traininginfo" /> unless you previously created a role called "gooutdoors.local\traininginfo".

check out this article: http://www.odetocode.com/Articles/428.aspx

You can create a new role, call it "traininginfo" for example, add users to that role and then you can deny all users who are members of this role:

<deny roles="traininginfo"/>

0
 
hydevAuthor Commented:
Thank you for that, you have me helped me alot.

mike
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now