Solved

Restricting access to one .aspx file in an ASP.NET 2.0 Application

Posted on 2006-05-18
Last Modified: 2012-08-14
Hi,

I am writing a website and I am trying to restrict access to 1 file, viewreports.aspx, to one user group. People log into the site using their Windows Domain username and password. In Wrox Professional ASP.NET 2.0 they say I can do this by using the method outlined in my web.config below:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
      <appSettings>
      <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
      </appSettings>
      <connectionStrings>
            <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
      </connectionStrings>
      <system.web>
            <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
            <compilation debug="true"/>
            <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
            <authentication mode="none"/>
            <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
            <customErrors mode="Off"/>
            <httpRuntime maxRequestLength="102400"/>
   
      </system.web>
      <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
      
  </system.net>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
</configuration>


However, when I try and run this I get the error message that seems to be plaguing lots of people:

"...It is an error to use a section registered as allowDefinition='MachineToApplication' beyond
application level.  This error can be caused by a virtual directory not being configured as
 an application in IIS..."

What does this mean? If I remove the <location> bit, my project compiles fine. If this is not the correct way, how else can I restrict access to this .aspx file?

Any help greatly appreciated.

mike
0
Question by:hydev
7 Comments
 
LVL 11

Expert Comment

by:TornadoV
ID: 16710043
Try this, location section has to be inside <system.web></system.web> section:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
     <appSettings>
     <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
     </appSettings>
     <connectionStrings>
          <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
     </connectionStrings>
     <system.web>
          <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
          <compilation debug="true"/>
          <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
          <authentication mode="none"/>
          <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
          <customErrors mode="Off"/>
          <httpRuntime maxRequestLength="102400"/>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
</configuration>
   
     </system.web>
     <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
     
  </system.net>

0
 
LVL 11

Expert Comment

by:TornadoV
ID: 16710067
Sorry, put </configuration> at the end, I copied and pasted it in by mistake, your config should look like this:

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
     <appSettings>
     <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
     </appSettings>
     <connectionStrings>
          <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
     </connectionStrings>
     <system.web>
          <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
          <compilation debug="true"/>
          <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
          <authentication mode="none"/>
          <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
          <customErrors mode="Off"/>
          <httpRuntime maxRequestLength="102400"/>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>
   
     </system.web>
     <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>
   
    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>
     
  </system.net>

</configuration>
0
 

Author Comment

by:hydev
ID: 16742658
Hi,

Thanks for the input, however I think you have missed something as Visual Studio declares that:
 
Error      1 Expecting end tag </system.web>
Error      2 Tag was not closed.      
Error      3 Did not expect '</system.web>'.      
Error      4 XML document cannot contain multiple root level elements.

I just copied and pasted what you had written above.

Thanks for your help so far! :-)

mike
0

 
LVL 11

Expert Comment

by:TornadoV
ID: 16742725
Here it is, it should work now, I didn't see </system.web> sneaking up on me:)

<?xml version="1.0"?>
<!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <appSettings>
    <add key="net.textanywhere.ws.TA_SMS" value="http://ws.textanywhere.net/TA_SMS.asmx"/>
  </appSettings>
  <connectionStrings>
    <add name="dt_databaseV1ConnectionString" connectionString="Data Source=WILDFIRE;Initial Catalog=dt_databaseV1;Integrated Security=True" providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <!--
            Set compilation debug="true" to insert debugging
            symbols into the compiled page. Because this
            affects performance, set this value to true only
            during development.
        -->
    <compilation debug="true"/>
    <!--
            The <authentication> section enables configuration
            of the security authentication mode used by
            ASP.NET to identify an incoming user.
        -->
    <authentication mode="none"/>
    <!--
            The <customErrors> section enables configuration
            of what to do if/when an unhandled error occurs
            during the execution of a request. Specifically,
            it enables developers to configure html error pages
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
    <customErrors mode="Off"/>
    <httpRuntime maxRequestLength="102400"/>

  </system.web>

  <location path="ViewReports.aspx">
    <system.web>
      <authentication mode="Windows"/>
      <authorization>
        <deny users="gooutdoors.local\traininginfo" />
      </authorization>
    </system.web>
  </location>

  <system.net>

    <defaultProxy>
      <proxy
         usesystemdefault = "false"
         proxyaddress="http://redmidget:8080"
         bypassonlocal="true"
         />
    </defaultProxy>

    <mailSettings>
      <smtp from="">
        <network defaultCredentials="true" host="postpod" password="" userName=""/>
      </smtp>
    </mailSettings>

  </system.net>

</configuration>
0
 

Author Comment

by:hydev
ID: 16749279
Hi, thanks for the input TornadoV, however I'm still getting the error message:

 "It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS."      

when I copy and paste your code in. If I'm honest I don't understand the error message as it is a virtual directory in IIS. I think I will have to look on Google for the answers. I will await your comments and then award you the points for your effort!

mike
0
 
LVL 11

Accepted Solution

by:
TornadoV earned 2000 total points
ID: 16750835
Here is the problem: <deny users="gooutdoors.local\traininginfo" /> unless you previously created a role called "gooutdoors.local\traininginfo".

Check out this article: http://www.odetocode.com/Articles/428.aspx

You can create a new role, call it "traininginfo" for example, add users to that role and then you can deny all users who are members of this role:

<deny roles="traininginfo"/>

0
 

Author Comment

by:hydev
ID: 16752833
Thank you for that, you have helped me a lot.

mike
0
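
Added example, not part of the original thread: the error quoted in the question is raised by any section registered as allowDefinition='MachineToApplication' that appears below application level, and <authentication> is such a section, so it cannot sit inside a <location> that targets a single file, whereas <authorization> can. The fragment below keeps authentication at application level and restricts ViewReports.aspx to one Windows group. DOMAIN\ReportViewers is a placeholder group name, not a value from the thread.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Application level: the only place <authentication> may be set.
         IIS must have Integrated Windows Authentication enabled so the
         browser supplies the domain identity. -->
    <authentication mode="Windows"/>
  </system.web>

  <!-- Per-file rules: <location> is a direct child of <configuration>
       and carries only <authorization>, which is allowed at any level. -->
  <location path="ViewReports.aspx">
    <system.web>
      <authorization>
        <!-- Rules are evaluated top-down and the first match wins, so the
             allow for the group must come before the catch-all deny.
             DOMAIN\ReportViewers is a placeholder Windows group. -->
        <allow roles="DOMAIN\ReportViewers"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
```

Reversing the two rules would lock everyone out, because <deny users="*"/> would match before the group's allow is ever evaluated.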
