andieje
asked on
Big help needed - role based authorization not working
Hi
I have set up roles authorization on my asp.net 2.0 website and it's not working properly. The web.config is set up so that only users in the admin role can see the pages. However anyone can see the pages.
If I use Roles.IsUserInRole to see if the logged in user is in admin or not I get the correct answer of true/false as I would expect. It's the settings in the web.config that don't seem to be working.
Here is the web.config
<authentication mode="Forms">
  <forms name=".retrofit"
         loginUrl="login.aspx"
         protection="All"
         timeout="30"
         path="/"/>
</authentication>
<authorization>
  <deny users="?" />
  <allow roles="Admin" /> <!-- it makes no difference what I put here, any role can see all pages -->
</authorization>
<roleManager enabled="true" defaultProvider="SqlRoleProvider">
  <providers>
    <clear/>
    <add name="SqlRoleProvider"
         connectionStringName="dbConn"
         applicationName="/"
         type="System.Web.Security.SqlRoleProvider" />
  </providers>
</roleManager>
Any help is much appreciated. I need to get this working and I have no idea what's wrong
thanks a lot
andrea
Here is a possibility, using an HttpModule to handle the requests based on roles:
Extending ASP.NET 2.0 security
http://codeproject.com/aspnet/aspnet2security.asp
Bob
ASKER
Hi Bob
That's an interesting post. I like that it helps you to avoid duplicating role info in the web.sitemap and the web.config.
However, I don't know why I can't get it to work in the web.config file :(
Surely this should be simple?
With the web.config file settings, are you getting all pages? Are you trying to control access to the 'default.aspx' page for only admins?
Bob
ASKER
Hi
I want to make sure that only admin can access the pages in the directory but it doesn't work. If I try to open the default page the user is redirected to a login. OK so far. But then they go back to the default page if they are admin or not.
I did get this to work:
<location path="default.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
I read that I had to do this in asp.net 2.0 cookbook but I don't really understand. The method I used in my question is what I have always used on asp.net 1.1. Perhaps there are some changes I don't fully understand.
Naturally I would rather not set up the roles for each page in the directory; I would rather do it just once
thanks
andrea
Andrea,
Usually, if you want to control certain pages, put them in a folder, and specify the folder path for the location path attribute:
<location path="Admin_Pages">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Bob
ASKER
Hi
I didn't want to restrict access to certain pages - that was just the only way I could get it to work :(
ASKER
Hi
It turns out that sammy's solution was right! I thought I had tried that but I didn't realise it made all the difference in the world to put the roles before the users. I never understood the order in which rules were applied!
thanks for your help everyone
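Added example, not part of the original thread: a simplified Python model of how ASP.NET URL authorization evaluates rules (top to bottom, first match wins, with the inherited default `<allow users="*" />` checked last), run over the rule order from the question and the order from the `<location>` block that worked. The sample users and the Member role are constructed, and the model ignores verbs and comma-separated lists.

```python
# Simplified model of ASP.NET URL authorization (not ASP.NET code):
# rules are read top to bottom and the first matching rule decides.

# A rule is (action, kind, value); kind is "users" or "roles".
MACHINE_DEFAULT = [("allow", "users", "*")]  # inherited root-level rule

QUESTION_RULES = [   # order posted in the original question
    ("deny", "users", "?"),
    ("allow", "roles", "Admin"),
]
WORKING_RULES = [    # order from the <location> block that worked
    ("allow", "roles", "Admin"),
    ("deny", "users", "*"),
]


def matches(rule, user):
    """user is None for an anonymous request, else a dict with name and roles."""
    _, kind, value = rule
    if kind == "users":
        if value == "*":          # everyone
            return True
        if value == "?":          # anonymous only
            return user is None
        return user is not None and user["name"] == value
    return user is not None and value in user["roles"]


def is_allowed(site_rules, user):
    """Site rules are checked before the inherited default; first match wins."""
    for rule in site_rules + MACHINE_DEFAULT:
        if matches(rule, user):
            return rule[0] == "allow"
    return False  # not reached: the default rule matches everyone


def access_table(site_rules):
    users = {  # constructed sample users
        "anonymous": None,
        "member": {"name": "user1", "roles": ["Member"]},
        "admin": {"name": "user2", "roles": ["Admin"]},
    }
    return {label: is_allowed(site_rules, u) for label, u in users.items()}


if __name__ == "__main__":
    print("question config:", access_table(QUESTION_RULES))
    print("working config: ", access_table(WORKING_RULES))
```

With the question's rules, an authenticated non-admin matches neither site rule and falls through to the inherited allow, which is why every logged-in user could see the pages.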
ASKER
I've already tried that :(
I've also tried *,? too