Solved

Big help needed - role based authorization not working

Posted on 2006-07-18
9
242 Views
Last Modified: 2009-12-16
Hi

I have set up roles authorization on my asp.net 2.0 website and its not working properly. The web.config is set up so that only users in the admin role can see the pages. However anyone can see the pages.

If i use Roles.IsUserInRole to see if the logged in user is in admin or not I get the correct answer of true/false as i would expect.  It's the settings in the web.config that dont seem to be working.

Here is the web.config
<authentication mode="Forms">
      <forms name=".retrofit"
             loginUrl="login.aspx"
             protection="All"
             timeout="30"
             path="/"/>
    </authentication>
   
    <authorization>
      <deny users="?" />

      <allow roles="Admin" />  <------it makes no difference what i put here, anyone role can see all pages
    </authorization>

 <roleManager enabled="true" defaultProvider="SqlRoleProvider">
      <providers >
        <clear/>
        <add name="SqlRoleProvider"
            connectionStringName="dbConn"
            applicationName="/"
            type="System.Web.Security.SqlRoleProvider" />
        </providers>

    </roleManager>

Any help is much appreciated. I need to get this working and I have no idea what's wrong

thanks a lot
andrea
0
Comment
Question by:andieje
  • 5
  • 3
9 Comments
 
LVL 27

Accepted Solution

by:
Sammy earned 500 total points
ID: 17135481
change these lines
<authorization>
      <deny users="?" />

      <allow roles="Admin" />  <------it makes no difference what i put here, anyone role can see all pages
    </authorization>

To these lines
 <authorization>

    <allow roles="Admin"/>

    <deny users="*"/>

  </authorization>

Note the deny users * and ?

HTH
0
 

Author Comment

by:andieje
ID: 17136669
Hi

I've already tried that :(

I've also tried *,? too
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17138667
Here is a possibility, using an HttpModule to handle the requests based on roles:

Extending ASP.NET 2.0 security
http://codeproject.com/aspnet/aspnet2security.asp

Bob
0
 

Author Comment

by:andieje
ID: 17138980
Hi Bob

That's an interesting post. I like that it helps you to avoid duplicating role info in the web.sitemap and the web.config.

However, I don't know why i cant get it to work in the web.config file :(

Surely this should be simple?
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 96

Expert Comment

by:Bob Learned
ID: 17139031
With the web.config file settings, are you getting all pages?  Are you trying to control access to the 'default.aspx' page for only admins?

Bob
0
 

Author Comment

by:andieje
ID: 17139629
Hi

I want to make sure that only admin can access the pages in the directory but it doesnt work. If i try to open the default page the user is redirected to a login. ok so far. but then they go back to the default page is they are admin or not.

I did get this to work:

  <location path="default.aspx">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*" />
      </authorization>

    </system.web>
  </location>

I read that i had to do this in asp.net 2.0 cookbook but i dont really understand. The method i used in my question is what I have always used on asp.net 1.1. Perhaps there are some changes i don't fully understand.

Natrually i would rather not set up the roles for each page in the directory; i would rather do it just once

thanks
andrea
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 17139934
Andrea,

Usually, if you want to control certain pages, put them in a folder, and specify the folder path for the location path attribute:

 <location path="Admin_Pages">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*" />
      </authorization>

Bob
0
 

Author Comment

by:andieje
ID: 17140350
Hi

I didnt want to restrict access to certain pages - that was just the only way i could get it to work :(
0
 

Author Comment

by:andieje
ID: 17140374
Hi

It turns out that sammy's solution was right! I thought i had tried that but i didnt realise it made all the difference in the world to put the roles before the users. I never understood the order in which rules were applied!

thanks for your help everyone
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Javascript in a user control not working 17 65
RegularExpression for Numbers with no decimal points in ASP.net text control 11 56
Achieve json result 2 65
Runtime Error 2 28
Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now