Can security trimming be used to detect authenticated users with no roles?

It is entirely possible for a user to be a member of no roles, yet to authenticate successfully. In fact, this condition occurred recently on a web app where the admin added a user and didn't assign any roles. Some resources failed because they expected a role, and I think there's a use for this scenario (authentication + no roles) that should be supported. However, despite documentation stating that in the authorization section, one can use "?" and "*" for both roles and users, the fact is using either with roles fails with an error:

Authorization rule names cannot contain the '?' character.

So the question: is there some way, using security trimming, to accomplish denial to authenticated users without any roles? I am NOT looking for solutions based on coding - I already know how to do that.

Any thoughts?

Thanks!
rbermanAsked:

Bob LearnedCommented:
That is a great question, which will require some thought, since I haven't addressed it before. Authentication and authorization are two separate concepts in ASP.NET. Authentication is determining the user's identity, and role-based security is authorizing a user to use resources, not for authentication. If security is configured properly, and a user is authenticated, yet has no roles, they in effect don't have any access to any of the resources, and shouldn't be able to do anything. I recognize, also, the need for reducing the surface area for your application, to reduce the security risks.

When you use Windows Authentication, the roles are retrieved for you by the system, but with Forms Authentication, you need to write code to populate an identity principal with the roles.

-- What version of ASP.NET are you using?

-- What authentication mode are you using?
rbermanAuthor Commented:
I'm using ASP.NET 3.5, forms-based authentication. I don't have any questions about how to use the .NET authentication classes - this isn't about that. My question is whether there's any way to configure the web.config and use security trimming. I can think of any number of programmatic solutions, so that's not where to head this.

Thoughts?
Bob LearnedCommented:
Security trimming is about configuring a menu or a SiteMap to control what is displayed and accessible. Your question is about authentication, and how someone could be authenticated without roles assigned. I was trying to point out that authentication and authorization are separate concepts, and I don't see how security trimming can help here.

rbermanAuthor Commented:
LearnedOne - seriously, I do know what my own question was about, and your statement is simply incorrect.

My question is how to use web.config (such as at the sub-directory) in an ASP.NET application so as to deny access to the resources should the user be logged in (authenticated) but not a member of ANY role.

That's the simplest statement of the question.
Bob LearnedCommented:
1) "Can security trimming be used to detect authenticated users with no roles?"
No, I don't believe so.

2) With a little thought, you might be able to combine a "deny" rule for everyone, except those in a specific role, like this:

<location path="Admin">
 <system.web>
  <authorization>
   <allow roles="Admin"/>
   <deny users="*"/>
  </authorization>
 </system.web>
</location>

rbermanAuthor Commented:
Yeah - I already had a rule almost identical to that. The point of course being that it requires that I list all the roles that are allowed. The problem is that my admin can create new roles which are then not listed and those users may end up disallowed if they don't also belong to one of the already-listed roles. Thus the reason I want to disallow specifically any no-roles user.

Let's see if any other ideas come up.
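As an added illustration (not code from this thread or from ASP.NET itself), the following Python model reproduces how the `<allow>`/`<deny>` rules in the `<location path="Admin">` block above are evaluated: top to bottom, first match wins, `users="*"` matches everyone, `users="?"` matches anonymous requests. Running it shows why that pattern denies a user with no roles, but also denies a user in a newly created role that is not listed, which is the limitation described in the last comment. The sample users and role names are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class User:
    name: Optional[str]              # None models an anonymous request
    roles: set = field(default_factory=set)

def parse_rule(action, users="", roles=""):
    """Build a Rule from web.config-style users="" / roles="" attribute strings."""
    role_set = {r.strip() for r in roles.split(",") if r.strip()}
    # Mirrors the error quoted in the question: '?' is not accepted in a roles list.
    if any("?" in r for r in role_set):
        raise ValueError("Authorization rule names cannot contain the '?' character.")
    user_set = {u.strip() for u in users.split(",") if u.strip()}
    return Rule(action, user_set, role_set)

def matches(rule, user):
    """Does this rule apply to the given user? '*' = everyone, '?' = anonymous."""
    if "*" in rule.users:
        return True
    if "?" in rule.users and user.name is None:
        return True
    if user.name is not None and user.name in rule.users:
        return True
    return bool(rule.roles & user.roles)   # any listed role is enough

def is_allowed(rules, user):
    """First matching rule decides; with no match, fall through to allow,
    modelling the inherited machine-level <allow users="*"/> default."""
    for rule in rules:
        if matches(rule, user):
            return rule.action == "allow"
    return True

# The two rules from the <location path="Admin"> block quoted above.
ADMIN_RULES = [parse_rule("allow", roles="Admin"), parse_rule("deny", users="*")]

def demo():
    # Constructed sample principals (names and roles are made up for this example).
    return {
        "admin": is_allowed(ADMIN_RULES, User("alice", {"Admin"})),
        "no_roles": is_allowed(ADMIN_RULES, User("bob")),                # authenticated, no roles
        "new_unlisted_role": is_allowed(ADMIN_RULES, User("carol", {"Editor"})),
        "anonymous": is_allowed(ADMIN_RULES, User(None)),
    }
```

Both `no_roles` and `new_unlisted_role` come back denied, so the config cannot distinguish "no roles at all" from "a role the config does not know about" without listing every allowed role.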