Solved

webconfig location path

Posted on 2013-02-07
4
347 Views
Last Modified: 2013-03-07
Hi,

I am storing roles in sqlserver , and i given permissions as below in web.config



<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />      
      </providers>
    </roleManager>
    </system.web>


  <location path="~/Admin/abc.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
        <deny users="jack"/>      
      </authorization>      
    </system.web>    
  </location>

Here i am deny  jack  not to access the abc.aspx file, but it is allowing him to

 access that file

can you please guide me what are the steps i need to do more.
0
Comment
Question by:praveen1981
4 Comments
 
LVL 12

Assisted Solution

by:jitendra patil
jitendra patil earned 167 total points
ID: 38863509
please follow the guidesline in given below link.

Setting authorization rules for a particular page or folder in web.config

hope this helps.
0
 
LVL 26

Assisted Solution

by:Alan Warren
Alan Warren earned 166 total points
ID: 38866020
Hi Praveen,
I prefer to restrict access by role, so if jack is not in one of the permitted roles, then Jack don't get in, The following config would be in the web.config file in the Admin folder:
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

In the Mods folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

And in the Eds folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator,PageEditor" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

Another thing to bear in mind is that the asp .net membership server will only protect asp .net file types, so if Jack or anyone in this world were to navigate to your protected admin folder, specifying an existing filename that is not a .net file type (e.g. ~/admin/top-sectet.pdf, IIS will serve it up to all and sundry without authentication. Maybe Jack is requesting a file that falls into this category?

Alan
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 167 total points
ID: 38874144
The main issue is the order in which the access rules are defined.
i.e. your first rule is allowing everyone and it will be a match for everyone including jack, so it doesn't go to second rule at all.
You should define it in this order:

<authorization>
             <deny users="jack"/>   
             <allow users="*"/>
</authorization>   

Open in new window


So now if jack is logged in and tries to access the page, asp.net will see that jack is denied access and it will redirect him back to login page. Everyone else will have access to the file.

Check .
0
 

Author Closing Comment

by:praveen1981
ID: 38964826
Many thanks
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.
This is a video describing the growing solar energy use in Utah. This is a topic that greatly interests me and so I decided to produce a video about it.

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now