Solved

webconfig location path

Posted on 2013-02-07
Last Modified: 2013-03-07
Hi,

I am storing roles in SQL Server, and I have given permissions as below in web.config



<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />      
      </providers>
    </roleManager>
    </system.web>


  <location path="~/Admin/abc.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
        <deny users="jack"/>      
      </authorization>      
    </system.web>    
  </location>

Here I am denying jack access to the abc.aspx file, but it is allowing him to access that file.

Can you please guide me on what further steps I need to take?
Question by:praveen1981
4 Comments
 
LVL 12

Assisted Solution

by:jitendra patil
jitendra patil earned 167 total points
ID: 38863509
Please follow the guidelines in the link given below.

Setting authorization rules for a particular page or folder in web.config

Hope this helps.
0
 
LVL 26

Assisted Solution

by:Alan Warren
Alan Warren earned 166 total points
ID: 38866020
Hi Praveen,
I prefer to restrict access by role, so if Jack is not in one of the permitted roles, then Jack don't get in. The following config would be in the web.config file in the Admin folder:
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>


In the Mods folder something like this:
  <system.web>
    <authorization>
      <allow roles="Administrator,Moderator" />
      <deny users="*" />
    </authorization>
  </system.web>


And in the Eds folder something like this:
  <system.web>
    <authorization>
      <allow roles="Administrator,Moderator,PageEditor" />
      <deny users="*" />
    </authorization>
  </system.web>


Another thing to bear in mind is that the ASP.NET membership server will only protect ASP.NET file types, so if Jack or anyone in this world were to navigate to your protected admin folder, specifying an existing filename that is not a .NET file type (e.g. ~/admin/top-secret.pdf), IIS will serve it up to all and sundry without authentication. Maybe Jack is requesting a file that falls into this category?

Alan
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 167 total points
ID: 38874144
The main issue is the order in which the access rules are defined.
i.e. your first rule is allowing everyone and it will be a match for everyone including jack, so it doesn't go to the second rule at all.
You should define it in this order:

  <authorization>
    <deny users="jack"/>
    <allow users="*"/>
  </authorization>



So now if jack is logged in and tries to access the page, ASP.NET will see that jack is denied access and it will redirect him back to the login page. Everyone else will have access to the file.

Check .
0
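The first-match behaviour described in the accepted answer, as an added example that is not part of the original thread: a simplified Python model of ASP.NET URL authorization (users and roles only, no verbs) that evaluates both rule orders for jack and flags rules made unreachable by an earlier users="*" rule. The function names and the allow-by-default fallback are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the rule order from the question, and the corrected order.
QUESTION_ORDER = '<authorization><allow users="*"/><deny users="jack"/></authorization>'
FIXED_ORDER = '<authorization><deny users="jack"/><allow users="*"/></authorization>'

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {s.strip().lower() for s in value.split(",") if s.strip()}

def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _names(el.get("users", "")), _names(el.get("roles", ""))))
    return rules

def matches(rule, user, roles):
    """user is None for an anonymous request."""
    _, users, rule_roles = rule
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    return user.lower() in users or bool(rule_roles & _names(",".join(roles)))

def is_allowed(rules, user, roles=()):
    """First matching rule decides; later rules are never consulted."""
    for rule in rules:
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return True  # assumption: the inherited default is <allow users="*"/>

def shadowed_rules(rules):
    """Indexes of rules placed after a users="*" rule, which can never fire."""
    shadowed, seen_wildcard = [], False
    for i, rule in enumerate(rules):
        if seen_wildcard:
            shadowed.append(i)
        seen_wildcard = seen_wildcard or "*" in rule[1]
    return shadowed

if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_ORDER), ("fixed", FIXED_ORDER)):
        rules = parse_rules(xml_text)
        print(label, "jack allowed:", is_allowed(rules, "jack"),
              "shadowed:", shadowed_rules(rules))
```

Running shadowed_rules over each authorization section of a site's web.config files is a quick audit for deny rules that were written but can never take effect.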
 

Author Closing Comment

by:praveen1981
ID: 38964826
Many thanks
0
