Solved

webconfig location path

Posted on 2013-02-07
Last Modified: 2013-03-07
Hi,

I am storing roles in SQL Server, and I have given permissions as below in web.config:



<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />      
      </providers>
    </roleManager>
    </system.web>


  <location path="~/Admin/abc.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
        <deny users="jack"/>      
      </authorization>      
    </system.web>    
  </location>

Here I am denying jack access to the abc.aspx file, but it is allowing him to access that file.

Can you please guide me on what further steps I need to take?
Question by:praveen1981
4 Comments
 
LVL 12

Assisted Solution

by:Jitendra Patil
Jitendra Patil earned 167 total points
ID: 38863509
Please follow the guidelines in the link given below.

Setting authorization rules for a particular page or folder in web.config

Hope this helps.
 
LVL 26

Assisted Solution

by:Alan Warren
Alan Warren earned 166 total points
ID: 38866020
Hi Praveen,
I prefer to restrict access by role, so if Jack is not in one of the permitted roles, then Jack doesn't get in. The following config would be in the web.config file in the Admin folder:
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>


In the Mods folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator" />
      <deny users="*" />
    </authorization>
  </system.web>


And in the Eds folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator,PageEditor" />
      <deny users="*" />
    </authorization>
  </system.web>


Another thing to bear in mind is that the ASP.NET membership server will only protect ASP.NET file types, so if Jack or anyone in this world were to navigate to your protected admin folder, specifying an existing filename that is not a .NET file type (e.g. ~/admin/top-secret.pdf), IIS will serve it up to all and sundry without authentication. Maybe Jack is requesting a file that falls into this category?

Alan
 
LVL 41

Accepted Solution

by:
guru_sami earned 167 total points
ID: 38874144
The main issue is the order in which the access rules are defined.
I.e., your first rule is allowing everyone, and it will be a match for everyone including jack, so it doesn't go to the second rule at all.
You should define it in this order:

<authorization>
             <deny users="jack"/>   
             <allow users="*"/>
</authorization>   



So now if jack is logged in and tries to access the page, ASP.NET will see that jack is denied access and it will redirect him back to the login page. Everyone else will have access to the file.

Check .
0
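The first-match behaviour described in the accepted answer, modelled as a small Python check that can be run over an `<authorization>` block to see which rule decides a request and which rules can never be reached. This is an added example, not part of the original thread and not ASP.NET's own code; the function names, the constructed sample rules, the case-insensitive name comparison and the fallback to allow when nothing matches are assumptions of the example, and the `verbs` attribute is ignored.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule order from the question (allow first).
QUESTION_RULES = """<authorization>
  <allow users="*"/>
  <deny users="jack"/>
</authorization>"""

# Constructed sample: rule order from the accepted answer (deny first).
FIXED_RULES = """<authorization>
  <deny users="jack"/>
  <allow users="*"/>
</authorization>"""

def _names(value):
    """Split a comma-separated users/roles attribute into a lowercase set."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def _rules(xml_text):
    return [r for r in ET.fromstring(xml_text) if r.tag in ("allow", "deny")]

def rule_matches(rule, user, roles):
    """user=None is an anonymous request; "*" is everyone, "?" is anonymous."""
    users = _names(rule.get("users"))
    if "*" in users:
        return True
    if user is None:
        return "?" in users
    in_role = bool(_names(rule.get("roles")) & {r.lower() for r in roles})
    return user.lower() in users or in_role

def evaluate(xml_text, user, roles=()):
    """Return (decision, 1-based index of the deciding rule): first match wins."""
    for i, rule in enumerate(_rules(xml_text), 1):
        if rule_matches(rule, user, roles):
            return rule.tag, i
    return "allow", None  # assumption: stands in for the inherited allow-all

def shadowed_rules(xml_text):
    """1-based indexes of rules placed after a users="*" rule (never reached)."""
    rules = _rules(xml_text)
    for i, rule in enumerate(rules, 1):
        if "*" in _names(rule.get("users")):
            return list(range(i + 1, len(rules) + 1))
    return []
```

A non-empty result from `shadowed_rules` is worth flagging in a config review: any `deny` listed there has no effect.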
 

Author Closing Comment

by:praveen1981
ID: 38964826
Many thanks