Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

webconfig location path

Posted on 2013-02-07
4
Medium Priority
?
352 Views
Last Modified: 2013-03-07
Hi,

I am storing roles in sqlserver , and i given permissions as below in web.config



<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />      
      </providers>
    </roleManager>
    </system.web>


  <location path="~/Admin/abc.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
        <deny users="jack"/>      
      </authorization>      
    </system.web>    
  </location>

Here i am deny  jack  not to access the abc.aspx file, but it is allowing him to

 access that file

can you please guide me what are the steps i need to do more.
0
Comment
Question by:praveen1981
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 13

Assisted Solution

by:Jitendra Patil
Jitendra Patil earned 501 total points
ID: 38863509
please follow the guidesline in given below link.

Setting authorization rules for a particular page or folder in web.config

hope this helps.
0
 
LVL 26

Assisted Solution

by:Alan Warren
Alan Warren earned 498 total points
ID: 38866020
Hi Praveen,
I prefer to restrict access by role, so if jack is not in one of the permitted roles, then Jack don't get in, The following config would be in the web.config file in the Admin folder:
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

In the Mods folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

And in the Eds folder something like this:
<system.web>
    <authorization>
      <allow roles="Administrator,Moderator,PageEditor" />
      <deny users="*" />
    </authorization>
  </system.web>

Open in new window

Another thing to bear in mind is that the asp .net membership server will only protect asp .net file types, so if Jack or anyone in this world were to navigate to your protected admin folder, specifying an existing filename that is not a .net file type (e.g. ~/admin/top-sectet.pdf, IIS will serve it up to all and sundry without authentication. Maybe Jack is requesting a file that falls into this category?

Alan
0
 
LVL 41

Accepted Solution

by:
guru_sami earned 501 total points
ID: 38874144
The main issue is the order in which the access rules are defined.
i.e. your first rule is allowing everyone and it will be a match for everyone including jack, so it doesn't go to second rule at all.
You should define it in this order:

<authorization>
             <deny users="jack"/>   
             <allow users="*"/>
</authorization>   

Open in new window


So now if jack is logged in and tries to access the page, asp.net will see that jack is denied access and it will redirect him back to login page. Everyone else will have access to the file.

Check .
0
 

Author Closing Comment

by:praveen1981
ID: 38964826
Many thanks
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Just a quick little trick I learned recently.  Now that I'm using jQuery with abandon in my asp.net applications, I have grown tired of the following syntax:      (CODE) I suppose it just offends my sense of decency to put inline VBScript on a…
Sometimes in DotNetNuke module development you want to swap controls within the same module definition.  In doing this DNN (somewhat annoyingly) swaps the Skin and Container definitions to the default admin selections.  To get around this you need t…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question