Solved

webconfig location path

Posted on 2013-02-07
Last Modified: 2013-03-07
Hi,

I am storing roles in SQL Server, and I have given permissions as below in web.config:



<roleManager enabled="true" defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear/>
        <add name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="ApplicationServices" applicationName="/" />      
      </providers>
    </roleManager>
    </system.web>


  <location path="~/Admin/abc.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
        <deny users="jack"/>      
      </authorization>      
    </system.web>    
  </location>

Here I am denying jack access to the abc.aspx file, but it is allowing him to access that file.

Can you please guide me on what further steps I need to take?
Question by:praveen1981
4 Comments
 
LVL 13

Assisted Solution

by:Jitendra Patil
Jitendra Patil earned 167 total points
ID: 38863509
Please follow the guidelines in the link given below.

Setting authorization rules for a particular page or folder in web.config

Hope this helps.
 
LVL 26

Assisted Solution

by:Alan Warren
Alan Warren earned 166 total points
ID: 38866020
Hi Praveen,
I prefer to restrict access by role, so if Jack is not in one of the permitted roles, then Jack doesn't get in. The following config would be in the web.config file in the Admin folder:
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>


In the Mods folder something like this:
  <system.web>
    <authorization>
      <allow roles="Administrator,Moderator" />
      <deny users="*" />
    </authorization>
  </system.web>

And in the Eds folder something like this:
  <system.web>
    <authorization>
      <allow roles="Administrator,Moderator,PageEditor" />
      <deny users="*" />
    </authorization>
  </system.web>

Another thing to bear in mind is that the ASP.NET membership server will only protect ASP.NET file types, so if Jack or anyone in this world were to navigate to your protected admin folder, specifying an existing filename that is not a .NET file type (e.g. ~/admin/top-secret.pdf), IIS will serve it up to all and sundry without authentication. Maybe Jack is requesting a file that falls into this category?

Alan
 
LVL 41

Accepted Solution

by:
guru_sami earned 167 total points
ID: 38874144
The main issue is the order in which the access rules are defined,
i.e. your first rule is allowing everyone and it will be a match for everyone including jack, so it doesn't go to the second rule at all.
You should define it in this order:

<authorization>
             <deny users="jack"/>   
             <allow users="*"/>
</authorization>   



So now if jack is logged in and tries to access the page, ASP.NET will see that jack is denied access and it will redirect him back to the login page. Everyone else will have access to the file.

Check .
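The first-match behaviour described in the accepted answer, as an added example that is not part of the original thread: a Python sketch that reads one `<authorization>` block in document order, resolves a user by the first rule that matches, and reports rules that can never fire because an earlier `users="*"` rule already matches everyone. The evaluator is a simplification (no `verbs`, no `?` anonymous handling, case-insensitive name comparison, and an assumed inherited default of allow when nothing matches); the function names and the sample blocks are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: rule order from the question, then from the accepted answer.
ASKED = """<authorization>
  <allow users="*"/>
  <deny users="jack"/>
</authorization>"""
FIXED = """<authorization>
  <deny users="jack"/>
  <allow users="*"/>
</authorization>"""


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order for one authorization block."""
    rules = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("allow", "deny"):
            users = [u.strip().lower() for u in el.get("users", "").split(",") if u.strip()]
            roles = [r.strip().lower() for r in el.get("roles", "").split(",") if r.strip()]
            rules.append((el.tag, users, roles))
    return rules


def matches(rule, user, user_roles):
    """A rule matches on users="*", on the user name, or on any of the user's roles."""
    _, users, roles = rule
    if "*" in users or user.lower() in users:
        return True
    return any(r.lower() in roles for r in user_roles)


def decide(xml_text, user, user_roles=()):
    """First matching rule wins; with no match, assume the inherited default allows."""
    for rule in parse_rules(xml_text):
        if matches(rule, user, user_roles):
            return rule[0]
    return "allow"


def unreachable_rules(xml_text):
    """Indexes of rules placed after a users="*" rule; they are never evaluated."""
    rules = parse_rules(xml_text)
    for i, (_, users, _) in enumerate(rules):
        if "*" in users:
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    for name, block in (("asked", ASKED), ("fixed", FIXED)):
        print(name, "jack ->", decide(block, "jack"), "| unreachable:", unreachable_rules(block))
```

Running `unreachable_rules` over each authorization block of a web.config during review catches a deny that sits behind a catch-all allow before it ships.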
 

Author Closing Comment

by:praveen1981
ID: 38964826
Many thanks