role based security and

 
 
david
04-15-2005
I have the following questions to ask.

For example, there are two roles, A and B, granted to users UA and UB
respectively.
UB is not in role A and UA is not in role B.
A can access Apage and B can access Bpage by typing their passwords, resp.
However, when A has accessed Apage and knows the URL of Bpage, A can access
Bpage. Right now I hard-code it in codebehind functions to protect the
system from this case.

I would like to set up the configuration file Web.config such that I do not need
to add code to each of the codebehind functions.

I have added the following to Web.config, but it does not seem to work this
way. Can anyone give me some help? Thanks

David

<location path="Apage.aspx">
  <system.web>
    <authorization>
      <allow roles="A" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Bpage.aspx">
  <system.web>
    <authorization>
      <allow roles="B" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
 
Brock Allen
04-15-2005
This should work. I'm wondering if your roles aren't being properly created
upon each request. Are you doing this in Application_AuthenticateRequest
in global.asax?

-Brock
DevelopMentor
http://staff.develop.com/ballen



david
04-15-2005
Yes, I implement Application_AuthenticateRequest.
I will try it once more.

Another new problem has arisen.
All forms are located in Demo and secured by Web.config as
<authentication mode="Forms">
  <forms name="AuthCookie" loginUrl="login.aspx" path="/">
  </forms>
</authentication>

I also have an image subfolder in Demo for storing images. The problem is
that I can access all images in the image subfolder without being asked for
user/password.
What is the problem?

Brock Allen
04-15-2005
> yes, I implement Application_AuthenticateRequest.
> I will try it once more.


Hmm, ok, then I don't see why it's not working for you. I'd build a new simple
project that just does this little bit that you're trying to do and make
it work there. Sometimes the baggage of the rest of your application can
hide other problems.

> I also have an image subfolder in Demo for storing images. The problem is
> that I can access to all images in the image subfolder without asking
> user/password.
> What is the problem?


So add a <location path="image"> that denies user="?". This will not allow
any anonymous users. Again, I'd test this in the sample app I mentioned above
just so you know it works.

-Brock
DevelopMentor
http://staff.develop.com/ballen



 
david
04-15-2005
Thanks

david
04-15-2005
It does not work. My configuration is:

<authorization>
  <deny users="?" /> <!-- deny anonymous users -->
  <allow users="*" /> <!-- Allow all users -->

  <!-- <allow users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
       <deny users="[comma separated list of users]"
             roles="[comma separated list of roles]"/>
  -->
</authorization>

<location path="images">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

Brock Allen
04-15-2005
The <location> is outside your <system.web>, right?

-Brock
DevelopMentor
http://staff.develop.com/ballen



david
04-15-2005
Yes, <location> is outside <system.web>.

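The fragments posted in this thread, assembled into one complete Web.config as an added example (not a file from either poster): each <location> element is a direct child of <configuration> and a sibling of the application-wide <system.web>. Page, folder and cookie names are taken from the thread; that this file sits in the application root (Demo) next to Apage.aspx, Bpage.aspx and images is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>

  <!-- Application-wide settings: Forms authentication, anonymous users denied. -->
  <system.web>
    <authentication mode="Forms">
      <forms name="AuthCookie" loginUrl="login.aspx" path="/" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- anonymous requests are redirected to login.aspx -->
      <allow users="*" />  <!-- any authenticated user -->
    </authorization>
  </system.web>

  <!-- Per-page rules. path is relative to the folder holding this file
       (assumed: the application root). Rules are read top to bottom and the
       first match wins, so <allow roles> must precede the catch-all <deny>.
       roles="A" only matches when the request's principal reports role A,
       which is why the roles must be attached on every request. -->
  <location path="Apage.aspx">
    <system.web>
      <authorization>
        <allow roles="A" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Bpage.aspx">
    <system.web>
      <authorization>
        <allow roles="B" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Folder rule. These checks are enforced by ASP.NET, so they apply only
       to requests that reach the ASP.NET pipeline. On IIS 5/6, static files
       such as .gif or .jpg are served by IIS itself unless their extension
       is mapped to ASP.NET. -->
  <location path="images">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

</configuration>
```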
 
 
 