«

Hi all,

I'm trying to implement role-based authentication for the following directory structure in my
ASP.NET app.

login.aspx
Admin/
Members/

The web.config in my Admin directory is as follows

<configuration>
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*"/>
</authorization>
</system.web>
</configuration>

When the user logs in using authentication mode set to Forms, they are authenticated against a SQL
table and then assigned a role

Dim roles() As String
If CurrentUser.IsAdministrator Then
roles = New String() {"Admin", "Member"}
Else
roles = New String() {"Member"}
End If

Where the roles string array is stored in the Session (although I've also tried storing it in the
cache object as well to try and solve my problem)

In Global.asax Application_AuthenticateRequest I have

If (Not (HttpContext.Current.User Is Nothing)) Then
If HttpContext.Current.User.Identity.AuthenticationTy pe = "Forms" Then
Dim id As System.Web.Security.FormsIdentity
id = HttpContext.Current.User.Identity
HttpContext.Current.User = New _
System.Security.Principal.GenericPrincipal(id, roles)
' roles extracted from session
End If
End If

My problem is that after a user having Administrator privelages logs in and they try to access a
page in the Admin directory they get a System.UnauthorizedAccessException exception. I've debugged
this and the roles array does indeed have "Admin" and "Members" in it, but the
HttpContext.Current.User doesn't seem to contain this information, even after assigning it the new
principal (I can't find it in any fields that are visible to the debugger) I've checked the
permissions on the directory and the ASP machine account has access to this directory. I've been
reading quite a few articles on role based security (expecially the ones from the Rolla guys) and
they all seem to use this approach. Why is this not working???

My test system is IIS5.1 on XP Pro using version 1.1 of the framework.

Thanks

Hello wrecker,

i doubt your code is working fine. In AuthenticateRequest you don't have
access to the Session as the SessionModule runs after this event....

The common approach is to store the roles in the cookie. I have a sample
on my blog for doing this:
http://www.leastprivilege.com/DevWee...onference.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi all,
>
> I'm trying to implement role-based authentication for the following
> directory structure in my ASP.NET app.
>
> login.aspx
> Admin/
> Members/
> The web.config in my Admin directory is as follows
>
> <configuration>
> <system.web>
> <authorization>
> <allow roles="Admin"/>
> <deny users="*"/>
> </authorization>
> </system.web>
> </configuration>
> When the user logs in using authentication mode set to Forms, they are
> authenticated against a SQL table and then assigned a role
>
> Dim roles() As String
> If CurrentUser.IsAdministrator Then
> roles = New String() {"Admin", "Member"}
> Else
> roles = New String() {"Member"}
> End If
> Where the roles string array is stored in the Session (although I've
> also tried storing it in the cache object as well to try and solve my
> problem)
>
> In Global.asax Application_AuthenticateRequest I have
>
> If (Not (HttpContext.Current.User Is Nothing)) Then
> If HttpContext.Current.User.Identity.AuthenticationTy pe =
> "Forms" Then
> Dim id As System.Web.Security.FormsIdentity
> id = HttpContext.Current.User.Identity
> HttpContext.Current.User = New _
>
> System.Security.Principal.GenericPrincipal(id, roles)
> ' roles extracted from session
> End If
> End If
> My problem is that after a user having Administrator privelages logs
> in and they try to access a page in the Admin directory they get a
> System.UnauthorizedAccessException exception. I've debugged this and
> the roles array does indeed have "Admin" and "Members" in it, but the
> HttpContext.Current.User doesn't seem to contain this information,
> even after assigning it the new principal (I can't find it in any
> fields that are visible to the debugger) I've checked the permissions
> on the directory and the ASP machine account has access to this
> directory. I've been reading quite a few articles on role based
> security (expecially the ones from the Rolla guys) and they all seem
> to use this approach. Why is this not working???
>
> My test system is IIS5.1 on XP Pro using version 1.1 of the framework.
>
> Thanks
>

Hi Dominick,

Thanks for you help. Now I'm wondering if there is anyway to access a users roles if they have
cookies disabled? I suppose that I could pass roles on the query string and check them on page load
but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a
cookie.

Thanks again


On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
<> wrote:

>Hello wrecker,
>
>i doubt your code is working fine. In AuthenticateRequest you don't have
>access to the Session as the SessionModule runs after this event....
>
>The common approach is to store the roles in the cookie. I have a sample
>on my blog for doing this:
>http://www.leastprivilege.com/DevWee...onference.aspx
>
>---------------------------------------
>Dominick Baier - DevelopMentor
>http://www.leastprivilege.com
>
>> Hi all,
>>
>> I'm trying to implement role-based authentication for the following
>> directory structure in my ASP.NET app.
>>
>> login.aspx
>> Admin/
>> Members/
>> The web.config in my Admin directory is as follows
>>
>> <configuration>
>> <system.web>
>> <authorization>
>> <allow roles="Admin"/>
>> <deny users="*"/>
>> </authorization>
>> </system.web>
>> </configuration>
>> When the user logs in using authentication mode set to Forms, they are
>> authenticated against a SQL table and then assigned a role
>>
>> Dim roles() As String
>> If CurrentUser.IsAdministrator Then
>> roles = New String() {"Admin", "Member"}
>> Else
>> roles = New String() {"Member"}
>> End If
>> Where the roles string array is stored in the Session (although I've
>> also tried storing it in the cache object as well to try and solve my
>> problem)
>>
>> In Global.asax Application_AuthenticateRequest I have
>>
>> If (Not (HttpContext.Current.User Is Nothing)) Then
>> If HttpContext.Current.User.Identity.AuthenticationTy pe =
>> "Forms" Then
>> Dim id As System.Web.Security.FormsIdentity
>> id = HttpContext.Current.User.Identity
>> HttpContext.Current.User = New _
>>
>> System.Security.Principal.GenericPrincipal(id, roles)
>> ' roles extracted from session
>> End If
>> End If
>> My problem is that after a user having Administrator privelages logs
>> in and they try to access a page in the Admin directory they get a
>> System.UnauthorizedAccessException exception. I've debugged this and
>> the roles array does indeed have "Admin" and "Members" in it, but the
>> HttpContext.Current.User doesn't seem to contain this information,
>> even after assigning it the new principal (I can't find it in any
>> fields that are visible to the debugger) I've checked the permissions
>> on the directory and the ASP machine account has access to this
>> directory. I've been reading quite a few articles on role based
>> security (expecially the ones from the Rolla guys) and they all seem
>> to use this approach. Why is this not working???
>>
>> My test system is IIS5.1 on XP Pro using version 1.1 of the framework.
>>
>> Thanks
>>
>
>

Hello wrecker,

in 1.1 - FormsAuth is totally dependent on cookies...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> Thanks for you help. Now I'm wondering if there is anyway to access a
> users roles if they have cookies disabled? I suppose that I could
> pass roles on the query string and check them on page load but there
> must be a more elegant way. For now I'll follow your suggestion and
> store the roles in a cookie.
>
> Thanks again
>
> On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
> <> wrote:
>
>> Hello wrecker,
>>
>> i doubt your code is working fine. In AuthenticateRequest you don't
>> have access to the Session as the SessionModule runs after this
>> event....
>>
>> The common approach is to store the roles in the cookie. I have a
>> sample on my blog for doing this:
>> http://www.leastprivilege.com/DevWee...onference.aspx
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi all,
>>>
>>> I'm trying to implement role-based authentication for the following
>>> directory structure in my ASP.NET app.
>>>
>>> login.aspx
>>> Admin/
>>> Members/
>>> The web.config in my Admin directory is as follows
>>> <configuration>
>>> <system.web>
>>> <authorization>
>>> <allow roles="Admin"/>
>>> <deny users="*"/>
>>> </authorization>
>>> </system.web>
>>> </configuration>
>>> When the user logs in using authentication mode set to Forms, they
>>> are
>>> authenticated against a SQL table and then assigned a role
>>> Dim roles() As String
>>> If CurrentUser.IsAdministrator Then
>>> roles = New String() {"Admin", "Member"}
>>> Else
>>> roles = New String() {"Member"}
>>> End If
>>> Where the roles string array is stored in the Session (although I've
>>> also tried storing it in the cache object as well to try and solve
>>> my
>>> problem)
>>> In Global.asax Application_AuthenticateRequest I have
>>>
>>> If (Not (HttpContext.Current.User Is Nothing)) Then
>>> If HttpContext.Current.User.Identity.AuthenticationTy pe =
>>> "Forms" Then
>>> Dim id As System.Web.Security.FormsIdentity
>>> id = HttpContext.Current.User.Identity
>>> HttpContext.Current.User = New _
>>> System.Security.Principal.GenericPrincipal(id, roles)
>>> ' roles extracted from session
>>> End If
>>> End If
>>> My problem is that after a user having Administrator privelages logs
>>> in and they try to access a page in the Admin directory they get a
>>> System.UnauthorizedAccessException exception. I've debugged this
>>> and
>>> the roles array does indeed have "Admin" and "Members" in it, but
>>> the
>>> HttpContext.Current.User doesn't seem to contain this information,
>>> even after assigning it the new principal (I can't find it in any
>>> fields that are visible to the debugger) I've checked the
>>> permissions
>>> on the directory and the ASP machine account has access to this
>>> directory. I've been reading quite a few articles on role based
>>> security (expecially the ones from the Rolla guys) and they all seem
>>> to use this approach. Why is this not working???
>>> My test system is IIS5.1 on XP Pro using version 1.1 of the
>>> framework.
>>>
>>> Thanks
>>>

But as it changed in ASP.NET 2.0?

"Dominick Baier [DevelopMentor]" <>
wrote in message news:.. .
> Hello wrecker,
>
> in 1.1 - FormsAuth is totally dependent on cookies...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominick,
> >
> > Thanks for you help. Now I'm wondering if there is anyway to access a
> > users roles if they have cookies disabled? I suppose that I could
> > pass roles on the query string and check them on page load but there
> > must be a more elegant way. For now I'll follow your suggestion and
> > store the roles in a cookie.
> >
> > Thanks again
> >
> > On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
> > <> wrote:
> >
> >> Hello wrecker,
> >>
> >> i doubt your code is working fine. In AuthenticateRequest you don't
> >> have access to the Session as the SessionModule runs after this
> >> event....
> >>
> >> The common approach is to store the roles in the cookie. I have a
> >> sample on my blog for doing this:
> >> http://www.leastprivilege.com/DevWee...onference.aspx
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Hi all,
> >>>
> >>> I'm trying to implement role-based authentication for the following
> >>> directory structure in my ASP.NET app.
> >>>
> >>> login.aspx
> >>> Admin/
> >>> Members/
> >>> The web.config in my Admin directory is as follows
> >>> <configuration>
> >>> <system.web>
> >>> <authorization>
> >>> <allow roles="Admin"/>
> >>> <deny users="*"/>
> >>> </authorization>
> >>> </system.web>
> >>> </configuration>
> >>> When the user logs in using authentication mode set to Forms, they
> >>> are
> >>> authenticated against a SQL table and then assigned a role
> >>> Dim roles() As String
> >>> If CurrentUser.IsAdministrator Then
> >>> roles = New String() {"Admin", "Member"}
> >>> Else
> >>> roles = New String() {"Member"}
> >>> End If
> >>> Where the roles string array is stored in the Session (although I've
> >>> also tried storing it in the cache object as well to try and solve
> >>> my
> >>> problem)
> >>> In Global.asax Application_AuthenticateRequest I have
> >>>
> >>> If (Not (HttpContext.Current.User Is Nothing)) Then
> >>> If HttpContext.Current.User.Identity.AuthenticationTy pe =
> >>> "Forms" Then
> >>> Dim id As System.Web.Security.FormsIdentity
> >>> id = HttpContext.Current.User.Identity
> >>> HttpContext.Current.User = New _
> >>> System.Security.Principal.GenericPrincipal(id, roles)
> >>> ' roles extracted from session
> >>> End If
> >>> End If
> >>> My problem is that after a user having Administrator privelages logs
> >>> in and they try to access a page in the Admin directory they get a
> >>> System.UnauthorizedAccessException exception. I've debugged this
> >>> and
> >>> the roles array does indeed have "Admin" and "Members" in it, but
> >>> the
> >>> HttpContext.Current.User doesn't seem to contain this information,
> >>> even after assigning it the new principal (I can't find it in any
> >>> fields that are visible to the debugger) I've checked the
> >>> permissions
> >>> on the directory and the ASP machine account has access to this
> >>> directory. I've been reading quite a few articles on role based
> >>> security (expecially the ones from the Rolla guys) and they all seem
> >>> to use this approach. Why is this not working???
> >>> My test system is IIS5.1 on XP Pro using version 1.1 of the
> >>> framework.
> >>>
> >>> Thanks
> >>>
>
>
>

Hello Pat,

yes - you can now do cookieless forms authentication, similar to cookieless
sessions, the authentication ticket gets mangled in the URL. Needless to
say - i don't like that

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But as it changed in ASP.NET 2.0?
>
> "Dominick Baier [DevelopMentor]"
> <> wrote in message
> news:.. .
>
>> Hello wrecker,
>>
>> in 1.1 - FormsAuth is totally dependent on cookies...
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Hi Dominick,
>>>
>>> Thanks for you help. Now I'm wondering if there is anyway to access
>>> a users roles if they have cookies disabled? I suppose that I could
>>> pass roles on the query string and check them on page load but there
>>> must be a more elegant way. For now I'll follow your suggestion and
>>> store the roles in a cookie.
>>>
>>> Thanks again
>>>
>>> On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
>>> <> wrote:
>>>
>>>> Hello wrecker,
>>>>
>>>> i doubt your code is working fine. In AuthenticateRequest you don't
>>>> have access to the Session as the SessionModule runs after this
>>>> event....
>>>>
>>>> The common approach is to store the roles in the cookie. I have a
>>>> sample on my blog for doing this:
>>>> http://www.leastprivilege.com/DevWee...onference.aspx
>>>>
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> Hi all,
>>>>>
>>>>> I'm trying to implement role-based authentication for the
>>>>> following directory structure in my ASP.NET app.
>>>>>
>>>>> login.aspx
>>>>> Admin/
>>>>> Members/
>>>>> The web.config in my Admin directory is as follows
>>>>> <configuration>
>>>>> <system.web>
>>>>> <authorization>
>>>>> <allow roles="Admin"/>
>>>>> <deny users="*"/>
>>>>> </authorization>
>>>>> </system.web>
>>>>> </configuration>
>>>>> When the user logs in using authentication mode set to Forms, they
>>>>> are
>>>>> authenticated against a SQL table and then assigned a role
>>>>> Dim roles() As String
>>>>> If CurrentUser.IsAdministrator Then
>>>>> roles = New String() {"Admin", "Member"}
>>>>> Else
>>>>> roles = New String() {"Member"}
>>>>> End If
>>>>> Where the roles string array is stored in the Session (although
>>>>> I've
>>>>> also tried storing it in the cache object as well to try and solve
>>>>> my
>>>>> problem)
>>>>> In Global.asax Application_AuthenticateRequest I have
>>>>> If (Not (HttpContext.Current.User Is Nothing)) Then
>>>>> If HttpContext.Current.User.Identity.AuthenticationTy pe =
>>>>> "Forms" Then
>>>>> Dim id As System.Web.Security.FormsIdentity
>>>>> id = HttpContext.Current.User.Identity
>>>>> HttpContext.Current.User = New _
>>>>> System.Security.Principal.GenericPrincipal(id, roles)
>>>>> ' roles extracted from session
>>>>> End If
>>>>> End If
>>>>> My problem is that after a user having Administrator privelages
>>>>> logs
>>>>> in and they try to access a page in the Admin directory they get a
>>>>> System.UnauthorizedAccessException exception. I've debugged this
>>>>> and
>>>>> the roles array does indeed have "Admin" and "Members" in it, but
>>>>> the
>>>>> HttpContext.Current.User doesn't seem to contain this information,
>>>>> even after assigning it the new principal (I can't find it in any
>>>>> fields that are visible to the debugger) I've checked the
>>>>> permissions
>>>>> on the directory and the ASP machine account has access to this
>>>>> directory. I've been reading quite a few articles on role based
>>>>> security (expecially the ones from the Rolla guys) and they all
>>>>> seem
>>>>> to use this approach. Why is this not working???
>>>>> My test system is IIS5.1 on XP Pro using version 1.1 of the
>>>>> framework.
>>>>> Thanks
>>>>>