Velocity Reviews - Computer Hardware Reviews

Role-based authentication and Forms and System.UnauthorizedAccessException

 
 
wrecker
      08-18-2005
Hi all,

I'm trying to implement role-based authentication for the following directory structure in my
ASP.NET app.

login.aspx
Admin/
Members/

The web.config in my Admin directory is as follows

<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

When the user logs in using authentication mode set to Forms, they are authenticated against a SQL
table and then assigned a role

Dim roles() As String
If CurrentUser.IsAdministrator Then
    roles = New String() {"Admin", "Member"}
Else
    roles = New String() {"Member"}
End If

Where the roles string array is stored in the Session (although I've also tried storing it in the
cache object as well to try and solve my problem)

In Global.asax Application_AuthenticateRequest I have

If (Not (HttpContext.Current.User Is Nothing)) Then
    If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
        Dim id As System.Web.Security.FormsIdentity
        id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
        HttpContext.Current.User = New _
            System.Security.Principal.GenericPrincipal(id, roles)
        ' roles extracted from session
    End If
End If

My problem is that after a user having Administrator privileges logs in and they try to access a
page in the Admin directory they get a System.UnauthorizedAccessException exception. I've debugged
this and the roles array does indeed have "Admin" and "Members" in it, but the
HttpContext.Current.User doesn't seem to contain this information, even after assigning it the new
principal (I can't find it in any fields that are visible to the debugger). I've checked the
permissions on the directory and the ASP machine account has access to this directory. I've been
reading quite a few articles on role-based security (especially the ones from the Rolla guys) and
they all seem to use this approach. Why is this not working???

My test system is IIS5.1 on XP Pro using version 1.1 of the framework.

Thanks


Dominick Baier [DevelopMentor]
      08-19-2005
Hello wrecker,

I doubt your code is working fine. In AuthenticateRequest you don't have
access to the Session, as the SessionModule runs after this event....

The common approach is to store the roles in the cookie. I have a sample
on my blog for doing this:
http://www.leastprivilege.com/DevWee...onference.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com





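As an added example (not code from this thread or from Dominick's blog sample), here is the cookie-based approach he describes, written for ASP.NET 1.1 in VB.NET: at login the role list is written into the UserData field of the FormsAuthenticationTicket, and Application_AuthenticateRequest rebuilds the GenericPrincipal from that ticket instead of from Session. Because the framework encrypts and MACs the ticket (protection="All", the default), the role list cannot be edited on the client the way a query-string value could; the LookupRoles helper and the "|" separator are assumptions.

```vb
' --- login.aspx.vb: called only after the user's credentials have been verified ---
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

' Assumed helper (not shown): LookupRoles(userName) returns e.g.
' {"Admin", "Member"} for an administrator and {"Member"} otherwise.
Public Sub IssueTicket(ByVal userName As String, ByVal roles() As String, _
                       ByVal response As HttpResponse, ByVal secureConnection As Boolean)
    ' Pack the role list into UserData. "|" is an assumed separator that
    ' must not occur inside a role name.
    Dim ticket As New FormsAuthenticationTicket( _
        1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
        False, String.Join("|", roles), FormsAuthentication.FormsCookiePath)

    ' Encrypt + MAC the ticket and place it in the standard forms-auth cookie.
    Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                 FormsAuthentication.Encrypt(ticket))
    cookie.Path = FormsAuthentication.FormsCookiePath
    cookie.Secure = secureConnection   ' keep the ticket on HTTPS when the site is on HTTPS
    response.Cookies.Add(cookie)
End Sub

' Usage from the login page, after the SQL credential check has passed:
'   IssueTicket(userName, LookupRoles(userName), Response, Request.IsSecureConnection)
'   Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))

' --- Global.asax: this event fires before the Session module, so Session is never touched ---
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Dim ctx As HttpContext = HttpContext.Current
    If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Exit Sub
    If Not TypeOf ctx.User.Identity Is FormsIdentity Then Exit Sub

    Dim id As FormsIdentity = CType(ctx.User.Identity, FormsIdentity)
    ' FormsAuthenticationModule has already decrypted and validated the ticket;
    ' an empty UserData simply means no roles were issued.
    Dim roles() As String = New String() {}
    If id.Ticket.UserData.Length > 0 Then
        roles = id.Ticket.UserData.Split("|"c)
    End If

    ' Replace the default principal so <allow roles="Admin"/> in web.config can match.
    ctx.User = New GenericPrincipal(id, roles)
End Sub
```

Roles issued this way are fixed for the lifetime of the ticket, so a change in a user's database role only takes effect after the ticket expires or the user logs in again.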
 
 
 
wrecker
      08-19-2005
Hi Dominick,

Thanks for your help. Now I'm wondering if there is any way to access a user's roles if they have
cookies disabled? I suppose that I could pass roles on the query string and check them on page load,
but there must be a more elegant way. For now I'll follow your suggestion and store the roles in a
cookie.

Thanks again


On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
<(E-Mail Removed)> wrote:

>Hello wrecker,
>
>i doubt your code is working fine. In AuthenticateRequest you don't have
>access to the Session as the SessionModule runs after this event....
>
>The common approach is to store the roles in the cookie. I have a sample
>on my blog for doing this:
>http://www.leastprivilege.com/DevWee...onference.aspx
>
>---------------------------------------
>Dominick Baier - DevelopMentor
>http://www.leastprivilege.com


Dominick Baier [DevelopMentor]
      08-20-2005
Hello wrecker,

In 1.1, FormsAuth is totally dependent on cookies...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> Thanks for you help. Now I'm wondering if there is anyway to access a
> users roles if they have cookies disabled? I suppose that I could
> pass roles on the query string and check them on page load but there
> must be a more elegant way. For now I'll follow your suggestion and
> store the roles in a cookie.
>
> Thanks again
>
> On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
> <(E-Mail Removed)> wrote:




Pat
      08-29-2005
But has it changed in ASP.NET 2.0?

"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed).. .
> Hello wrecker,
>
> in 1.1 - FormsAuth is totally dependent on cookies...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com



Dominick Baier [DevelopMentor]
      08-30-2005
Hello Pat,

Yes, you can now do cookieless forms authentication. Similar to cookieless
sessions, the authentication ticket gets mangled into the URL. Needless to
say, I don't like that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> But as it changed in ASP.NET 2.0?
>
> "Dominick Baier [DevelopMentor]"
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed).. .



