«

I am a fairly new developer and need some help setting up some security for a
site I am helping to build. The site should allow any one who goes there to
view and use some basic pages, but should also give the option of signing in
and then being redirected to the appropriate area of the application. I have
found some code to implement role base security (which is exactly what I'm
looking for) using Forms Authentication, but doesn't that force every one
accessing the web site to sign in? How can I restrict access to portions of
the site unless the appropriate login is provided, but not require a login
for the site as a whole?

Any help would be greatly appreciated.

Chris

hi,

partition your site in public and authenticated areas.

use a location element to restrict access to the authenticated area,

e.g. by restricting to specific roles

<location path="autharea">
<system.web>
<authorization>
<allow roles="Role1, Role2" />
<deny users="*" />
</authorization>
</system.web>

or generally deyning un-authenticated access

<location path="autharea">
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I am a fairly new developer and need some help setting up some
> security for a site I am helping to build. The site should allow any
> one who goes there to view and use some basic pages, but should also
> give the option of signing in and then being redirected to the
> appropriate area of the application. I have found some code to
> implement role base security (which is exactly what I'm looking for)
> using Forms Authentication, but doesn't that force every one accessing
> the web site to sign in? How can I restrict access to portions of the
> site unless the appropriate login is provided, but not require a login
> for the site as a whole?
>
> Any help would be greatly appreciated.
>
> Chris
>

Thank you for your rapid response.

If I set the public side to allow anonymous user, will the Forms
Authentication be skipped? Once I have a user loged in, how do I direct them
to a "start" page based on their role? I need administrators to go to one
section, and registered customers to go somewhere else.

Chris

"Dominick Baier [DevelopMentor]" wrote:

> hi,
>
> partition your site in public and authenticated areas.
>
> use a location element to restrict access to the authenticated area,
>
> e.g. by restricting to specific roles
>
> <location path="autharea">
> <system.web>
> <authorization>
> <allow roles="Role1, Role2" />
> <deny users="*" />
> </authorization>
> </system.web>
>
> or generally deyning un-authenticated access
>
> <location path="autharea">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I am a fairly new developer and need some help setting up some
> > security for a site I am helping to build. The site should allow any
> > one who goes there to view and use some basic pages, but should also
> > give the option of signing in and then being redirected to the
> > appropriate area of the application. I have found some code to
> > implement role base security (which is exactly what I'm looking for)
> > using Forms Authentication, but doesn't that force every one accessing
> > the web site to sign in? How can I restrict access to portions of the
> > site unless the appropriate login is provided, but not require a login
> > for the site as a whole?
> >
> > Any help would be greatly appreciated.
> >
> > Chris
> >
>
>
>

hi,

you could do that in your login page - query the roles and do a response
redirect..

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thank you for your rapid response.
>
> If I set the public side to allow anonymous user, will the Forms
> Authentication be skipped? Once I have a user loged in, how do I
> direct them to a "start" page based on their role? I need
> administrators to go to one section, and registered customers to go
> somewhere else.
>
> Chris
>
> "Dominick Baier [DevelopMentor]" wrote:
>
>> hi,
>>
>> partition your site in public and authenticated areas.
>>
>> use a location element to restrict access to the authenticated area,
>>
>> e.g. by restricting to specific roles
>>
>> <location path="autharea">
>> <system.web>
>> <authorization>
>> <allow roles="Role1, Role2" />
>> <deny users="*" />
>> </authorization>
>> </system.web>
>> or generally deyning un-authenticated access
>>
>> <location path="autharea">
>> <system.web>
>> <authorization>
>> <deny users="?" />
>> </authorization>
>> </system.web>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I am a fairly new developer and need some help setting up some
>>> security for a site I am helping to build. The site should allow
>>> any one who goes there to view and use some basic pages, but should
>>> also give the option of signing in and then being redirected to the
>>> appropriate area of the application. I have found some code to
>>> implement role base security (which is exactly what I'm looking for)
>>> using Forms Authentication, but doesn't that force every one
>>> accessing the web site to sign in? How can I restrict access to
>>> portions of the site unless the appropriate login is provided, but
>>> not require a login for the site as a whole?
>>>
>>> Any help would be greatly appreciated.
>>>
>>> Chris
>>>

Thanks for your help. Acutally thought for a minute and think I answered my
own questions.

Chris

"Dominick Baier [DevelopMentor]" wrote:

> hi,
>
> partition your site in public and authenticated areas.
>
> use a location element to restrict access to the authenticated area,
>
> e.g. by restricting to specific roles
>
> <location path="autharea">
> <system.web>
> <authorization>
> <allow roles="Role1, Role2" />
> <deny users="*" />
> </authorization>
> </system.web>
>
> or generally deyning un-authenticated access
>
> <location path="autharea">
> <system.web>
> <authorization>
> <deny users="?" />
> </authorization>
> </system.web>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > I am a fairly new developer and need some help setting up some
> > security for a site I am helping to build. The site should allow any
> > one who goes there to view and use some basic pages, but should also
> > give the option of signing in and then being redirected to the
> > appropriate area of the application. I have found some code to
> > implement role base security (which is exactly what I'm looking for)
> > using Forms Authentication, but doesn't that force every one accessing
> > the web site to sign in? How can I restrict access to portions of the
> > site unless the appropriate login is provided, but not require a login
> > for the site as a whole?
> >
> > Any help would be greatly appreciated.
> >
> > Chris
> >
>
>
>