ASP.NET 2.0: Best Way To Set Up Access Based On Roles

 
 
va
      02-02-2006
Using the Web Site Administration Tool Security Tab, I wanted to:

1) Deny access to certain web pages based on a user's logged in Role

PROBLEM: But the Web Site Administration Tool Security Tab forces me to
deny access only by directory not actual web page files. Should I just
segregate the web page files into different directories?

2) Have SiteNavigation and SiteMapData properly correspond and only show
allowable pages on the site based on role

PROBLEM: No idea how to do this?


Thanks
 
Dominick Baier [DevelopMentor]
      02-02-2006
hi,

start here:
http://66.129.71.130/QuickStartv20/a...y/default.aspx

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Using the Web Site Administration Tool Security Tab, I wanted to:
>
> 1) Deny access to certain web pages based on a user's logged in Role
>
> PROBLEM: But the Web Site Administration Tool Security Tab forces me
> to deny access only by directory not actual web page files. Should
> I just segregate the web page files into different directories?
>
> 2) Have SiteNavigation and SiteMapData properly correspond and only
> show allowable pages on the site based on role
>
> PROBLEM: No idea how to do this?
>
> Thanks
>



 
MikeS
      02-02-2006
1. Set up your location tags in web config (or using the UI) to protect
the pages themselves.

<location path="mypage.aspx">
  <system.web><authorization>
    <allow roles="Admin" />
    <deny users="*" />
  </authorization></system.web>
</location>

2. Set the securityTrimmingEnabled="true" attribute on your sitemap
provider to exclude nodes that a role can't use.

You can also add a roles attribute to your site map nodes but that just
excludes them and does not protect them like 1 above, as far as I know.

3. Profit

 
va
      02-02-2006
Mike,

Thank you so much. I got caught up in the new stuff and forgot the old
approaches!
 
Yendi
      02-03-2006
Hi Mike,

Is there a way to declare the url the user has to be redirected when
he's not authorized to view certain page? Right now, I'm doing it
exactly as you said, and it's redirecting to login.aspx... but I want
it to go to... let's say... noAccess.aspx. Can I do that?

Thanks.

 
Dominick Baier [DevelopMentor]
      02-03-2006
Hi,

no - you will always redirect to the login page.

You can however on the login page detect if the user is already logged in
- if he is - then the redirect is most likely a noaccess problem - if he is
not authenticated - then it seems to be a logon...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Mike,
>
> Is there a way to declare the url the user has to be redirected when
> he's not authorized to view certain page? Right now, I'm doing it
> exactly as you said, and it's redirecting to login.aspx... but I want
> it to go to... let's say... noAccess.aspx. Can I do that?
>
> Thanks.
>



 
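Dominick's suggestion above, sketched as an added example (it is not code from the thread): the login page's code-behind tells "not logged in" apart from "logged in but not authorized" and sends the second case to a separate page. The class name Login, the page NoAccess.aspx and the `wanted` query parameter are assumptions; NoAccess.aspx must be readable by every authenticated user, or the request will be bounced back to the login page again.

```csharp
// Login.aspx.cs: code-behind for the forms-authentication login page.
// Added example; Login, NoAccess.aspx and "wanted" are assumed names.
using System;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return; // credentials are being submitted; let the login logic run
        }

        // Forms authentication appends ReturnUrl when it bounces a request here.
        string returnUrl = Request.QueryString["ReturnUrl"];

        // Authenticated and bounced here: the <authorization> rules denied the
        // user's roles, so this is an access problem rather than a logon.
        if (Request.IsAuthenticated && !String.IsNullOrEmpty(returnUrl))
        {
            // Hand the denied URL over as encoded data only. It is never used
            // as a redirect target, so a forged ReturnUrl cannot send the
            // user to another site.
            string target = "~/NoAccess.aspx?wanted="
                            + HttpUtility.UrlEncode(returnUrl);
            Response.Redirect(target, true);
        }

        // Anonymous user: fall through and render the normal login form.
    }
}
```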
 
MikeS
      02-04-2006
Dominick has a good suggestion, and there are others.

http://weblogs.asp.net/pwilson/archi...11/129844.aspx

Me, I just wouldn't show them a link they can't visit and if they visit
it, it is OK to boot them.

Otherwise, if you want to show the link as a tease for premium content
maybe disable the link or change its navurl based on whether the user
has rights to the content, perhaps with a custom sitemap provider or
web control.

 
MikeS
      02-05-2006
Short of all that, it looks like you can set your sitemap up to show
different links to different user types.

<siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" url="noaccess.aspx?wanted=premium" />
  <siteMapNode title="Premium" url="premium.aspx" />
</siteMapNode>

You have to have location tags in web.config restricting premium.aspx
to the "premium" role and restricting noaccess.aspx to the "regular"
role as well as securityTrimmingEnabled set on the provider. This makes
for double sitemap entries for each premium offering (but I could not
get a custom provider and/or SiteMapResolve to do this for me). Note
that noaccess.aspx can be used repeatedly in the map if the querystring
is changed to make the url unique, besides, you can use that to figure
out why they got bounced. Also note that the user can only be in one
role or the other.

 
MikeS
      02-05-2006
Moreover...

If you want to do without the location tags in web.config you could set
up the sitemap using the roles I described like so.

<siteMapNode url="default.aspx" title="Home">
  <siteMapNode title="Premium" roles="premium">
    <siteMapNode title="Blog" url="blog.aspx" />
    <siteMapNode title="Email" url="email.aspx" />
  </siteMapNode>
  <siteMapNode title="Premium" roles="regular">
    <siteMapNode title="Blog" url="noaccess.aspx?what=blog" />
    <siteMapNode title="Email" url="noaccess.aspx?what=email" />
  </siteMapNode>
</siteMapNode>

 