Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > ASP.NET Role Authorization Override

Reply
Thread Tools

ASP.NET Role Authorization Override

 
 
Mike
Guest
Posts: n/a
 
      06-09-2009
Hello,

I am having difficulty achieving a result I expected to be very easy with
ASP.NET role authorization. I would like to set a site-wide authorization
policy where only members of a certain role may access any page in the site,
but I would like suspend this authorization policy for *one* single page in
the site, so that any authenticated user may access the page, no matter which
role they are assigned to or even if they have no roles.

I have tried using a <location> element to turn off role authorization for
the single page, but it doesn't seem to have any affect. Authenticated users
without the proper role that try to access the unrestricted page are prompted
over and over again to log in, which indicates that a role is still needed
for the page. How can I override the site-wide role authorization requirement
and turn it off for the one page?

TIA,
-Mike
 
Reply With Quote
 
 
 
 
Joe Kaplan
Guest
Posts: n/a
 
      06-09-2009
Perhaps you could show the markup from the web.config? There may be an
error in your location tag usage that is preventing it from giving you the
desired results.

An alternate approach would be to handle the "Authenticate" event in
global.asax, check for a request for the specific excluded page and use the
SkipAuthorization property on HttpContext to override the behavior of the
UrlAuthorizationModule (the <allow><deny> tags in web.config). This
approach is a bit dangerous because you need to do matching on the URL which
can lead to security issues if you have any problems with your string
matching and it may be harder to maintain, but sometimes you need the extra
flexibility the code solution gives you.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"Mike" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> I am having difficulty achieving a result I expected to be very easy with
> ASP.NET role authorization. I would like to set a site-wide authorization
> policy where only members of a certain role may access any page in the
> site,
> but I would like suspend this authorization policy for *one* single page
> in
> the site, so that any authenticated user may access the page, no matter
> which
> role they are assigned to or even if they have no roles.
>
> I have tried using a <location> element to turn off role authorization for
> the single page, but it doesn't seem to have any affect. Authenticated
> users
> without the proper role that try to access the unrestricted page are
> prompted
> over and over again to log in, which indicates that a role is still needed
> for the page. How can I override the site-wide role authorization
> requirement
> and turn it off for the one page?
>
> TIA,
> -Mike


 
Reply With Quote
 
 
 
 
Mike
Guest
Posts: n/a
 
      06-09-2009
Joe,

Thanks for the suggestion. The markup from the web.config file is as follows:

<!-- site-wide authorization: only allow Administrators access -->
<system.web>
<authentication mode="Forms">
<forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
slidingExpiration="true" protection="All" />
</authentication>
<authorization>
<allow roles="Administrators"/>
<deny users="*"/>
</authorization>
</system.web>

<!-- location override: let any authenticated user access the EditUser page
-->
<location path="Users/EditUser.aspx">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>

As you can see, my approach was to limit access by role site-wide, but then
for the page I wanted an exclusion for, simply restrict anonymous users from
accessing it, which I thought would be logically equivalent to allowing any
authenticated user, irrespective of role, access it. Perhaps this is not how
ASP.NET interprets it, and this may be the disjuncture. Maybe the <location>
element isn't viewed as an override on the <authorization> element, since it
isn't explicitly specified. That being the case, how does one turn it off in
a sub-directory?

I'd like to establish this policy via configuration versus code, if
possible. I'd be quite surprised if there wasn't a way to achieve what I'm
trying to do, given how simple it seems: make every page in the site require
Administrators membership except for 1 page, which would only require user
authentication.

Thanks again,
-Mike

"Joe Kaplan" wrote:

> Perhaps you could show the markup from the web.config? There may be an
> error in your location tag usage that is preventing it from giving you the
> desired results.
>
> An alternate approach would be to handle the "Authenticate" event in
> global.asax, check for a request for the specific excluded page and use the
> SkipAuthorization property on HttpContext to override the behavior of the
> UrlAuthorizationModule (the <allow><deny> tags in web.config). This
> approach is a bit dangerous because you need to do matching on the URL which
> can lead to security issues if you have any problems with your string
> matching and it may be harder to maintain, but sometimes you need the extra
> flexibility the code solution gives you.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> "Mike" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hello,
> >
> > I am having difficulty achieving a result I expected to be very easy with
> > ASP.NET role authorization. I would like to set a site-wide authorization
> > policy where only members of a certain role may access any page in the
> > site,
> > but I would like suspend this authorization policy for *one* single page
> > in
> > the site, so that any authenticated user may access the page, no matter
> > which
> > role they are assigned to or even if they have no roles.
> >
> > I have tried using a <location> element to turn off role authorization for
> > the single page, but it doesn't seem to have any affect. Authenticated
> > users
> > without the proper role that try to access the unrestricted page are
> > prompted
> > over and over again to log in, which indicates that a role is still needed
> > for the page. How can I override the site-wide role authorization
> > requirement
> > and turn it off for the one page?
> >
> > TIA,
> > -Mike

>
>

 
Reply With Quote
 
Jesse Houwing
Guest
Posts: n/a
 
      06-09-2009
Hello Mike,

Add a specific Allow users tag to the location specific rule, otherwise there's
only deny rules in the whole set that applies to this location.

Jesse

> Joe,
>
> Thanks for the suggestion. The markup from the web.config file is as
> follows:
>
> <!-- site-wide authorization: only allow Administrators access -->
> <system.web>
> <authentication mode="Forms">
> <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
> slidingExpiration="true" protection="All" />
> </authentication>
> <authorization>
> <allow roles="Administrators"/>
> <deny users="*"/>
> </authorization>
> </system.web>
> <!-- location override: let any authenticated user access the EditUser
> page
> -->
> <location path="Users/EditUser.aspx">
> <system.web>
> <authorization>
> <deny users="?"/>
> </authorization>
> </system.web>
> </location>
> As you can see, my approach was to limit access by role site-wide, but
> then for the page I wanted an exclusion for, simply restrict anonymous
> users from accessing it, which I thought would be logically equivalent
> to allowing any authenticated user, irrespective of role, access it.
> Perhaps this is not how ASP.NET interprets it, and this may be the
> disjuncture. Maybe the <location> element isn't viewed as an override
> on the <authorization> element, since it isn't explicitly specified.
> That being the case, how does one turn it off in a sub-directory?
>
> I'd like to establish this policy via configuration versus code, if
> possible. I'd be quite surprised if there wasn't a way to achieve what
> I'm trying to do, given how simple it seems: make every page in the
> site require Administrators membership except for 1 page, which would
> only require user authentication.
>
> Thanks again,
> -Mike
> "Joe Kaplan" wrote:
>
>> Perhaps you could show the markup from the web.config? There may be
>> an error in your location tag usage that is preventing it from giving
>> you the desired results.
>>
>> An alternate approach would be to handle the "Authenticate" event in
>> global.asax, check for a request for the specific excluded page and
>> use the SkipAuthorization property on HttpContext to override the
>> behavior of the UrlAuthorizationModule (the <allow><deny> tags in
>> web.config). This approach is a bit dangerous because you need to do
>> matching on the URL which can lead to security issues if you have any
>> problems with your string matching and it may be harder to maintain,
>> but sometimes you need the extra flexibility the code solution gives
>> you.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> "Mike" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hello,
>>>
>>> I am having difficulty achieving a result I expected to be very easy
>>> with
>>> ASP.NET role authorization. I would like to set a site-wide
>>> authorization
>>> policy where only members of a certain role may access any page in
>>> the
>>> site,
>>> but I would like suspend this authorization policy for *one* single
>>> page
>>> in
>>> the site, so that any authenticated user may access the page, no
>>> matter
>>> which
>>> role they are assigned to or even if they have no roles.
>>> I have tried using a <location> element to turn off role
>>> authorization for
>>> the single page, but it doesn't seem to have any affect.
>>> Authenticated
>>> users
>>> without the proper role that try to access the unrestricted page are
>>> prompted
>>> over and over again to log in, which indicates that a role is still
>>> needed
>>> for the page. How can I override the site-wide role authorization
>>> requirement
>>> and turn it off for the one page?
>>> TIA,
>>> -Mike

--
Jesse Houwing
jesse.houwing at sogeti.nl


 
Reply With Quote
 
Mike
Guest
Posts: n/a
 
      06-09-2009
Thanks Jesse, your advice seems to have gotten me past this hurdle. It's odd,
because I could have sworn that I had tried this already. Below is the
updated <location> element that appears to have done the trick:

<location path="Users/EditUser.aspx">
<system.web>
<authorization>
<deny users="?"/>
<allow users="*"/> <!-- this resets the parent role auth, I
guess? -->
</authorization>
</system.web>
</location>

Thanks once again to Jesse and Joe for their help.

-Mike

"Jesse Houwing" wrote:

> Hello Mike,
>
> Add a specific Allow users tag to the location specific rule, otherwise there's
> only deny rules in the whole set that applies to this location.
>
> Jesse
>
> > Joe,
> >
> > Thanks for the suggestion. The markup from the web.config file is as
> > follows:
> >
> > <!-- site-wide authorization: only allow Administrators access -->
> > <system.web>
> > <authentication mode="Forms">
> > <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
> > slidingExpiration="true" protection="All" />
> > </authentication>
> > <authorization>
> > <allow roles="Administrators"/>
> > <deny users="*"/>
> > </authorization>
> > </system.web>
> > <!-- location override: let any authenticated user access the EditUser
> > page
> > -->
> > <location path="Users/EditUser.aspx">
> > <system.web>
> > <authorization>
> > <deny users="?"/>
> > </authorization>
> > </system.web>
> > </location>
> > As you can see, my approach was to limit access by role site-wide, but
> > then for the page I wanted an exclusion for, simply restrict anonymous
> > users from accessing it, which I thought would be logically equivalent
> > to allowing any authenticated user, irrespective of role, access it.
> > Perhaps this is not how ASP.NET interprets it, and this may be the
> > disjuncture. Maybe the <location> element isn't viewed as an override
> > on the <authorization> element, since it isn't explicitly specified.
> > That being the case, how does one turn it off in a sub-directory?
> >
> > I'd like to establish this policy via configuration versus code, if
> > possible. I'd be quite surprised if there wasn't a way to achieve what
> > I'm trying to do, given how simple it seems: make every page in the
> > site require Administrators membership except for 1 page, which would
> > only require user authentication.
> >
> > Thanks again,
> > -Mike
> > "Joe Kaplan" wrote:
> >
> >> Perhaps you could show the markup from the web.config? There may be
> >> an error in your location tag usage that is preventing it from giving
> >> you the desired results.
> >>
> >> An alternate approach would be to handle the "Authenticate" event in
> >> global.asax, check for a request for the specific excluded page and
> >> use the SkipAuthorization property on HttpContext to override the
> >> behavior of the UrlAuthorizationModule (the <allow><deny> tags in
> >> web.config). This approach is a bit dangerous because you need to do
> >> matching on the URL which can lead to security issues if you have any
> >> problems with your string matching and it may be harder to maintain,
> >> but sometimes you need the extra flexibility the code solution gives
> >> you.
> >>
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services
> >> Programming"
> >> http://www.directoryprogramming.net
> >> "Mike" <(E-Mail Removed)> wrote in message
> >> news:(E-Mail Removed)...
> >>> Hello,
> >>>
> >>> I am having difficulty achieving a result I expected to be very easy
> >>> with
> >>> ASP.NET role authorization. I would like to set a site-wide
> >>> authorization
> >>> policy where only members of a certain role may access any page in
> >>> the
> >>> site,
> >>> but I would like suspend this authorization policy for *one* single
> >>> page
> >>> in
> >>> the site, so that any authenticated user may access the page, no
> >>> matter
> >>> which
> >>> role they are assigned to or even if they have no roles.
> >>> I have tried using a <location> element to turn off role
> >>> authorization for
> >>> the single page, but it doesn't seem to have any affect.
> >>> Authenticated
> >>> users
> >>> without the proper role that try to access the unrestricted page are
> >>> prompted
> >>> over and over again to log in, which indicates that a role is still
> >>> needed
> >>> for the page. How can I override the site-wide role authorization
> >>> requirement
> >>> and turn it off for the one page?
> >>> TIA,
> >>> -Mike

> --
> Jesse Houwing
> jesse.houwing at sogeti.nl
>
>
>

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
URL Authorization does not override File Authorization? SeanRW ASP .Net Security 1 05-25-2006 06:18 AM
Can we override the Authorization Module to write custom access rules? (.NET 2.0) dorionda@gmail.com ASP .Net Security 3 03-10-2006 10:25 PM
Customizable Role-based Authorization Snig ASP .Net 5 04-25-2005 07:08 AM
<location> path authorization is not properly checked for override restrictions Gery D. Dorazio ASP .Net Security 0 08-13-2004 05:11 AM
Role-Based Authorization =?Utf-8?B?UFRC?= ASP .Net 1 04-17-2004 01:14 AM



Advertisments