
role based security and

I have the following questions to ask.

For example, there are two roles, A and B, to grant to users UA and UB
respectively.
UB is not in role A and UA is not in role B.
A can access Apage and B can access Bpage by typing their passwords, resp.
However, when A has accessed Apage and knows the URL of Bpage, A can access
Bpage. Right now I hard-code it in codebehind functions to protect the
system from this case.

I would like to set up the configuration file Web.config such that I do not need
to add code to each of the codebehind functions.

I have added the following to Web.config, but it does not seem to work this
way. Can anyone give me some help? Thanks

David

<location path="Apage.aspx">
  <system.web>
    <authorization>
      <allow roles="A" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<location path="Bpage.aspx">
  <system.web>
    <authorization>
      <allow roles="B" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Nov 19 '05 #1
This should work. I'm wondering if your roles aren't being properly created
upon each request. Are you doing this in Application_AuthenticateRequest
in global.asax?

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #2

Yes, I implement Application_AuthenticateRequest.
I will try it once more.

Another new problem has come up.
All forms are located in Demo and secured by Web.config as
<authentication mode="Forms">
  <forms name="AuthCookie" loginUrl="login.aspx" path="/" >
  </forms>
</authentication>

I also have an image subfolder in Demo for storing images. The problem is
that I can access all images in the image subfolder without being asked for
a user/password.
What is the problem?
Nov 19 '05 #3
> yes, I implement Application_AuthenticateRequest.
> I will try it once more.

Hmm, ok, then I don't see why it's not working for you. I'd build a new simple
project that just does this little bit that you're trying to do and make
it work there. Sometimes the baggage of the rest of your application can
hide other problems.

> I also have an image subfolder in Demo for storing images. The problem is
> that I can access to all images in the image subfolder without asking
> user/password.
> What is the problem?

So add a <location path="image"> that denies user="?". This will not allow
any anonymous users. Again, I'd test this in the sample app I mentioned above
just so you know it works :)

-Brock
DevelopMentor
http://staff.develop.com/ballen

Nov 19 '05 #4
Thanks

Nov 19 '05 #5
It does not work. My configuration is:

<authorization>
  <deny users="?" /> <!-- deny anonymous users -->
  <allow users="*" /> <!-- Allow all users -->

  <!-- <allow users="[comma separated list of users]"
              roles="[comma separated list of roles]"/>
       <deny users="[comma separated list of users]"
             roles="[comma separated list of roles]"/>
  -->
</authorization>

<location path="images">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

Nov 19 '05 #6
The <location> is outside your <system.web>, right?

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #7
Yes, <location> is outside <system.web>.

Nov 19 '05 #8
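
The rule evaluation this thread relies on, as an added example that is not code from any poster or from ASP.NET itself: a simplified Python model in which rules from a matching <location> are checked before the site-wide rules and the first rule that matches the caller decides. The combined Web.config, the `images/logo.gif` path and all helper names are constructed for illustration, and role membership is passed in directly, standing in for the roles attached in Application_AuthenticateRequest.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config: the thread's rules, with each <location> placed as a
# direct child of <configuration>, i.e. outside <system.web>.
WEB_CONFIG = """<configuration>
  <system.web><authorization>
    <deny users="?" /><allow users="*" />
  </authorization></system.web>
  <location path="Apage.aspx"><system.web><authorization>
    <allow roles="A" /><deny users="*" />
  </authorization></system.web></location>
  <location path="Bpage.aspx"><system.web><authorization>
    <allow roles="B" /><deny users="*" />
  </authorization></system.web></location>
  <location path="images"><system.web><authorization>
    <deny users="?" />
  </authorization></system.web></location>
</configuration>"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def rules_for(root, url_path):
    """Rules from a matching <location> come first, then the site-wide rules."""
    rules, url_path = [], url_path.lower()
    for loc in root.findall("location"):  # direct children of <configuration>
        p = loc.get("path").lower()
        if url_path == p or url_path.startswith(p + "/"):
            rules += list(loc.find("system.web/authorization"))
    return rules + list(root.find("system.web/authorization"))

def matches(rule, user, roles):
    users = _csv(rule.get("users", ""))
    if "*" in users or (user is None and "?" in users):
        return True  # "*" is everyone, "?" is the anonymous user
    in_role = any(r in roles for r in _csv(rule.get("roles", "")))
    return user is not None and (user in users or in_role)

def is_allowed(url_path, user=None, roles=()):
    """Simplified model: the first rule that matches the caller decides."""
    for rule in rules_for(ET.fromstring(WEB_CONFIG), url_path):
        if matches(rule, user, roles):
            return rule.tag == "allow"
    return True  # nothing matched: modelled as the default <allow users="*" />

if __name__ == "__main__":
    for path, user, roles in [("Apage.aspx", "UA", ["A"]), ("Bpage.aspx", "UA", ["A"]),
                              ("Apage.aspx", "UA", []), ("images/logo.gif", None, [])]:
        print(path, user, roles, "->", is_allowed(path, user, roles))
```

The model covers only requests that ASP.NET itself processes; where IIS serves static files such as images without handing them to ASP.NET, these rules are never consulted for them.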
