By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,309 Members | 1,452 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,309 IT Pros & Developers. It's quick & easy.

web.config roles

P: n/a
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently, users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now, DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text, true));

Am I on the right path ? Any help appreaciated.
regards,
andrew
Mar 30 '06 #1
Share this Question
Share on Google+
5 Replies


P: n/a
You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>
</system.web>

</configuration

Patrick
"Andrew" <An****@discussions.microsoft.com> wrote in message
news:05**********************************@microsof t.com...
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently,
users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in
the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now,
DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new
HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
true));

Am I on the right path ? Any help appreaciated.
regards,
andrew

Mar 30 '06 #2

P: n/a
hi,
thanks for your reply.

what i have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder n one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

my subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

"Patrick.O.Ige" wrote:
You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>
</system.web>

</configuration

Patrick
"Andrew" <An****@discussions.microsoft.com> wrote in message
news:05**********************************@microsof t.com...
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently,
users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in
the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now,
DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new
HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
true));

Am I on the right path ? Any help appreaciated.
regards,
andrew


Mar 30 '06 #3

P: n/a
i forgot to add that it is not working.
my login page keeps getting redirected back to itself. the url is:
http://localhost/MainFolder/UserLogi...erA%2fxxx.aspx

Note: xxx.aspx is located within FolderA of the MainFolder.

"Andrew" wrote:
hi,
thanks for your reply.

what i have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder n one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

my subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

"Patrick.O.Ige" wrote:
You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>
</system.web>

</configuration

Patrick
"Andrew" <An****@discussions.microsoft.com> wrote in message
news:05**********************************@microsof t.com...
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently,
users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in
the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now,
DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new
HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
true));

Am I on the right path ? Any help appreaciated.
regards,
andrew


Mar 30 '06 #4

P: n/a
DWS
Andrew,
Yeah, your on right track and I have divined that you've used the asp.net
configuration tool security tab because you have a web.config file in your
sub folder.

Proplem:
deny users="?" reads deny users that aren't authenticated to asp.net once
logged in they could go to the admin folder.

Solution: deny users="*" wild card to exclude everyone.

The authorization works top to bottom your in or your out. There is no
middle ground logical processing so you have to allow admin first then deny
everyone.

Your new web.config for the admin folder.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow roles="Admin"/> /*admin is allowed */
<deny users="*"/> /* man nobody gets by the wildcard */
</authorization>
</system.web>
</configuration>

Try it watch how asp.net adds a query string "ReturnUrL" to redirect after
login. Cool stuff it will pick up the location of the login page from the
root web.config and automatically redirect there if it needs to, once you log
in asp.net will automatically redirect you back to the page that needs
authentication like any page in the admin folder.

Good Luck
DWS

"Andrew" wrote:
hi,
thanks for your reply.

what i have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder n one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

my subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

"Patrick.O.Ige" wrote:
You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>
</system.web>

</configuration

Patrick
"Andrew" <An****@discussions.microsoft.com> wrote in message
news:05**********************************@microsof t.com...
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently,
users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in
the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now,
DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new
HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
true));

Am I on the right path ? Any help appreaciated.
regards,
andrew


Mar 30 '06 #5

P: n/a
Hi,

I should have said that I am still using aspnet1.0.
I did as u suggested n i got an error saying that "Threat is being aborted"
when it hits the "Response.Redirect" line in my UserLogin.aspx page, it then
jumps to my catch(Exception ex) error handler. I put here an excerpt of my
login page:

string returnUrl = Request.QueryString["ReturnUrl"];
if (returnUrl == null) returnUrl = "UserLogin.aspx";
lblMessage.Text = returnUrl;
Response.Redirect(returnUrl);

When using the debugger I could see that the returnURL value is:
/MainFolder/FolderA/AdminMenu.aspx
which is correct.
Dun know why.. Help ??

regards,
andrew
"DWS" wrote:
Andrew,
Yeah, your on right track and I have divined that you've used the asp.net
configuration tool security tab because you have a web.config file in your
sub folder.

Proplem:
deny users="?" reads deny users that aren't authenticated to asp.net once
logged in they could go to the admin folder.

Solution: deny users="*" wild card to exclude everyone.

The authorization works top to bottom your in or your out. There is no
middle ground logical processing so you have to allow admin first then deny
everyone.

Your new web.config for the admin folder.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
<system.web>
<authorization>
<allow roles="Admin"/> /*admin is allowed */
<deny users="*"/> /* man nobody gets by the wildcard */
</authorization>
</system.web>
</configuration>

Try it watch how asp.net adds a query string "ReturnUrL" to redirect after
login. Cool stuff it will pick up the location of the login page from the
root web.config and automatically redirect there if it needs to, once you log
in asp.net will automatically redirect you back to the page that needs
authentication like any page in the admin folder.

Good Luck
DWS

"Andrew" wrote:
hi,
thanks for your reply.

what i have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder n one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

my subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

"Patrick.O.Ige" wrote:
You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>
</system.web>

</configuration

Patrick
"Andrew" <An****@discussions.microsoft.com> wrote in message
news:05**********************************@microsof t.com...
> Hi,
>
> I have a default.aspx which allows the user to choose between module Admin
> and module B. When the user clicks either one, he will be redirected to a
> FormsAuthentication login page. The problem I have is that currently,
> users
> of one module are able to access the other since I have only 1 login page.
> How do I prevent this ?
>
> I am not sure how to go about configuring the web.config file for having 2
> modules that have a separate set of users for each. The files are all in
> the
> same directory.
>
> I've written the code for the login using the genericprincipal class etc.
> However, I got the error at "Thread was aborted" on my Login.aspx. I can't
> figure out why. The debugger jumps to the exception at the
> "Response.Redirect" (last) line:
>
> FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
> (string)Session["UserLoginName"], DateTime.Now,
> DateTime.Now.AddMinutes(30),
> false, (string)Session["UserDomain"]);
> // Encrypt the ticket
> string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
> // Create a cookie and add the encrypted ticket as data
> HttpCookie authCookie = new
> HttpCookie(FormsAuthentication.FormsCookieName,
> encryptedTicket);
> // Add the cookie to the outgoing cookies collection
> Response.Cookies.Add(authCookie);
> Response.Redirect(FormsAuthentication.GetRedirectU rl(txtUserName.Text,
> true));
>
> Am I on the right path ? Any help appreaciated.
> regards,
> andrew
>
>

Mar 31 '06 #6

This discussion thread is closed

Replies have been disabled for this discussion.