
authorization based on url parameters

xke
Using web.config authorization settings, is it possible to allow my
users to access default.aspx but not default.aspx?action=edit ??

<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

Thanks

xke

Mar 12 '07 #1
If you don't want your users to use it, then why is it there?

If you mean that you only want a certain type of user to be able to use it,
then it seems to me that you need role-based authorisation. This is
probably most easily done by using forms authentication. Once you have
obtained the roles (from a database or whatever) for the user, you can use
attributes on your classes and/or methods to determine which types of user
can do what (e.g. you can use attributes to ensure that a user trying to
access the edit functionality is both logged in and a member of the "edit"
role (or whatever you might like to call it)). If they are not
authenticated, a SecurityException will be thrown - which you must make sure
to catch (probably in Global.aspx).

HTH
Peter

Mar 12 '07 #2
xke
Hi Peter,

True, sorry, I only want users with certain roles to be able to access
the page.
So, only let's say, Role:Admin will be able to access
default.aspx?action=edit

I was wondering if this can be done only by using web.config settings,
something like

<location path="default.aspx">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>

<location path="default.aspx?action=edit">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="?" />
    </authorization>
  </system.web>
</location>

About the last setting I've added: of course it won't work, as the path
attribute will only accept virtual paths with no querystring
parameters.

Thanks

Mar 12 '07 #3
You might be able to (although I can't see how the role information is being
transmitted), but the only sure way I know of is to use Forms
authentication.

Others may know better.

Cheers
Peter



Mar 12 '07 #4
If you have a method that is calling the "edit" command based on what your
action querystring is equal to, you could just use:

if (Roles.IsUserInRole("Admin"))
{
    // Do whatever it is that they have access to, get forwarded to, etc.
}

Else, leave the Visible=false set on those objects.

---
David Longnecker
Web Developer
http://blog.tiredstudent.com

Mar 12 '07 #5
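
Because the path attribute of a location element cannot match a query string, the check for default.aspx?action=edit has to run in the page itself. The following is an added example, not code posted by anyone in the thread: a code-behind sketch that assumes Forms authentication with roles populated for the user, and in which EditPanel, SaveButton_Click and the "Admin" role name are hypothetical.

```csharp
// Added example: code-behind for default.aspx. Control names are hypothetical.
using System;
using System.Web.Security;
using System.Web.UI;

public partial class _Default : Page
{
    // Role name assumed from the thread's "Role:Admin".
    private const string EditRole = "Admin";

    protected void Page_Load(object sender, EventArgs e)
    {
        bool editRequested = string.Equals(
            Request.QueryString["action"], "edit",
            StringComparison.OrdinalIgnoreCase);

        // Enforce the role on the server before any edit UI is built.
        if (editRequested)
        {
            RequireEditRole();
        }

        // EditPanel is a hypothetical <asp:Panel> holding the edit controls.
        EditPanel.Visible = editRequested;
    }

    // Hypothetical save handler: repeat the check here rather than relying
    // on the panel having been hidden when the page was rendered.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        RequireEditRole();
        // ... persist the edited values here ...
        EditPanel.Visible = false;
    }

    private void RequireEditRole()
    {
        if (!Request.IsAuthenticated)
        {
            // Anonymous user: send to the Forms authentication login page.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }
        if (!User.IsInRole(EditRole))
        {
            // Logged in but not in the role: refuse instead of hiding controls.
            Response.StatusCode = 403;
            Response.End();
        }
    }
}
```

If the edit function is moved to its own page, for example a hypothetical edit.aspx, the location element from the question can protect it directly, since the path then carries no query string.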
