Blocking Direct URL Access through web config

I have a web application using custom authentication and role
management, which seems to work properly. I also have a web config
file with the following:

<location path="systems">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="applications">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="certification">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

When I run the application, everything works fine. Clicking on my
menu links, I cannot access the pages for which I'm not assigned to an
allowed role. The problem is when I paste the direct URL into the
browser, I'm still able to pull up the pages I'm not supposed to have
access to. For example, when I log in as a reader (which I've
verified the role), I can click on the "Admin" link from the menu and
I get an "Access Denied" 401.2 error. However, when I copy the URL to
the browser, I can gain access to that page.

Anyone have any ideas? Any help is appreciated. Thank you.
Oct 1 '08 #1
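
How ASP.NET URL authorization reads the four location blocks from the question: rules are checked in order and the first match decides. This is an added example, not code from the thread; the `<configuration>` wrapper, the page name `default.aspx` and the persona names are assumptions, and the matrix it builds is the expected result to compare against what a direct URL request actually returns.

```python
import xml.etree.ElementTree as ET

# The <location> blocks from the post, compacted and wrapped in a
# <configuration> root (wrapper added so the fragment parses as one document).
WEB_CONFIG = """<configuration>
<location path="systems"><system.web><authorization>
  <allow roles="Administrator,Reader" /><deny users="*" />
</authorization></system.web></location>
<location path="applications"><system.web><authorization>
  <allow roles="Administrator,Reader" /><deny users="*" />
</authorization></system.web></location>
<location path="certification"><system.web><authorization>
  <allow roles="Administrator,Reader" /><deny users="*" />
</authorization></system.web></location>
<location path="admin"><system.web><authorization>
  <allow roles="Administrator" /><deny users="*" />
</authorization></system.web></location>
</configuration>"""

def _split(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def load_rules(xml_text):
    """Return {location path: [(action, users, roles), ...]} in document order."""
    rules = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        rules[loc.get("path").lower()] = [
            (r.tag, _split(r.get("users")), _split(r.get("roles")))
            for auth in loc.iter("authorization") for r in auth
            if r.tag in ("allow", "deny")]
    return rules

def is_allowed(rules, url_path, user, user_roles):
    """First matching rule wins; user=None means an anonymous request."""
    path = url_path.strip("/").lower()
    hits = [p for p in rules if path == p or path.startswith(p + "/")]
    if not hits:
        return True  # no <location> applies; ASP.NET's root default is allow users="*"
    for action, users, roles in rules[max(hits, key=len)]:
        user_hit = "*" in users or ("?" in users and user is None) or user in users
        if user_hit or roles & set(user_roles):
            return action == "allow"
    return True

def access_matrix(rules, page="default.aspx"):  # page name is hypothetical
    """Expected allow/deny per (persona, location) for a direct URL request."""
    personas = {"Administrator": ["Administrator"], "Reader": ["Reader"], "anonymous": []}
    return {(who, loc): is_allowed(rules, f"/{loc}/{page}",
                                   None if who == "anonymous" else who, r)
            for who, r in personas.items() for loc in rules}
```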
"Chase Kang #52" <ch********@gmail.com> wrote in message
news:33**********************************@k30g2000hse.googlegroups.com...
> I have a web application using custom authentication and role
> management, which seems to work properly. I also have a web config
> file with the following:
>
> <location path="systems">
>   <system.web>
>     <authorization>
>       <allow roles="Administrator,Reader" />
>       <deny users="*" />
>     </authorization>
>   </system.web>
> </location>
> <location path="applications">
>   <system.web>
>     <authorization>
>       <allow roles="Administrator,Reader" />
>       <deny users="*" />
>     </authorization>
>   </system.web>
> </location>
> <location path="certification">
>   <system.web>
>     <authorization>
>       <allow roles="Administrator,Reader" />
>       <deny users="*" />
>     </authorization>
>   </system.web>
> </location>
> <location path="admin">
>   <system.web>
>     <authorization>
>       <allow roles="Administrator" />
>       <deny users="*" />
>     </authorization>
>   </system.web>
> </location>
>
> When I run the application, everything works fine. Clicking on my
> menu links, I cannot access the pages for which I'm not assigned to an
> allowed role. The problem is when I paste the direct URL into the
> browser, I'm still able to pull up the pages I'm not supposed to have
> access to. For example, when I log in as a reader (which I've
> verified the role), I can click on the "Admin" link from the menu and
> I get an "Access Denied" 401.2 error. However, when I copy the URL to
> the browser, I can gain access to that page.
>
> Anyone have any ideas? Any help is appreciated. Thank you.

Are these aspx pages you are trying to access?

--

Joe Fawcett (MVP - XML)
http://joe.fawcett.name

Oct 9 '08 #2
