473,320 Members | 2,146 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,320 software developers and data experts.

Forms authentication + roles + non-aspx files

Hey guys/gals,

I have successfully implemented forms authentication on my site:

Expand|Select|Wrap|Line Numbers
  1.        <authentication mode="Forms">
  2.             <forms loginUrl="/Members/Login.aspx" timeout="20" defaultUrl="/Members/Welcome.aspx" protection="All" requireSSL="false" path="/" />
  3.         </authentication>
Now I would like to restrict certain subfolders within /Members by Role. I have the following roles for testing:
  • Media
  • Admin

... I have made the following entry in my web.config to test denying all access to the /Members/Media subfolder:

Expand|Select|Wrap|Line Numbers
  1.     <location path="Members/Media" >
  2.         <system.web>
  3.             <authorization>
  4.                 <deny users="*"></deny>
  5.             </authorization>
  6.         </system.web>
  7.     </location>
... I have then made a Default.aspx and a Test.txt within the /Members/Media directory.

The user I am logging in as does NOT have the role of "Media".

To test, I navigate to http://www.somesite.com/Members/Media/Default.aspx and http://www.somesite.com/Members/Media/Test.txt and in both cases forms authentication properly routed me the login page.

I then proceed to authenticate as the user without the Media role then try to access the resources in /Members/Media.

I am properly denied from accessing Default.aspx, but I can successfully get to Test.txt.

To test further, I placed a GIF into the /Members/Media and am able to access that as well.

I guess my question is, does Role based authorization only apply to requests for ASPX files and not requests for non-ASPX files such as txt, pdf, gif, etc... or have I totally screwed something up along the way?

If Role based authorization does only work with ASPX files, should I write an HTTPModule to authorize the requests for non-ASPX files?

Thanks a million!
Andrew
Dec 23 '08 #1
1 1819
kenobewan
4,871 Expert 4TB
Here is an article that may help:
Protecting Files with ASP.NET
Dec 24 '08 #2

Sign in to post your reply or Sign up for a free account.

Similar topics

3
by: Nick | last post by:
I am working a new application...well actually a series of applications for my company. They want internal users to be able to go to a site and everything regarding security is transparent,...
1
by: AVance | last post by:
Hi, I've come across this scenario in ASP.NET 1.1 with forms authentication where the forms auth doesn't seem to timeout correctly, nor redirect to the login page. I have done some testing, and...
3
by: Nick | last post by:
I am working a new application...well actually a series of applications for my company. They want internal users to be able to go to a site and everything regarding security is transparent,...
4
by: alexandis | last post by:
There are tons of articles about custom role and provider membership, but they just tear me apart and confuse :( The situation is following: I use DB2, so I wrote custom role + membership...
4
by: Bjorn Sagbakken | last post by:
In a web-application with login creds (user, pwd), these are checked against a user table on a SQL server. On a positive validation I have saved the userID, name, custno and role-settings in a...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
0
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
0
by: Defcon1945 | last post by:
I'm trying to learn Python using Pycharm but import shutil doesn't work
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 3 Apr 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome former...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.