I have the following folder structure in my ASP.NET WebForms application.
_AdminUser
_ModeratorUser
_EmployeeUser
Images
js
css
ckeditor
App_Code
errorPages
Default.aspx
News.aspx
Article.aspx
So far I had only one type of user, who used to edit the contents of the website. I used to simply authorise users and redirect authorised users to the folder '_AdminUser' so that they
can make changes to the site.
And the code below in web.config was enough for me to work without any issue.
<authentication mode="Forms">
  <forms loginUrl="~/_Login.aspx" timeout="2880"/>
</authentication>
<location path="_adminUser">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
<location path="ckeditor">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>
In my new project I have to create three different types of users:
Admin User (who is a super user and can have access to all the files in the different folders)
Moderator User (this type of user can have access only to files in the folder _ModeratorUser and the other general folders, but no access to _AdminUser or _EmployeeUser)
Employee User (this type of user can have access only to files in the folder _EmployeeUser and the other general folders, but no access to _AdminUser or _EmployeeUser)
In order to achieve this I have created three roles: Admin, Moderator and Employee. When I create a new user I assign it to a specific role, and I want each role to have access to a different folder as described above.
But I am not sure how I can modify the web.config file so that I can achieve this kind of role-based permission. I have been looking for such a tutorial but no luck so far. The other tutorials I looked at don't seem to address my problem. I would appreciate a pointer in the right direction.
I assume you use the ASP.NET Membership and Role providers. If so, you need a separate web.config in each folder to restrict permissions.
web.config inside Admin folder
The following web.config setting (located inside the Admin folder) allows only users in the Admin role to access files inside the Admin folder. Other users cannot access those files.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
You have here a very good tutorial, and you can even download a tool for administrating users, roles and permissions. You can download the source code from the bottom of the page, in the attachments section.
Web.Config Setting
<!-- Path: folder path -->
<location path="_adminUser">
  <system.web>
    <authorization>
      <!-- Users who have the Admin role can access the _AdminUser folder aspx pages -->
      <allow roles="Admin"/>
      <!-- Other users cannot access the _AdminUser folder aspx pages -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<!-- Path: folder path -->
<location path="_EmployeeUser">
  <system.web>
    <authorization>
      <!-- Users who have the Employee role can access the _EmployeeUser folder aspx pages -->
      <allow roles="Employee"/>
      <!-- Other users cannot access the _EmployeeUser folder aspx pages -->
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
I also wrote the following code for my Login control's LoggedIn event:
using System;
using System.Web.Security;

protected void Login1_LoggedIn(object sender, EventArgs e)
{
    // Please don't use User.IsInRole here, because it will not be populated yet at this stage.
    if (Roles.IsUserInRole(Login1.UserName, "Admin"))
    {
        Login1.DestinationPageUrl = "~/_adminUser/Default.aspx";
    }
    else if (Roles.IsUserInRole(Login1.UserName, "Employee"))
    {
        Login1.DestinationPageUrl = "~/_EmployeeUser/Default.aspx";
    }
}
The above approach is working for me, but it has a drawback: I have to add code every time a new role is added. I am not sure why the separate web.config file for the related folder is not working, as mentioned in one of the solutions.
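One way to remove the per-role branch from the LoggedIn handler, added here as an example and not code from the question or its answers: instead of asking the role provider about each role by name, ask the same URL authorization rules that already guard the folders (the real ASP.NET API UrlAuthorizationModule.CheckUrlAccessForPrincipal) which of an ordered list of landing pages the user may open. Login1 and the folder names come from the question; the page class name _Login, the LandingPages list and the fallback to ~/Default.aspx are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public partial class _Login : System.Web.UI.Page
{
    // Assumed ordered list of landing pages, most privileged first, so a super
    // user (Admin) lands in the admin folder even if also in another role.
    private static readonly string[] LandingPages =
    {
        "~/_AdminUser/Default.aspx",
        "~/_ModeratorUser/Default.aspx",
        "~/_EmployeeUser/Default.aspx",
    };

    protected void Login1_LoggedIn(object sender, EventArgs e)
    {
        // Fall back to the public start page if no restricted folder admits the user.
        Login1.DestinationPageUrl = GetLandingPage(Login1.UserName) ?? "~/Default.aspx";
    }

    // Returns the first landing page that the configured <authorization> rules
    // (root <location> entries or per-folder web.configs) allow this user to GET,
    // or null if none. Adding a role then means adding its authorization rule and
    // one entry to LandingPages; no role name is hard-coded here.
    internal static string GetLandingPage(string userName)
    {
        // HttpContext.Current.User is not yet populated in the LoggedIn event, so
        // build the principal explicitly from the role provider.
        IPrincipal principal = new GenericPrincipal(
            new GenericIdentity(userName), Roles.GetRolesForUser(userName));

        return LandingPages.FirstOrDefault(page =>
            UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                VirtualPathUtility.ToAbsolute(page), principal, "GET"));
    }
}
```

Because the decision is taken from the authorization rules themselves, the redirect can never send a user to a folder the rules would then block, and the order of LandingPages decides the landing page only among folders the user is actually allowed into.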
I am using MembershipProvider and currently I have 3 roles:
User, Super User, Admin.
Also I have pages that can be seen only by Admin and Super User.
For these pages I use this configuration in web.config:
<location path="Users.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin, Super User"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
And this works perfectly fine.
But I have a bunch of pages
Evaluations
Actions
Reports
Files
to which I want separate access. I want to grant access to each page individually.
Is there a better way to do it than creating a role for each page and then assigning users to these roles?
P.S.
I am using ASP.NET, not MVC
Yes, modify your folder structure to be something like this:
- Super User
- Admin
- All
And then you can do stuff like this:
<location path="Super User">
  <system.web>
    <authorization>
      <allow roles="Super User"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Super User/Admin">
  <system.web>
    <authorization>
      <allow roles="Admin"/>
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="Super User/Admin/All">
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</location>
And now simply place the pages in the appropriate folders. Per the MSDN documentation, the location element applies to all sub-directories:
Specifies the resource that the contained configuration settings apply to. Using location with a missing path attribute applies the configuration settings to the current directory and all child directories. If location is used with no path attribute and allowOverride is False, configuration settings cannot be altered by Web.config files that are in child directories.
so Super User by definition will have access to all the other pages below, and so on.
Yes, there is a better and simpler way. Put all your restricted pages in a separate folder and create an additional web.config in this folder. This additional web.config should contain the authorization section only.
The runtime will evaluate your web.configs from the request folder up to the application root. Because the authorization section exists in this additional web.config, it will override your root authorization section.
This way a single setting (a single web.config) can guard an arbitrary number of files (all files in the directory).
You can also assign permissions to a folder instead, using the <location> element. This way you can group a bunch of pages into one permission set. Also, you could validate permissions in code: in global.asax, Application_PostAuthenticateRequest runs for each request to the server (so for each aspx page), and you can write code there to do the validation and redirect away if the user doesn't have the permissions.
I have created some web forms and I need to check whether the user is authenticated or not before displaying the other web forms. All users can access the Default.aspx and About.aspx pages.
And I have three types of users, namely Admin, User and Super User. Also, I keep the authentication details in my own SQL Server DB.
How can I do this?
Thanks in advance!
First establish the membership and role providers. There is a whole story about it; I will give some help here.
Here is a link to SqlMembershipProvider (one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlmembershipprovider.aspx
Here is a link to SqlRoleProvider (again, only one of the options you can take):
http://msdn.microsoft.com/en-us/library/system.web.security.sqlroleprovider.aspx
After you have established this you can limit user/role access at folder level. Put this code in web.config (inside the configuration tag):
<location path="AdminPages">
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="UserPages">
  <system.web>
    <authorization>
      <allow roles="Administrator,User"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Here is a little explanation. The root folder "AdminPages" will be allowed only to users in the role "Administrator". The root folder "UserPages" to users in the roles "Administrator" and "User". In both cases unknown users will not be allowed to access the folders. This is all you need. An alternative is to create a class that inherits from Page and handle page access there; however, I would not go that way.
Possibly a stupid question:
I have a site, developed by an outside company, which requires logon for all pages.
We'd like to add a single page to the site that DOESN'T require the user to be logged in, so they can click the link on the logon page to view "T&C's"-type info.
Is this possible?
(ASP.NET 4.0 on IIS)
If you're using the ASP.NET membership providers you can specify this in the web.config file. Where for blocked pages you would expect:
<authorization>
  <allow roles="granted"/>
  <deny users="*"/>
</authorization>
you can specify this per folder (or per page):
<location path="terms.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
to allow everyone access to this specific page.
Note that you can create a specific web.config in a folder of your website; these settings override the general web.config. This allows you to customize these settings at folder level.
Thanks to oɔɯǝɹ for pointing me in the right direction:
Added this after my node
<location path="terms.aspx">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Will this only have static content? Is it the ASP.NET application dealing with authentication?
If so you can just upload a .html file containing simple HTML (and your T&C), which will be served without any problem to anyone requesting it.
I'm looking to deploy a web app and I have a simple question about the <location> tag of the web.config file. For the moment, I want all the pages to be password protected and I've created a simple login page with the Login control. I've put all my .aspx files in a directory called AppMyPages and I've put this in the config file:
<location path="AppMyPages">
  <system.web>
    <authorization>
      <allow roles="tester" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
If I want to fully protect my site, do I need to do the same thing for all the other folders (AppCode, AppData, MyJavascripts, MyStylesheets, MyImages....)?
Thanks.
You don't have to do AppCode/AppData, but you need to be careful restricting MyJavascripts/Stylesheets/Images if any of those resources are used on unauthenticated pages (e.g. the Login page).
I've got an ASP.NET application that uses the CreateUserWizard to register new users. Part of my registration process is creating a "home directory" for the user where they'll be able to upload files.
I'd like to use the ASP.NET authorization features to restrict access to the "home directory". Only the registered user assigned to the directory should have access.
I think I know how to do this declaratively with Web.config. I can do something like the following:
<?xml version="1.0"?>
<configuration>
  .
  .
  <location path="UserHomeDirectories">
    <system.web>
      <authorization>
        <deny users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="UserHomeDirectories/MyUser">
    <system.web>
      <authorization>
        <allow users="MyUser"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  .
  .
  .
This post almost answers my question, but can someone help me out with my particular situation? One more thing: doesn't modifying the Web.config restart the application? (i.e. when the directory creation/authorization code in my CreatedUser event handler of the CreateUserWizard class is run?)
Thank you for your help!
Instead of using the location attribute in your app-wide web.config, you can place a new one inside the user's folder. In this new file, you specify the authorization rules for that specific folder, and they will override the app-wide rules.
As this does not change your original web.config file, your application will not restart.
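The per-folder web.config the answer describes, generated from the CreatedUser handler, as an added example that is not the asker's or answerer's code. The folder name UserHomeDirectories and the CreateUserWizard1 control come from the question; the page class name Register, the character rule for user names and the 64-character limit are assumptions. The two checks a practitioner would want here are that the user name cannot escape the home root as a path segment, and that it is written into the XML by an XML API rather than by string concatenation.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;
using System.Xml.Linq;

public partial class Register : System.Web.UI.Page
{
    // Root of all per-user home directories (folder name taken from the question).
    private const string HomeRoot = "~/UserHomeDirectories";

    protected void CreateUserWizard1_CreatedUser(object sender, EventArgs e)
    {
        CreateUserHomeDirectory(Server.MapPath(HomeRoot), CreateUserWizard1.UserName);
    }

    // Creates <homeRoot>/<userName>/ and writes a web.config into it that admits
    // only that user. Only the authorization section is written, so every other
    // setting is still inherited, and the root web.config is never modified.
    internal static string CreateUserHomeDirectory(string homeRootPath, string userName)
    {
        // The user name becomes a directory name, so it must not contain path
        // separators or "..", and it must be a plain token for the XML attribute.
        // Assumed rule: letters, digits, underscore and hyphen only, 1-64 chars.
        if (!Regex.IsMatch(userName, @"^[A-Za-z0-9_-]{1,64}$"))
            throw new ArgumentException("user name is not a safe directory name", "userName");

        // Belt and braces: resolve both paths and confirm the home directory
        // really is a child of the home root before creating anything.
        string root = Path.GetFullPath(homeRootPath);
        string dir = Path.GetFullPath(Path.Combine(root, userName));
        if (!dir.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("home directory would fall outside " + root);

        Directory.CreateDirectory(dir);

        // Authorization rules are evaluated top down and the first match wins:
        // allow the owner, then deny everyone else. XDocument escapes the user
        // name, so it cannot break out of the attribute.
        var config = new XDocument(
            new XElement("configuration",
                new XElement("system.web",
                    new XElement("authorization",
                        new XElement("allow", new XAttribute("users", userName)),
                        new XElement("deny", new XAttribute("users", "*"))))));
        config.Save(Path.Combine(dir, "web.config"));
        return dir;
    }
}
```

If your membership configuration permits user names outside that character set (e-mail addresses, for instance), keep the check and derive the directory name from something that does satisfy it, such as the provider user key, rather than loosening the rule; the allow rule in the generated file must still name the real user name, which XDocument will escape.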