ASP web.config authorization to new roles added by users - asp.net

I've been searching around the internet and I can't find an exact solution. Sorry it's a bit long but I'm hoping someone can help me.
I'm working on a web-based system using ASP.Net (4.0). This system allows an administrator to add new roles. Apart from adding new roles, the administrator can also set permissions to a role to access different pages.
For example, by default the User role can only access the Home page and. Say the administrator decides to set a new permission to this role and allows it to access another page (for example: ManageUsers.aspx)
I am using the Forms Authentication via the web.config. The web-pages are in two separate folders, one for each role (Admin and User). In each folder another web.config defines which roles can access the pages in this folder.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="2"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
The problem is that if the administrator grants access to the User role for a page (for example: ManageUsers.aspx) that is allocated in the Admin folder, the User role is denied access to this page since only an Admin role can access these pages.
The first solution I thought of was changing the web.config at run time, but this will restart the application every time the web.config is changed.
The second solution is listing the pages each role can access from a database table or an XML file. I'm not sure if it will work if I still use the Forms Authentication. Shall I use locations in the web.config files? Or maybe there's another way to solve this? I can't get my head around it.
Thanks in advance for any help!
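
The second approach described in the question above (page permissions kept in a table while Forms Authentication still handles login), shown as an added example that is not part of the original post. `PagePermissionModule`, the `~/User/Home.aspx` and `~/Login.aspx` paths and the sample map are assumptions, and `User.IsInRole` is assumed to resolve the application's roles (role provider or custom principal).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class PagePermissionModule : IHttpModule
{
    // Constructed sample data. A real application loads this from its permission
    // table and calls Replace() when the administrator edits a role.
    private static volatile Dictionary<string, HashSet<string>> _pagesByRole =
        new Dictionary<string, HashSet<string>>
        {
            { "Admin", Pages("~/Admin/ManageUsers.aspx", "~/User/Home.aspx") },
            { "User",  Pages("~/User/Home.aspx") }
        };
    // Pages reachable without logging in (hypothetical login page path).
    private static readonly HashSet<string> Anonymous = Pages("~/Login.aspx");

    private static HashSet<string> Pages(params string[] paths)
    {
        return new HashSet<string>(paths, StringComparer.OrdinalIgnoreCase);
    }
    // Swapping the reference takes effect on the next request, with no restart.
    public static void Replace(Dictionary<string, HashSet<string>> map) { _pagesByRole = map; }

    // Default deny: allowed only if some role the user holds lists the page.
    public static bool IsAllowed(IPrincipal user, string page)
    {
        if (Anonymous.Contains(page)) return true;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        foreach (var entry in _pagesByRole)
            if (entry.Value.Contains(page) && user.IsInRole(entry.Key)) return true;
        return false;
    }

    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string page = ctx.Request.AppRelativeCurrentExecutionFilePath;
        // Only .aspx pages are governed here; other handlers need their own check.
        if (!page.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase)) return;
        if (IsAllowed(ctx.User, page)) return;
        // 401 makes Forms Authentication redirect to the login page; 403 tells a
        // signed-in user that the role lacks permission for this page.
        bool signedIn = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        ctx.Response.StatusCode = signedIn ? 403 : 401;
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

Register the class under `<httpModules>` (or `<system.webServer>/<modules>` in IIS integrated mode) and reduce the folder-level rules to `<deny users="?"/>`, so that the table rather than the folder decides which role reaches a page.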

Related

How to restrict access to a folder in my domain using web.config file aspx page

Hello, I have a domain
www.xxxx.com/folder/folder/default.aspx
Inside the second folder I have a lot of subfolders.
I want to restrict access for unauthorized users.
Can anyone explain how to do this using Web
I want to check the user name [session] from the cookies.
If the session is there, I need to allow access; otherwise deny.
Can anyone please help?
<system.web>
  <authorization>
    <deny users="?"/>
    <allow users="xxxx"/>
  </authorization>
</system.web>
Now it's blocking all users; it's not allowing user xxxx.
Please help.
The best way for doing this is setting the authentication mode to Windows. By doing this the server will use the domain accounts or the local user accounts to allow access. You just have to set the appropriate permissions to these users or to their user groups directly in this folder (by using the security tab in Windows folder properties).

Set permission for each page user wise in ASP.NET

I am working with a very large application in ASP.NET and SQL Server 2012 Express.
Mainly there are a few folders as roles like Admin, Manager, Accountant etc.
In those folders there are hundreds of .aspx pages.
I also have a custom user management system with roles like Admin, Manager, Accountant.
I am looking for a permission mechanism with which I will be able to set permission for each page with each user. And I need permission like READ, EDIT, DELETE for each page and each user.
When user logs in, and clicks on page link, if he has permission to see that page, he will get the page otherwise not.
Is there any framework or code or something like that I can utilize?
Or can somebody give me idea on how do I achieve this?
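I believe you have a web.config in each folder. In your config file you can set the role-based permission like below for each specific folder:
<system.web>
  <authorization>
    <!-- Rules are evaluated top-down and the first match wins. -->
    <allow roles="Admin"/>
    <!-- Deny everyone else; with users="?" only anonymous users are denied and
         signed-in users outside the Admin role fall through to the inherited allow. -->
    <deny users="*"/>
  </authorization>
</system.web>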

Restrict user from directly typing the URL to access other aspx pages

Hi guys, I need your expertise with regard to my problem...
My scenario is that my web app can be accessed by Active Directory users; I don't have any login...
Once an authorized user accesses my web app, I want them to be restricted from typing a particular aspx page directly into the URL. Does anyone know how to do it?
Regards.
You cannot restrict a user from typing in a url in a browser - that just does not make sense.
You will need to restrict access to your pages using standard ASP.NET roles or authorization, or some other method.
As blorkfish suggested, you can use forms authorisation to restrict a user from accessing a page or a folder by redirecting him/her to a default/login page. Here is an example:
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin,User"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
This is a web config file that you can place in a folder containing some web pages. So in this example only users with the role "User" and/or "Admin" will be allowed to open a page within this folder. All the rest will be denied and (if set up in root web.config) redirected to default page.

ASP Authentication set to None and still prompting for login

Firstly I just want to say I'm not an ASP developer, I'm PHP through n through...
So my problem is this, all of a sudden a client site has started prompting for users to be logged in when viewing pages in a sub directory, when I download the web.config file I can see the authentication mode set to "Windows" this would appear to be an issue but it was working up until now, so I set it to None and uploaded the file (there isn't a web.config in the sub directory, just the site root) and it continues to prompt me for the login.
Is there something I need to do to "refresh" the server or something? I've looked through the hosting control panel and can't find anything about anonymous access or restarting the server. It's on a shared hosting account and the control panel is pretty below average.
Any help is greatly appreciated!! I'm in a panic and the hosting company don't have ASP support on hand
Thanks,
Mark
In the folder that you want anonymous access, just use the web.config authorization section to allow anonymous users:
<configuration>
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</configuration>
The * essentially means Everyone, so it is just saying that for the current directory, everyone is allowed access - you only need this in the web.config... nothing more.
If you are still receiving prompts after this, then the folder itself must have permissions at the operating centre level (NTFS permissions) which do not allow Anonymous access... Although you say the ASP support isn't at hand, I presume you can raise help tickets with them to enable this access?
Edit
I should add that this setting of authorization is different to setting an Authentication scheme (Windows Authentication, Forms Authentication etc). For example, you might have Forms Authentication for your website but specifically want anonymous access to a folder (like this case) so setting your authentication option isn't actually relevant.

ASP.Net Roles: Page-Level Security Question

We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to.
We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access.
A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.
Have you looked at ASP.Net Membership for this yet? It takes care of all of the scenarios you listed above (trimming menus, page security) and in a very easy to use manner.
See here for more information about membership - http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx.
Are you using built-in membership?
If so, you can use the location section of your web.config file to restrict access to individual pages or entire directories. From MSDN:
The following example allows an anonymous user to access the Logon.aspx page:
<configuration>
  <location path="Logon.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
