I have given the particular permission for the particular user.
Only that menu will be enabled which permission is set for that user.
I have two problems....
1) Menu item should be invisible rather than disable
2) If any User copy the page name which it has no access and can open it..
Suggest any....(urgent)
you can add this in the page load
if (!HttpContext.Current.User.IsInRole("YourRole"))
{
Response.Redirect("~/AccessDenied.aspx");
}
you can manage the menu security by using ASP.NET Site-Map Security Trimming but if you want to prevent the uses from accessing the page through the url you can use put it inro your web.config file like:
<location path="securedAdministrationPage.aspx">
<system.web>
<authorization>
<deny users="*" />
<allow users="*" roles="Admins"/>
</authorization>
</system.web>
</location>
this link will help you http://wiki.asp.net/page.aspx/653/aspnet-webconfig--location-and-authroization-tags/
You should look into the <location> element in <system.web> section of web.config. There you can set access rules as simple as
<authorization>
<allow roles="Admin" /> <!--allows access to admins-->
<deny users="*" /> <!-- denies access to any other users -->
</authorization>
More info here
I would suggest putting your navigation into an user control and then use a switch statement or such, as well as the location section in the webconfig.
In the switch statement you can then use the 'Visible' attributes to hide the nav links (make sure they have a runat="server") from the users who do not have permission to view certain pages, dependant on their role (if using asp.net membership)
Related
I have a specific page within a webform application which i never want to log out.
It is not within a masterpage
It has an auto refresh tag in the header to refresh the entire page on intervals:
(added via code)
all functions correctly but appears to logout after 2 hours.
You could fix the issue by configuring your web.config for an individual location, like below:
<location path="PATH TO THE FOLDER/FILE THAT YOU DO NOT WANT TO BE AUTHORIZED">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
I have an asp.net 3.5 website with using forms authentication and asp.net roles and membership. I have an image in folder images. In my web.config i give access to this folder
<location path="images">
<system.web>
<authorization>
<!-- Order and case are important below -->
<allow roles="*"/>
<allow users="*"/>
</authorization>
</system.web>
</location>
I can see the image from a page in my root. When i traverse to a page(Page.aspx) one folder down, the image is not visible, i.e /Operational/Page.aspx.
How should i setup authorisation with regards to subfolders?
It can be a path issue. As I guess you settings are good you don't need to change it.
You can view the path in the browser and see if there path are correct or not.
You can use firebug or Firefox to check the path.
I am using MembershipProvider and currently a have 3 roles:
User, Super User, Admin.
Also I have pages that can be seen only by Admin and Super User.
For these pages a I use configuration in web config:
<location path="Users.aspx">
<system.web>
<authorization>
<allow roles="Admin, Super User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
And this works perfectly fine.
But I have bunch of pages
Evaluations
Actions
Reports
Files
to which a I want separate access. I want grant access to each page individually.
Is there better way to do it than create roles for each page and than assign to these roles?
P.S.
I am using ASP.NET, not MVC
Yes, modify your folder structure to be something like this:
- Super User
- Admin
- All
And then you can do stuff like this:
<location path="Super User">
<system.web>
<authorization>
<allow roles="Super User"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Super User/Admin">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="Super User/Admin/All">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
And now simply place the pages in the appropriate folders. Per the MSDN Documentation the location element applies to all sub-directories:
Specifies the resource that the contained configuration settings apply to. Using location with a missing path attribute applies the configuration settings to the current directory and all child directories. If location is used with no path attribute and allowOverride is False, configuration settings cannot be altered by Web.config files that are in child directories.
so Super User by definition will have access to all other pages below and so on.
Yes, there is a better a simpler way. Put all your restricted pages in a separate folder and create an additional web.config in this folder. This additional web.config should contain the authorization section only.
The runtime will evaluate your web.configs from the request folder up to the application root. Because the authorization section exists in this additional web.config it will overwrite your root authorization section.
This way a single setting (single web.config) can guard arbitrary number of files (all files in the directory).
You can also assign permissions to a folder instead using the <location> element. This way, you can group a bunch of pages into one permission set. Also, you could validate permissions in code; in global.asax, the application_postauthenticaterequest runs for each request to the server (so for each aspx page), and you can write code here to do the validation, and redirect away if the user doesn't have the permissions.
In my asp.net application ,in web.config file i have set authentication mode="forms" and protection="All".But after doing this i get access to login page without any image and css resources .I also need to access my home page without login.How can i do this kindly help.
In the web.config, you will need to add a location that allows all user to access the images and CSS files. Something like:
<location path="images">
<system.web>
<authorization>
<allow users="*" />
<allow users="?" />
</authorization>
</system.web>
</location>
That should sit under the root node of the config file.
You can do the same for the homepage, adjusting the value of path to the correct location.
Possibly a stupid question:
I have a site, developed by an outside company, which requires logon for all pages.
We'd like to add a single page to the site that DOESN'T require the user to be logged in...so they can click the link on the logon page to view "T&C's" type info.
Is this possible?
(ASP.Net 4.0 on IIS)
If you're using the ASP.Net membership providers you can specify this in the web.config file. Where for blocked pages you would expect:
<authorization>
<allow roles="granted"/>
<deny users ="*"/>
</authorization>
you can specify this per folder (or per page):
<location path="terms.aspx">
<system.web>
<authorization>
<allow users ="*"/>
</authorization>
</system.web>
</location>
to allow everyone access to this specific page.
Note that you can create a specific web.config in a folder in your website, these settings override the general web.config. This allows you to customize these settings per folder level.
Thanks to oɔɯǝɹ for pointing me in the right direction:
Added this after my node
<location path="terms.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Will this only have static content? Is it the asp.net application dealing with authentication?
If so you can just upload a .html file containing simple HTML (and your T&C) which will be served no problem to anyone requesting it.