<authorization> can protect pages? - asp.net

Can I use <authorization> to protect webforms from being accessed if a person does not have a specific role?
I tried this:
<authentication mode="windows" />
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
but if the role Admin is not available then I can still visit the page by typing in the URL. How can I protect this page?
I read the documentation on MSDN (ASP.NET Authorization).
I also put the UrlAuthorizationModule explicitly in the web.config to make sure that it gets hit.

Best to read this: ASP.NET Authorization
It explains how to set the allow/deny elements for users and roles.

Related

How to use form authentication in ASP.Net?

I have one application with Forms Authentication. I have different levels of users.
When logged in as Admin it has to show all the screens, and when logged in as Client the data needs to be restricted.
I have logged in as Client in Internet Explorer. After the timeout it is showing Admin's data. Please tell me the way to get the login page after the timeout.
My config file settings are:
protection="All" enableCrossAppRedirects="false" slidingExpiration="true"
Thanks,
Rakesh.
You can put all admin-accessible pages in one folder and give folder-level security to allow only users in the Admin role to browse through the pages. And put all the pages to be accessible by users in the Client role in another folder, with the accessible role being Client as well as Admin.
You need to implement role-based authorization as below:
<location path="Admin">
<authorization>
<allow roles="Admin" />
<deny users="*" />
<deny roles="*" />
</authorization>
</location>
<location path="Members">
<authorization>
<allow roles="Members" />
<deny users="*" />
<deny roles="*" />
</authorization>
</location>
Please refer to this nice article for more details.

Asp.Net: How to allow access to a page to intranet user and deny for extranet users?

I have an app with two pages: pagein.aspx and pageout.aspx. Pagein.aspx must be accessible ONLY to intranet users of my company, but pageout.aspx must be accessible to extranet users (world). My last option is to use the authorization (user and password), but I prefer to use the logic I described. Is this possible in asp.net? If yes, how?
You can do this via web.config:
<location path="Pagein.aspx">
<system.web>
<authorization>
<allow roles="YourDomain\Domain Users" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="PageOut.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
The simpler solution is to have two websites (two virtual directories), in one enable windows authentication: http://msdn.microsoft.com/en-us/library/ff647405.aspx
In the other, use ASP.NET membership, or leave it public and accessible by anonymous users.
If you need both in the same application, then use the various authorization techniques to require authorization for some pages and leave other pages open to the public.

using multiple authorization elements in web.config

Is it possible to use multiple authorization elements in a single web.config to allow additional users access to one file?
E.g., I would like to allow User1 access to the whole application (including Page1.aspx), and User2 access to only Page1.aspx:
<system.web>
<authorization>
<allow users="DOMAIN\User1" />
<deny users="*" />
</authorization>
</system.web>
<location path="~/Page1.aspx">
<system.web>
<authorization>
<allow users="DOMAIN\User2" />
<deny users="*" />
</authorization>
</system.web>
</location>
I believe you can use a comma delimited list of users, so there should be no need for using multiple authorization elements for a single resource.
Also, it is generally better to rely on roles instead of specific users. Since it appears you are using AD, then you can use a security group or something similar for the roles.
If you remove the <deny users="*" /> from the Page1.aspx authorization section, you should get what you want. It will allow User2 to use just that page, and User1's authorization to everything will still apply to this page as well.
Here's a pretty good tutorial on all things related to authorization.

Forms authentication Of Asp.net

I am working on an ASP.NET application where I have 4 roles in my application: 1. Admin, 2. User, 3. Reseller, 4. Affiliate. I am using Forms Authentication for this, and everything was working fine for a single role (User). But now I have 4 roles and I am not getting how to manage this. I have 4 folders for the different users.
If I log in with a reseller account and change the URL to the user part, it allows me to access the user part as well. But I don't want this. I need in my app that a user can access only his own access area. That means if a reseller is logged in, he can only access reseller pages in that same folder, nothing else.
Please help me find this solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There are two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config, e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny roles="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing (the allow rule must come before the catch-all deny, because the first matching rule wins):
<authorization>
<allow roles="Resellers"/>
<deny users="*"/>
</authorization>
And so on for the other folders.
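The answers above on rule ordering and on combining a root section with a <location> section both hinge on how URL authorization evaluates <authorization> rules: top to bottom, first match wins, with the most specific section (a <location> element or a subfolder's web.config) checked before the parent's rules, and an allow-everyone default at the framework level. The following Python script is an added example and constructed model of that evaluation, not ASP.NET's own code; it parses the snippets from this thread (the Resellers folder config in both orders, the Administrators config, and the User1/User2 root-plus-location config) and reports who gets in. The sample configurations and principals are constructed for the example, and the verbs attribute is not modelled.

```python
"""Constructed model of how ASP.NET URL authorization evaluates <authorization>
rules (added example, not ASP.NET's own code).  Rules are checked top to bottom
and the first one that matches decides.  Rules from the most specific section
(a <location> element or a subfolder's web.config) are checked before the
parent's, and the framework-level default is <allow users="*"/>.  users="*"
matches everyone, users="?" matches anonymous requests only; names compare
case-insensitively.  The verbs attribute is not modelled."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str                        # "" means an anonymous request
    roles: frozenset = frozenset()

    @property
    def is_authenticated(self):
        return self.name != ""


def _rule_matches(rule, principal):
    """Does one <allow>/<deny> element apply to this principal?"""
    for name in (rule.get("users") or "").split(","):
        name = name.strip()
        if name == "*" or (name == "?" and not principal.is_authenticated):
            return True
        if name not in ("", "*", "?") and name.lower() == principal.name.lower():
            return True
    wanted = {r.strip().lower() for r in (rule.get("roles") or "").split(",") if r.strip()}
    return any(r.lower() in wanted for r in principal.roles)


def _decide(auth, principal):
    """First matching rule wins; None when nothing in this section matches."""
    if auth is not None:
        for rule in auth:
            if rule.tag in ("allow", "deny") and _rule_matches(rule, principal):
                return rule.tag == "allow"
    return None


def load_config(xml_text):
    """Return (root_auth, {location_path: auth}) from a web.config string."""
    root = ET.fromstring(xml_text)
    if root.tag == "authorization":               # bare folder-level snippet
        return root, {}
    locations = {}
    for loc in root.findall("location"):
        # tolerate the "~/" prefix used in the question; paths are config-relative
        path = (loc.get("path") or "").lstrip("~").strip("/").lower()
        locations[path] = loc.find("./system.web/authorization")
    return root.find("./system.web/authorization"), locations


def is_allowed(xml_text, request_path, principal):
    """Evaluate one request: most specific section first, then the root rules."""
    root_auth, locations = load_config(xml_text)
    req = request_path.lstrip("~").strip("/").lower()
    for path in sorted(locations, key=len, reverse=True):
        if req == path or req.startswith(path + "/"):
            verdict = _decide(locations[path], principal)
            if verdict is not None:
                return verdict
    verdict = _decide(root_auth, principal)
    return True if verdict is None else verdict   # framework default allows everyone


# Constructed sample configurations, copied from the answers in this thread.
RESELLERS_DENY_FIRST = """<authorization>
  <deny users="*"/>
  <allow roles="Resellers"/>
</authorization>"""                                # deny * is hit first: nobody gets in

RESELLERS_FIXED = """<authorization>
  <allow roles="Resellers"/>
  <deny users="*"/>
</authorization>"""

ADMIN_ONLY = """<authorization>
  <deny users="?"/>
  <allow roles="Administrators"/>
  <deny users="*"/>
</authorization>"""


def multi_user_config(deny_in_location):
    """Root grants User1 everything; a <location> grants User2 Page1.aspx only."""
    extra = '<deny users="*"/>' if deny_in_location else ""
    return f"""<configuration>
  <system.web><authorization>
    <allow users="DOMAIN\\User1"/><deny users="*"/>
  </authorization></system.web>
  <location path="~/Page1.aspx"><system.web><authorization>
    <allow users="DOMAIN\\User2"/>{extra}
  </authorization></system.web></location>
</configuration>"""


if __name__ == "__main__":
    reseller = Principal("bob", frozenset({"Resellers"}))
    print("deny-first config admits a Reseller:", is_allowed(RESELLERS_DENY_FIRST, "Resellers/x.aspx", reseller))
    print("fixed order admits a Reseller:", is_allowed(RESELLERS_FIXED, "Resellers/x.aspx", reseller))
    print("User1 on Page1 with deny in <location>:", is_allowed(multi_user_config(True), "Page1.aspx", Principal(r"DOMAIN\User1")))
    print("User1 on Page1 without that deny:", is_allowed(multi_user_config(False), "Page1.aspx", Principal(r"DOMAIN\User1")))
```

Running it shows the two failure modes the thread discusses: a `<deny users="*"/>` placed before the `<allow roles=.../>` locks the folder for everyone, and a `<deny users="*"/>` inside the Page1.aspx `<location>` shadows the root grant to User1, which is why removing it is the fix.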
Use code like the one below:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Multiple signin pages in one asp.net application

I have one ASP.NET web application.
It is using two membership providers.
There are two sign-in pages, one for each provider.
Now I have two folders in the root: Folder1 and Folder2.
Folder1 uses the 1st membership provider.
Folder2 uses the 2nd membership provider.
I got almost everything working, including sign-in, create user etc., for both providers.
The only issue is that in Forms authentication I can define only one login path. So when the session expires or a login is needed to access secure pages, it can only redirect to one sign-in page.
Also that section can't be defined per location, only per application.
How can I get Folder2 to use the 2nd sign-in page?
Is there anything I can define by location?
See How to override/change FormsAuthentication LoginUrl in certain cases
It appears from various people researching, that you cannot tell FormsAuthentication to have two different Login pages. But there is nothing preventing you from creating some base page class or other code in your two folders that can determine which login page to direct to. Or, I think that the Application_BeginRequest event fires before the FormsAuthentication module fires, so you could examine requests before they get redirected by FormsAuthentication. Either way though, you would be forced to allow anonymous users to Folder1 and Folder2, which is not ideal.
You need to use the <location> element in your web.config. You can use the <location> tag to apply authorization settings to an individual file or directory.
<location path="/root">
<system.web>
<authentication mode="Forms" >
<forms name="LoginForm" defaultUrl="default.aspx"
loginUrl="/root/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authentication mode="Forms" >
<forms name="formName" defaultUrl="login.aspx"
loginUrl="/root/admin/login.aspx" protection="Encryption"
timeout="30" path="/"/>
</authentication>
<authorization>
<allow users="?" />
</authorization>
</system.web>
</location>
MSDN:
For centralized administration, settings can be applied in the Machine.config file. The settings in the Machine.config file define machine-wide policy and can also be used to apply application-specific configuration using <location> elements. Developers can provide application-configuration files to override aspects of machine policy. For ASP.NET Web applications, a Web.config file is located in the application's virtual root directory and optionally in subdirectories beneath the virtual root.
If you would like one login location and different access levels, you might want to use roles.
<location path="/root">
<system.web>
<authorization>
<allow roles="admin,root" /><!-- admin and root are allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="/root/admin">
<system.web>
<authorization>
<allow roles="admin" /><!-- only admin is allowed -->
<deny users="*" />
</authorization>
</system.web>
</location>
Users can belong to more than one role. For example, if your site is a discussion forum, some users might be in the role of both Members and Moderators. You might define each role to have different privileges on the site, and a user who is in both roles would then have both sets of privileges.
You can access all these elements at the code level if you would like to manipulate the roles/authentication programmatically:
Page.User.Identity.Name
Page.User.Identity.IsAuthenticated
Page.User.Identity.AuthenticationType
Page.User.IsInRole("string");
Additional Links
Using 2 Membership Providers in asp.net
4 Guys From Rolla Tutorial
The ASP.NET web.config File Demystified