ASP.NET Dynamic Data & Membership (Roles) - asp.net

I am trying to set up roles in a dynamic data website.
The problem is that I can't set it by simply doing this.
<location path="List.aspx">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
So even when I log in as a role called "Member" it still allows me to go into List.aspx.
Can anyone please guide me on this?
Oh, btw, I am also using MVC on the same site.

Dynamic Data pages ignore all that jazz.
Look at the Secure Dynamic Data Project here:
http://www.codeplex.com/aspnet/Release/ProjectReleases.aspx?ReleaseId=14473
...
Or there is another way which worked for me.
Change your location path to:
<location path="Admin/<TableName>/List.aspx">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
And then (in your global.asax.cs file) change your dynamic data route to:
routes.Add(new DynamicDataRoute("Admin/{table}/{action}.aspx")
This allowed me to provide table level security. If that doesn't work just make a comment and I'll look into it again.

Your question, as my friend said, needs more details. Anyway:
1. First, try to check whether you enabled Roles inside web.config or not.
2. Have you done this by WAT or not? Try the alternative as a test.
3. Set the authentication inside web.config to Forms.
Hope to help
Regards
-MHM-

Related

asp.net Allow single page to be viewed without authorisation

Possibly a stupid question:
I have a site, developed by an outside company, which requires logon for all pages.
We'd like to add a single page to the site that DOESN'T require the user to be logged in...so they can click the link on the logon page to view "T&C's" type info.
Is this possible?
(ASP.Net 4.0 on IIS)
If you're using the ASP.Net membership providers you can specify this in the web.config file. Where for blocked pages you would expect:
<authorization>
<allow roles="granted"/>
<deny users ="*"/>
</authorization>
you can specify this per folder (or per page):
<location path="terms.aspx">
<system.web>
<authorization>
<allow users ="*"/>
</authorization>
</system.web>
</location>
to allow everyone access to this specific page.
Note that you can create a specific web.config in a folder in your website, these settings override the general web.config. This allows you to customize these settings per folder level.
Thanks to oɔɯǝɹ for pointing me in the right direction:
Added this after my node
<location path="terms.aspx">
<system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>
Will this only have static content? Is it the asp.net application dealing with authentication?
If so you can just upload a .html file containing simple HTML (and your T&C) which will be served no problem to anyone requesting it.

Forms authentication Of Asp.net

I am working on an ASP.NET application where I have 4 roles: 1. Admin 2. User 3. Reseller 4. Affiliate. I am using Forms Authentication, and everything was working fine for a single role (User). But now I have 4 roles and I don't understand how to manage this. I have 4 folders for the different users.
If I log in with a reseller account and change the URL to a user page, it allows me to access the user part as well. But I don't want this. I need each user to be able to access only his own area. That is, if a reseller is logged in, he can only access reseller pages in the same folder, nothing else.
Please help me find a solution.
You can use the web.config to set the permission or you can also get more granular and decorate the class or method you want to lock down like this:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = @"Administrators")]
All of this is part of the role manager that you can set up. Start by reading this article that explains what to do.
There are two things to look at here. First of all, restricting access to each folder by role ought to be straightforward enough if you use <location> elements in your web.config e.g.
<location path="Resellers">
<system.web>
<authorization>
<allow roles="Reseller"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="Users">
<system.web>
<authorization>
<allow roles="User"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
...
Also in your individual pages, you can call the IsUserInRole function to check whether your user is in the correct role to access the page.
You might want to get hold of a copy of Beginning ASP.NET Security, it's got great information on how to do this.
You need to set the appropriate authentication settings in a web.config file for each folder you are restricting access to, i.e.
<authorization>
<deny users="?" />
<allow roles="Administrators" />
<deny users="*" />
</authorization>
Will allow access only to validated users with the role of "Administrators".
In each of the folders you have to place a web.config file that restricts access to the role in question. For example, in the resellers folder you have a web.config containing:
<authorization>
<allow roles="Resellers"/>
<deny users="*"/>
</authorization>
And so on for the other folders.
use like below code:
<location path="Users">
<system.web>
<authorization>
<allow roles="Users"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
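The `<authorization>` snippets in this thread depend on rule order: ASP.NET URL authorization walks the rules top to bottom and applies the first one that matches the request. The following is an added example, not code from any of the posts: a simplified Python model of that first-match evaluation plus a check for rules that can never fire, run on constructed samples (the function names and the sample role are assumptions; verbs and inherited parent rules are not modelled).

```python
# Added example: simplified model of first-match <authorization> evaluation.
import xml.etree.ElementTree as ET

def _split(value):
    return [s.strip() for s in value.split(",") if s.strip()]

def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        if el.tag in ("allow", "deny"):
            rules.append((el.tag, _split(el.get("users", "")),
                          _split(el.get("roles", ""))))
    return rules

def rule_matches(rule, user, user_roles):
    """user is None for an anonymous request. Names compared exactly (simplification)."""
    _, users, roles = rule
    if "*" in users:                    # "*" = everyone
        return True
    if "?" in users and user is None:   # "?" = anonymous only
        return True
    if user is not None and user in users:
        return True
    return any(r in user_roles for r in roles)

def is_allowed(rules, user, user_roles=()):
    """The first matching rule decides the outcome."""
    for rule in rules:
        if rule_matches(rule, user, user_roles):
            return rule[0] == "allow"
    # Assumption: nothing matched and no parent config denies, so the
    # root-level default (allow everyone) applies.
    return True

def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule has users="*"."""
    dead, catch_all_seen = [], False
    for i, rule in enumerate(rules):
        if catch_all_seen:
            dead.append(i)
        if "*" in rule[1]:
            catch_all_seen = True
    return dead

# Constructed samples (not taken from any real site).
ALLOW_THEN_DENY = '<authorization><allow roles="Reseller"/><deny users="*"/></authorization>'
DENY_THEN_ALLOW = '<authorization><deny users="*"/><allow roles="Reseller"/></authorization>'
ALLOW_ONLY = '<authorization><allow roles="Reseller"/></authorization>'
```

With `ALLOW_ONLY` a user outside the role is still let in, because an `<allow>` without a closing `<deny users="*"/>` restricts nothing.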

Security While navigation in ASP.NET

I have given a particular permission to a particular user.
Only the menu for which permission is set for that user will be enabled.
I have two problems:
1) Menu items should be invisible rather than disabled
2) Any user can copy the name of a page they have no access to and open it.
Suggest any....(urgent)
you can add this in the page load
if (!HttpContext.Current.User.IsInRole("YourRole"))
{
Response.Redirect("~/AccessDenied.aspx");
}
You can manage the menu security by using ASP.NET Site-Map Security Trimming, but if you want to prevent the users from accessing the page through the URL you can put it into your web.config file like:
<location path="securedAdministrationPage.aspx">
<system.web>
<authorization>
<allow roles="Admins"/>
<deny users="*" />
</authorization>
</system.web>
</location>
this link will help you http://wiki.asp.net/page.aspx/653/aspnet-webconfig--location-and-authroization-tags/
You should look into the <location> element in <system.web> section of web.config. There you can set access rules as simple as
<authorization>
<allow roles="Admin" /> <!--allows access to admins-->
<deny users="*" /> <!-- denies access to any other users -->
</authorization>
More info here
I would suggest putting your navigation into a user control and then using a switch statement or such, as well as the location section in the web.config.
In the switch statement you can then use the 'Visible' attributes to hide the nav links (make sure they have a runat="server") from the users who do not have permission to view certain pages, dependent on their role (if using ASP.NET membership).

<authorization> can protect pages?

Can I use <authorization> to protect webforms from being accessed if a person does not have a specific role?
I tried this:
<authentication mode="windows" />
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
but if the role Admin is not available then I can still visit the page by typing in the URL. How can I protect this page?
I read the documentation on MSDN (ASP.NET Authorization).
I also put the UrlAuthorizeModule extra in the web.config to make sure that it gets hit.
Best to read this: ASP.NET Authorization
It explains how to set the allow/deny elements for users and roles.

Set ASP.NET Authorization for a sub-directory in web application programmatically

I've got an ASP.NET application that uses the CreateUserWizard to register new users. Part of my registration process is creating a "home directory" for the user where they'll be able to upload files.
I'd like to use the ASP.NET authorization features to restrict access to the "home directory". Only the registered user assigned to the directory should have access.
I think I know how to do this declaratively with Web.config. I can do something like the following:
<?xml version="1.0"?>
<configuration>
.
.
<location path="UserHomeDirectories">
<system.web>
<authorization>
<deny users="?"/>
</authorization>
</system.web>
</location>
<location path="UserHomeDirectories/MyUser">
<system.web>
<authorization>
<allow users="MyUser"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
.
.
.
This post almost answers my question, but can someone help me out with my particular situation? One more thing: doesn't modifying the Web.config restart the application? (i.e. when my code in the directory creation/authorization code in my CreatedUser event handler of the CreateUserWizard class is run?)
Thank you for your help!
Instead of using the location attribute in your app-wide web.config, you can place a new one inside the user's folder. In this new file, you specify the authorization rules for that specific folder, and they will override the app-wide rules.
As this does not change your original web.config file, your application will not restart.
