Re: web.config roles

Andrew,
Yeah, your on right track and I have divined that you've used the asp.net
configuration tool security tab because you have a web.config file in your
sub folder.

Proplem:
deny users="?" reads deny users that aren't authenticated to asp.net once
logged in they could go to the admin folder.

Solution: deny users="*" wild card to exclude everyone.

The authorization works top to bottom your in or your out. There is no
middle ground logical processing so you have to allow admin first then deny
everyone.

Your new web.config for the admin folder.
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0";>
<system.web>
<authorization>
<allow roles="Admin"/> /*admin is allowed */
<deny users="*"/> /* man nobody gets by the wildcard */
</authorization>
</system.web>
</configuration>

Try it watch how asp.net adds a query string "ReturnUrL" to redirect after
login. Cool stuff it will pick up the location of the login page from the
root web.config and automatically redirect there if it needs to, once you log
in asp.net will automatically redirect you back to the page that needs
authentication like any page in the admin folder.

Good Luck
DWS

"Andrew" wrote:

hi,
thanks for your reply.

what i have tried is to use a role based authorization.
I have 3 web.config files, one in the main folder n one each in the 2
subfolders.
My main web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/" loginUrl="UserLogin.aspx?Action=login"
protection="All" timeout="60" />
</authentication>

<authorization>
<deny users="?" />
</authorization>

<location path="default.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>

my subfolder web.config has:
<authentication mode="Forms">
<forms name="logincookie" path="/"
loginUrl="../UserLogin.aspx?Action=login" protection="All" timeout="20" />
</authentication>

<authorization>
<deny users="?"/>
<allow roles="Admin"/>
</authorization>

<location path="Admin">
<system.web>
<authorization>
<deny users="*"/>
<allow roles="Admin"/>
</authorization>
</system.web>
</location>

Any help appreciated. Am I on the right track ?
regards,
andrew

"Patrick.O.Ige" wrote:

You can use location path like below.
You can even add for example admin.aspx page to the location path.
then deny users or allow users

<configuration>

<appSettings/>
<connectionStrings/>

<location path="Admin">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>

<location path="Users">
<system.web>

<authorization>
<deny users="?"/>
</authorization>

</system.web>
</location>



<system.web>

<compilation debug="true" />

<authentication mode="Forms">
<forms loginUrl ="Login.aspx" timeout ="10">
</forms>
</authentication>


</system.web>

</configuration

Patrick
"Andrew" <Andrew@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0507CABC-6604-4DD7-A21D-A069E6084525@xxxxxxxxxxxxxxxx
Hi,

I have a default.aspx which allows the user to choose between module Admin
and module B. When the user clicks either one, he will be redirected to a
FormsAuthentication login page. The problem I have is that currently,
users
of one module are able to access the other since I have only 1 login page.
How do I prevent this ?

I am not sure how to go about configuring the web.config file for having 2
modules that have a separate set of users for each. The files are all in
the
same directory.

I've written the code for the login using the genericprincipal class etc.
However, I got the error at "Thread was aborted" on my Login.aspx. I can't
figure out why. The debugger jumps to the exception at the
"Response.Redirect" (last) line:

FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
(string)Session["UserLoginName"], DateTime.Now,
DateTime.Now.AddMinutes(30),
false, (string)Session["UserDomain"]);
// Encrypt the ticket
string encryptedTicket = FormsAuthentication.Encrypt(authTicket);
// Create a cookie and add the encrypted ticket as data
HttpCookie authCookie = new
HttpCookie(FormsAuthentication.FormsCookieName,
encryptedTicket);
// Add the cookie to the outgoing cookies collection
Response.Cookies.Add(authCookie);
Response.Redirect(FormsAuthentication.GetRedirectUrl(txtUserName.Text,
true));

Am I on the right path ? Any help appreaciated.
regards,
andrew





.

Relevant Pages

  • Re: web.config roles
    ... login page: ... The authorization works top to bottom your in or your out. ... Your new web.config for the admin folder. ... string encryptedTicket = FormsAuthentication.Encrypt; ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Direkten Seitenaufruf verhindern
    ... Wenn die Seite vor dem Login aufgerufen wird, ...
    (microsoft.public.de.german.entwickler.dotnet.asp)
  • Re: Direkten Seitenaufruf verhindern
    ... Wie kann ich aber einen direkten Aufruf dieser Seite durch manuelle Eingabe ... Wenn die Seite vor dem Login aufgerufen wird, wird zur Loginseite umgeleitet und nach erfolgtem Login wieder auf diese Seite zurück. ...
    (microsoft.public.de.german.entwickler.dotnet.asp)
  • re: Security trimming enabled / Web Admin Tool
    ... From the configuration and sitemap code fragment you provided, ... you also configured the same authorization setting through the ... settings so that security trimming will work correctly(for TreeView or menu ... Microsoft MSDN Online Support Lead ...
    (microsoft.public.vsnet.general)
  • <location> path authorization is not properly checked for override restrictions
    ... Another possible algorithm is that the topdown check of authorization occurs ... control information...especially in this type of scenareo where a 'linked' ...
    (microsoft.public.dotnet.framework.aspnet.security)