Blocking Direct URL Access through web config
- From: "Chase Kang #52" <chase.kang@xxxxxxxxx>
- Date: Wed, 1 Oct 2008 11:06:31 -0700 (PDT)
I have a web application using custom authentication and role
management, which seems to work properly. I also have a web config
file with the following:
<location path="systems">
<system.web>
<authorization>
<allow roles="Administrator,Reader" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="applications">
<system.web>
<authorization>
<allow roles="Administrator,Reader" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="certification">
<system.web>
<authorization>
<allow roles="Administrator,Reader" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="admin">
<system.web>
<authorization>
<allow roles="Administrator" />
<deny users="*" />
</authorization>
</system.web>
</location>
When I run the application, everything works fine. Clicking on my
menu links, I cannot access the pages for which I'm not assigned to an
allowed role. The problem is when I paste the direct URL into the
browser, I'm still able to pull up the pages I'm not supposed to have
access to. For example, when I log in as a reader (which I've
verified the role), I can click on the "Admin" link from the menu and
I get an "Access Denied" 401.2 error. However, when I copy the URL to
the browser, I can gain access to that page.
Anyone have any ideas? Any help is appreciated. Thank you.
.
- Follow-Ups:
- Re: Blocking Direct URL Access through web config
- From: Joe Fawcett
- Re: Blocking Direct URL Access through web config
- Prev by Date: Re: session variables being lost
- Next by Date: Delayed databinding
- Previous by thread: Posible to capture the string of asp:loginname instear of displaying it?
- Next by thread: Re: Blocking Direct URL Access through web config
- Index(es):
Relevant Pages
|
Loading
