Re: Blocking Direct URL Access through web config

"Chase Kang #52" <chase.kang@xxxxxxxxx> wrote in message news:334ac9a6-a792-4ada-868b-4c66527c0d59@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a web application using custom authentication and role
management, which seems to work properly. I also have a web config
file with the following:

<location path="systems">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="applications">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="certification">
  <system.web>
    <authorization>
      <allow roles="Administrator,Reader" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="admin">
  <system.web>
    <authorization>
      <allow roles="Administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

When I run the application, everything works fine. Clicking on my
menu links, I cannot access the pages for which I'm not assigned to an
allowed role. The problem is when I paste the direct URL into the
browser, I'm still able to pull up the pages I'm not supposed to have
access to. For example, when I log in as a reader (which I've
verified the role), I can click on the "Admin" link from the menu and
I get an "Access Denied" 401.2 error. However, when I copy the URL to
the browser, I can gain access to that page.

Anyone have any ideas? Any help is appreciated. Thank you.

Are these aspx pages you are trying to access?

--

Joe Fawcett (MVP - XML)
http://joe.fawcett.name
