September 25, 2008 at 1:45 am
Hi. I posted a similar request on ASP.NET a while back but could not find an answer to my question so here's hoping.........
I have developed an intranet site and was looking to control access to certain pages based on the users role. I have added a web.config file to each folder and configured similar to code shown in post.
So......................
1) If a user clicks link for 'Production' and they are not currently logged in the login page displays. If they login and are a member of the 2 groups listed they can access the Production page.
2) If a user is already logged in and selects the 'Production' page then once again the login screen is displayed. How can I forward unauthorized users to a page advising they do not have permission to access the page requested?
Finally. The Login page has a destination url of Default.ASPX. So if the Login is successful users should be forwarded to the home page. However if you traverse the site and select the Login link from say the Support Page then upon successful login the user remains on the support page and is not forwarded to the destination url specified?
Here is an example of my web.config:
I hope my request makes sense.
I am hoping one of you gurus has worked on a similar project and can advise a resolution.
Many Thanks,
Phil.
-------------------------------------------------------------------------------------
A neutron walks into a bar. "I'd like a beer" he says. The bartender promptly serves up a beer. "How much will that be?" asks the neutron. "For you?" replies the bartender, "no charge."
Two hydrogen atoms walk into a bar. One says, 'I think I've lost an electron.' The other says 'Are you sure?' The first says, 'Yes, I'm positive... '
Tommy Cooper
September 25, 2008 at 10:35 am
In an intranet you can use Windows authentication and use authorization sections to apply folder permissions using Windows ACL (access control list). The reason impersonation is invalid with Windows authentication and IIS 6 comes locked down. Check the thread below for all you need, if you still have questions post again.
http://support.microsoft.com/kb/812614
Kind regards,
Gift Peddie
September 25, 2008 at 2:14 pm
Hi and thanks for the reply (not sure what happened to my code there...). I use windows authentication within my connection string to connect to SQL.
Let me try with that config code again....
<?xml version="1.0" encoding="utf-8"?>
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
  <location path="production.aspx">
    <system.web>
      <authorization>
        <allow roles="PRODUCTION,ADMINISTRATION" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
Stripped a bit out (tags) but you get the picture.
I will follow the links and hope the penny drops. I am close to having a functional site, just need to crack this.
Many Thanks,
Phil.
September 25, 2008 at 2:49 pm
What I gave you does not include SQL Server, just the application layer. Here is another using Asp.net AD (active directory) provider and AZMAN authorization manager with your application. You must know that you use LDAP instead of AD to authenticate your users because AD's primary task is to authenticate users in a Windows domain. Adding SQL Server adds complication; that is the reason there is also a SQL Server Membership provider. Check the thread below for details about AD provider and AZMAN.
http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/a6d2b577-679b-472c-8f27-20ef1a14255d/
Kind regards,
Gift Peddie
September 26, 2008 at 12:13 am
Hi and once again many thanks. Maybe I have not explained myself properly? I do not have a problem with users authenticating, that side of things works fine. The issue is that when I specify within my web.config file (I have one for each directory) the groups that have access to the page, users that are not members of the group are redirected to the login page. However they do not have access so it would be better to direct them to a page that explained this.
Example:
User A member of Accounts
User B member of Sales
User A logs in and selects Accounts. They are directed to the login.aspx page. They successfully authenticate and they are able to access accounts.aspx.
User B logs in and selects Accounts. User B is not a member of Accounts. User B is directed to the login.aspx. Even if he authenticates he will be unable to access accounts. The login status changes to show that the user has successfully authenticated and is now logged in but they remain at the login screen as they do not have permission to access accounts (not a member of accounts).
It would be better that if after User B authenticates rather than remaining on the login.aspx page they are forwarded to a web page that states 'You do not have permission to access the page requested'.
I hope I have explained myself a little better?
Many Thanks,
Phil.
September 26, 2008 at 8:56 am
Hi Philip,
I understood you the first time, and both threads I gave you will get what you are looking for, but the second one requires more work and so is more scalable.
That said here is the Microsoft doc covering all you need to create the authorization sections. On a side note authentication and authorization are all connected.
http://msdn.microsoft.com/en-us/library/acsd09b0.aspx
Kind regards,
Gift Peddie
September 26, 2008 at 9:27 am
Thanks, just making sure I wasn't confusing you!
I will follow the link and see if I can work it all out.
Many Thanks,
Phil.
September 26, 2008 at 9:55 am
Hi again. I followed the last link. I could not decipher how I might add a redirect based on my role based authorization?
Maybe I am missing the point? My rules state that all members can access the page
but all users are denied access .
The article advises that:
At run time, the authorization module iterates through the allow and deny elements, starting at the most local configuration file, until the authorization module finds the first access rule that fits a particular user account. Then, the authorization module grants or denies access to a URL resource depending on whether the first access rule found is an allow or a deny rule
So in my scenario the authorization module processes role Accounts (contains members A B C) and allows access to the url. My question is when the authorization module hits the deny can I forward to unauthorized.aspx?
Thanks,
Phil.
September 26, 2008 at 12:22 pm
If you are using URL with roles then you need to implement AD provider and use AZMAN, which requires more work, but what I am telling you is you configuring your folders and adding users you want to access these folders and creating authorization section with the people whom you have added to the folder so Asp.net can use that to decide if that person can see the content of the folder. Remember the default IIS6 folder permissions I posted; you need to make sure all the relevant permissions work so folder access is resolved using ACL. It is not complicated, yet detail is relevant for it to work. Microsoft have covered the details below. I am still here, post again.
http://msdn.microsoft.com/en-us/library/ms998358.aspx
Kind regards,
Gift Peddie
September 26, 2008 at 1:36 pm
Thanks once again, I will take another look.
Kind Regards,
Phil.
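The behaviour asked about in the thread (a signed-in user who fails the role check lands on login.aspx again instead of a "no permission" page) can be handled in the login page itself. The following is an added example, not code from any poster in the thread. It assumes forms authentication with login.aspx as the login URL, a code-behind class named Login, and a page at ~/unauthorized.aspx that every authenticated user is allowed to open.

```csharp
// Added example: code-behind for login.aspx (the class name Login is an assumption).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Assumed location of the "no permission" page mentioned in the thread.
    private const string DeniedPage = "~/unauthorized.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anonymous visitors and the login postback itself proceed as normal.
        if (IsPostBack || !Request.IsAuthenticated) return;

        // Forms authentication appends ?ReturnUrl=<page> when it bounces a request here.
        string target = LocalPath(Request.QueryString["ReturnUrl"]);
        if (target == null) return;   // user followed the Login link directly

        // Already signed in and still bounced: the role rules denied the page.
        if (IsDenied(target))
            Response.Redirect(DeniedPage);
    }

    // ReturnUrl is client-controlled: accept only a rooted local path, drop the query string.
    private static string LocalPath(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)) return null;
        int q = returnUrl.IndexOf('?');
        string path = q >= 0 ? returnUrl.Substring(0, q) : returnUrl;
        bool local = path.StartsWith("/", StringComparison.Ordinal)
                     && !path.StartsWith("//", StringComparison.Ordinal)
                     && path.IndexOf('\\') < 0;
        return local ? path : null;
    }

    // Re-runs the web.config <authorization> rules for the signed-in principal.
    private bool IsDenied(string virtualPath)
    {
        try
        {
            return !UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, User, "GET");
        }
        catch (ArgumentException) { return false; }  // path outside this application
        catch (HttpException) { return false; }      // malformed path
    }
}
```

ReturnUrl is used here only as input to the access check and is never used as a redirect target, so a crafted value cannot send the user off-site.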