Can't Access Restricted Pages

Discussion in 'ASP.NET / ASP.NET Core' started by pbc83, Jan 18, 2012.

  1. My web site works (www.infortechinc.com/Paragon6/login.aspx )to an extent, but it still doesn't access the restricted pages, namely the two middle pages, "Edit Properties" and "View Properties". These 2 pages should open if the user enters a valid username and password. I've attached my web.config file for anyone who can tell me what I'm doing wrong. I'm stumped. I've masked my password in the file and zipped the file for upload.

    Can anyone help?

    Peter
     

    Attached Files:

  2. It seems like you're attempting to protect access to your MVC routes with the <authorization> element in the web.config so I have to ask, are your controllers decorated with the Authorize attribute? This is the recommended method to secure routes in MVC and achieves the same result to what you'd achieve with a location element in the web.config in an ASP.NET web forms app.

    If the location element actually did work in an MVC application, it would be quite easy to introduce a security vulnerability by perhaps mistakenly enabling access to a controller via a custom route. This is exactly the reason why the Authorize attribute was introduced in MVC. Try this: http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute.aspx
     
  3. Thanks

    I'm new to building web pages. Unless I'm mistaken, I thought my web application is using ASP.Net web pages, not MVC (model view controller) architecture. What made you think I'm using MVC?

    Thanks,
    Peter
     
  4. I'm sorry my mistake you're right, it is an ASP.NET web forms site. It's been a long day.

    There is one thing I noticed - applicationName="/" for the role provider yet is applicationName="/SamplesRolesApp" for the membership provider. You could perhaps try rendering the current role for the user out after login to check the user is in the Management role as expected.

    EDIT: The plot thickens - I've just noticed you have 2 login pages:
    http://www.infortechinc.com/Paragon6/login.aspx
    http://www.infortechinc.com/Paragon6/Account/Login.aspx
     
  5. Removed application name

    After reading Scott Guthrie's posting (http://weblogs.asp.net/scottgu/archive/2006/04/22/443634.aspx) I figured out that yes indeed the the applicationName="/" for the role provider yet is applicationName="/SamplesRolesApp" for the membership provider. So I removed "SamplesRolesApp" and made it simply "/" (which I believe points to the root of the web site, right?). Now the logon appears to work, but the two pages that are restricted still don't open. The credentials are: username - PeterC, password - abc123#. You can use these to test. The data is just test data so there are no problems showing this data publicly.

    Thanks for the help, I sure wish I could get this working though :(

    Peter.
     
  6. Hi Peter I've some info for you and I need to send you a PM but you've disabled that option on your forum account. Let me know when you've enabled it.
     
  7. Can't Seem to Access My Forum CP

    I can't seem to be able to access my user control panel (CP) on the forum to change the PM setting. How can I change it?

    Peter
     
  8. Support's Reply

    I wrote to Support and this was their reply:

    The Private message feature on the forum is enabled by default. You should be able to send or receive private messages without having to enable it first.
     
  9. Oh well there's not much for me to say about that except that it's definitely not working.
     
  10. I hate to be a pest, but what do I do now?

    Peter
     
  11. mjp

    mjp

    What do you mean? Are you getting an error?

    If you are logged in there is nothing that could prevent you from getting to the forum control panel.

    I've checked your account settings and private messaging is enabled, and I just sent a test message successfully.
     
  12. OK, then it works, but another Forum user CrystalCMS claimed he couldn't send me a PM?

    Go figure!

    Well, I suppose if you made it work, he should be able too.

    Thanks,
    Peter
     
  13. I'm afraid not. I've PM'd DASP staff in the last 24hrs but there appears to be something screwy with your account preventing me sending you a PM. Anyway never mind, back to the point. I see your role related problem still persists so I now have two questions for you:

    1) How did you create your roles in your db?
    2) At login time you could do something like this:

    string[] roles = Roles.GetRolesForUser(userName);
    foreach (string role in roles)
    LabelRole.Text += role + ",";

    Where userName is the user name of the user who has just logged in and LabelRole is a label control dropped onto your form. This will enable you to see the roles the user is in.

    If you were to do this, what roles do you see?
     
  14. Still having trouble!

    I have been pursuing this matter for a very long time. I still cannot get the restricted pages to appear after successfully logging in. If I run the web page from my local host with the server being DASP, then I can open the pages. But, if I run the web page remotely through a browser, I can only sign in successfully but when I click on either of the restricted pages, nothing happens. I've attached my web.config file for your review. If you could tell me what I am doing wrong, I would be very thankful.

    My web page is (http://www.infortechinc.com/Paragon5/Login.aspx) the username is PeterC and the pw is abc123#. Don't worry about the credentials being public, the data is simply a sample with no relevance.

    Thanks in advance anyone!

    Peter:(:(
     

    Attached Files:

  15. Finally Able to Access Restricted Pages

    After numerous attempts at getting this web site to work. I finally figured out what was wrong. I've posted a short video on how to do this, so that if anyone else has the same problem they can refer to this thread. As I had said in previous emails, I could access the web site from my localhost by having my connection string point to the DASP server, but couldn't access the restricted pages. Yet, for some reason I could access those restricted pages when I tested my web site from my localhost with my connection string pointing to my localhost.

    So the first thing I changed in my web.config file was to add this entry:

    <remove name="LocalSQLServer" />
    <add
    name="LocalSQLServer"
    connectionString="Data Source=tcp:sql2k805.discountasp.net;Initial Catalog=SQL2008R2_277230_pps;User ID=SQL2008R2_277230_pps_user;Password=#######"
    providerName="System.Data.SqlClient"/>

    In my connectionStrings section of the web.config.

    So that this had a server to access the security tables in my database as follows in my roleManager section:

    <roleManager enabled="true">
    <providers>
    <clear />
    <add connectionStringName="LocalSqlServer" applicationName="/" name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
    <add applicationName="/" name="AspNetWindowsTokenRoleProvider" type="System.Web.Security.WindowsTokenRoleProvider" />
    </providers>
    </roleManager>

    Finally, using the Web Site Administration Tool (WSAT) from within VS 2010 I added the roles to the users 0.:D
     
  16. mjp

    mjp

    That's cool, do you have a URL for the video?
     

Share This Page