Roles and Access Rules on dasp.net

Discussion in 'ASP.NET / ASP.NET Core' started by JRusty15, Feb 5, 2010.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. I'm having some trouble managing roles and access rules on my asp.net 3.5 web application. I followed the video here, and read the KB article on using SQL databases to manage roles in asp.net. Everything works 100% when debugging on my localhost. I use the connection string to connect to the DB I set up on DASP.NET when I debug too, and all my roles and users are working fine. The problem is that when I upload the web application, the access rules don't seem to work. I can access the pages that should be protected by anonymous users before I even log in.

    Can somebody please help me? I can provide any information necessary to assist in this, but I am totally stumped on this one.

    Thank you,
     
  2. Does anybody have an idea of how I can go about finding a solution to this issue? Has anyone had similar problems?
     
  3. I still haven't gotten anywhere with this. Can anyone help?
     
  4. Let me post again to bump this thread up. I would GREATLY appreciate any help I can get on this subject. Thank you.
     
  5. I have emailed one of our system administrators to look into your post.
     
  6. Can you post your web.config settings? You can blank out any passwords and such. Also, is your application on the root or in a sub directory of your site?
     
  7. The app is in a sub folder. That sub folder has been set to a web app in the control panel. The sub folder, RDMTime, is the main (root) folder for the web app. The protected pages are in sub folders of RDMTime folder.

    I uploaded the web.config as a txt to this post, but also posted it below in case one is easier than the other to see/read.

    <?xml version="1.0"?>
    <configuration>
    <configSections>
    <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
    <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
    <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
    <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
    <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
    <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
    <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
    <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/></sectionGroup></sectionGroup></sectionGroup></configSections><appSettings/>
    <connectionStrings>
    <remove name="LocalSqlServer"/>
    <add name="LocalSqlServer" connectionString="Data Source=tcp:sql2k801.discountasp.net;Initial Catalog=SQL2008_695747_rdmtime;User ID=SQL2008_695747_rdmtime_user;Password=******;"/>
    </connectionStrings>
    <!--<location allowOverride="true" path="/rdmtime"/>-->
    <system.web>
    <!--<trust level="Full" />-->
    <authentication mode="Forms"/>
    <roleManager enabled="true"/>
    <customErrors mode="Off"/>
    <!--
    Set compilation debug="true" to insert debugging
    symbols into the compiled page. Because this
    affects performance, set this value to true only
    during development.
    -->
    <compilation debug="false">
    <assemblies>
    <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/></assemblies></compilation>
    <!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
    -->
    <!--
    The <customErrors> section enables configuration
    of what to do if/when an unhandled error occurs
    during the execution of a request. Specifically,
    it enables developers to configure html error pages
    to be displayed in place of a error stack trace.

    <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
    <error statusCode="403" redirect="NoAccess.htm" />
    <error statusCode="404" redirect="FileNotFound.htm" />
    </customErrors>
    -->
    <pages enableEventValidation="false">
    <controls>
    <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></controls>
    </pages>
    <httpHandlers>
    <remove verb="*" path="*.asmx"/>
    <add verb="*" path="*.asmx" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add verb="*" path="*_AppService.axd" validate="false" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add verb="GET,HEAD" path="ScriptResource.axd" validate="false" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></httpHandlers>
    <httpModules>
    <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></httpModules></system.web>
    <system.codedom>
    <compilers>
    <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CSharp.CSharpCodeProvider,System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" warningLevel="4">
    <providerOption name="CompilerVersion" value="v3.5"/>
    <providerOption name="WarnAsError" value="false"/></compiler></compilers></system.codedom>
    <system.webServer>
    <validation validateIntegratedModeConfiguration="false"/>
    <modules>
    <remove name="ScriptModule"/>
    <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></modules>
    <handlers>
    <remove name="WebServiceHandlerFactory-Integrated"/>
    <remove name="ScriptHandlerFactory"/>
    <remove name="ScriptHandlerFactoryAppServices"/>
    <remove name="ScriptResource"/>
    <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add name="ScriptResource" verb="GET,HEAD" path="ScriptResource.axd" preCondition="integratedMode" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></handlers></system.webServer>
    <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
    <assemblyIdentity name="System.Web.Extensions" publicKeyToken="31bf3856ad364e35"/>
    <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/></dependentAssembly>
    <dependentAssembly>
    <assemblyIdentity name="System.Web.Extensions.Design" publicKeyToken="31bf3856ad364e35"/>
    <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="3.5.0.0"/></dependentAssembly></assemblyBinding></runtime><system.net>
    <mailSettings>
    <smtp from="[email protected]">
    <network host="smtp.rdm-engineering.com" password="*******" port="587" userName="***************@rdm-engineering.com"/>
    </smtp>
    </mailSettings>
    </system.net>
    </configuration>
     


  8. Looks like you are missing the authorization setting.

    Code:
    <configuration>
      <system.web>
        <authorization>
          <deny users="?" /> 
        </authorization>
      </system.web>
    </configuration>
    
     
  9. Thanks Aristotle! Looks like that did the trick where if you are not logged in and try to view a page, it will re-direct you to the login page. However, I still seem to have one last issue....

    There are two subfolders
    1) MemberPages
    2) AdminPages

    And as you may have guessed, all members have access to the MemberPages folder, but only users who belong to the "Admin" group SHOULD have access to the AdminPages page. However, when logging in as any user, it allows access to the AdminPages folder. But I made the settings in the configuration manager to deny everyone and only allow members of the "Admin" group in.
     
  10. Put a web.config file in your AdminPages folder with just this in it to allow only users with the Admin role to have access:
    Code:
    <configuration>
        <system.web>
          <authorization>
            <allow roles="Admin" />
            <deny users="*" />
          </authorization>
        </system.web>
    </configuration>
    
     
  11. Thank you CrystalCMS. My question though, is why is it necessary to add these items to the web.config files when I thought this configuration was set up in the same place where you set up the users and roles?
     
  12. You mentioned in this thread that you are using SQL Server to manage your roles and assign them to users. To enable the behaviour you described (users with the Admin role get access to the admin folder and its resources; all other users are denied) you need to implement asp.net url authorization which is what I have described above.

    If you actually use the ASP.NET website administration tool that ships with Visual Studio to manage role assignment to folders, it does exactly this. It writes role and user authorization rules into the web.config file(s).

    Read more about it here and here.
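
Added example (not part of the original posts, and not ASP.NET's own code): a small Python model of how URL authorization rules from the thread's web.config files are merged and evaluated, usable as a pre-deployment check that a folder really denies anonymous or non-Admin users. It assumes rules are read from the requested folder's web.config first, then the application root, then the framework default of allow-everyone, with the first matching rule winning; the config strings, the `is_allowed` helper and the users `alice` and `bob` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the thread's files (not the poster's full config).
ROOT_ORIGINAL = "<configuration><system.web /></configuration>"  # no <authorization>
ROOT_FIXED = """<configuration><system.web><authorization>
  <deny users="?" />
</authorization></system.web></configuration>"""
ADMIN_PAGES = """<configuration><system.web><authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization></system.web></configuration>"""
# Framework-level default inherited by every application: allow everyone.
MACHINE_DEFAULT = [("allow", {"*"}, set())]

def _names(value):
    """Split a comma-separated users/roles attribute; names compare case-insensitively."""
    return {n.strip().lower() for n in value.split(",") if n.strip()}

def parse_rules(config_xml):
    """Return [(action, users, roles)] in document order from one web.config."""
    auth = ET.fromstring(config_xml).find("system.web/authorization")
    if auth is None:
        return []
    return [(el.tag, _names(el.get("users", "")), _names(el.get("roles", "")))
            for el in auth if el.tag in ("allow", "deny")]

def is_allowed(configs, user=None, roles=()):
    """configs: web.config texts ordered from the requested folder up to the
    application root. user=None is an anonymous request. First match wins."""
    held = {r.lower() for r in roles}
    merged = [rule for cfg in configs for rule in parse_rules(cfg)] + MACHINE_DEFAULT
    for action, users, rule_roles in merged:
        if ("*" in users
                or (user is None and "?" in users)
                or (user is not None and user.lower() in users)
                or rule_roles & held):
            return action == "allow"
    return False  # unreachable while MACHINE_DEFAULT ends the list

if __name__ == "__main__":
    for label, cfgs in [("original root", [ROOT_ORIGINAL]), ("fixed root", [ROOT_FIXED]),
                        ("AdminPages + fixed root", [ADMIN_PAGES, ROOT_FIXED])]:
        print(label, "| anonymous:", is_allowed(cfgs),
              "| member:", is_allowed(cfgs, "alice", ["Member"]),
              "| admin:", is_allowed(cfgs, "bob", ["Admin"]))
```

The model ignores the `verbs` attribute and `<location>` elements, so it covers only the per-folder web.config layout discussed in this thread.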
     