Authorization - Why Does Authorization Boot The User To The Login Screen
Jun 28, 2010
When a user attempts to directly visit the URL admin.aspx, and they are not an admin, they are redirected to the login page. However, when the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.
I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests here: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can someone put in simple terms what the advantages of claims based authorization are?
I am going through the Security Tutorials here on ASP.Net. I am currently working on the last part of the Membership - User-Based Authorization. The tutorial covers restricting access to specific pages or to directories using a second Web.Config file. I am running into a problem with the myLogin page DestinationPageURL. Here is what is happening: 1. When the website starts, the Login page opens. 2. If I log in with an existing user, I am sent to the Default.aspx page. That is what is in the myLogin.DestinationPageURL for the login page.
I am using asp.net authentication and authorization with form authentication for my web application.
When I create a new user using the asp.net create user control, the newly created user automatically gets logged in, and the already logged-in user loses his session.
Don't know why this is happening. Is there some setting for this?
Suppose some users log in to my web app. They get authenticated (as something other than the anonymous user), so they can access any resource in the directory. The system.web/authorization section of web.config is set to deny access to anonymous users like this:
Actually, from what I understand, this only protects files accessed through the ASP.NET system. If I drop a JPG file in there, it's accessible to everyone, without authentication/authorization. In order to ensure all files are protected, there's a different section for that:
Of course, now when someone attempts to access the JPG file, they don't get redirected to the login page. Instead, they get a nasty HTTP Error 401.2 - Unauthorized.
Now, suppose a user causes a file to be created on the server. How, in the context of this elaborate Forms Authentication and Authorization scheme, do I ensure that only that user's web browser can access the file via its URL? For example, must I modify the web.config file? If so, do I have to do this manually or can it be done through code? Will modifying it frequently cause the application to be interrupted/restarted?
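One way to handle the per-user file question above is to take IIS out of the picture entirely: write user-created files outside the web root under a server-chosen name and hand them out only through an authorized action that checks ownership. Then web.config never changes per file (so no app-domain restart), and the 401.2 from the static-file path never arises because there is no URL that maps to the file. The following is an added example, not code from the original post; the store path, the in-memory index and the class names are hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.IO;
using System.Web;
using System.Web.Mvc;

// Added example (not from the original post). Assumes an ASP.NET MVC app with
// Forms authentication. Files live OUTSIDE the site root, so IIS never serves
// them by URL; this action is the only reader and it checks ownership against
// the identity Forms auth established. Paths and class names are hypothetical.
public class UserFilesController : Controller
{
    // Hypothetical folder outside the web root; trailing separator makes the
    // StartsWith check below unambiguous.
    private static readonly string StoreRoot =
        Path.GetFullPath(@"D:\AppData\UserFiles") + Path.DirectorySeparatorChar;

    public class FileRecord
    {
        public string OwnerUserName;   // who may read it
        public string StoredName;      // server-chosen, never client-supplied
        public string DownloadName;    // file name shown to the browser
        public string ContentType;
    }

    // Hypothetical index; in a real app this is a table written at upload time.
    private static readonly ConcurrentDictionary<Guid, FileRecord> Index =
        new ConcurrentDictionary<Guid, FileRecord>();

    // Called by whatever creates the file; the returned id is what goes in the URL.
    public static Guid Store(string ownerUserName, Stream content, string downloadName, string contentType)
    {
        var id = Guid.NewGuid();
        var storedName = id.ToString("N");          // no user-controlled characters reach the path
        Directory.CreateDirectory(StoreRoot);
        using (var fs = new FileStream(Path.Combine(StoreRoot, storedName), FileMode.CreateNew))
            content.CopyTo(fs);

        Index[id] = new FileRecord
        {
            OwnerUserName = ownerUserName,
            StoredName = storedName,
            DownloadName = Path.GetFileName(downloadName), // drop any directory part
            ContentType = contentType
        };
        return id;
    }

    [Authorize] // anonymous callers still get the normal Forms-auth redirect to loginUrl
    public ActionResult Download(Guid id)
    {
        FileRecord rec;
        if (!Index.TryGetValue(id, out rec))
            return HttpNotFound();

        // Ownership: compare with User.Identity.Name, never with a user name taken
        // from the query string or a hidden field. Answer 404 rather than 403 so a
        // non-owner cannot even confirm that the id exists.
        if (!string.Equals(rec.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();

        // Defence in depth: StoredName is server-chosen, but refuse anything that
        // resolves outside StoreRoot anyway.
        var full = Path.GetFullPath(Path.Combine(StoreRoot, rec.StoredName));
        if (!full.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase))
            return HttpNotFound();

        // Private content: keep shared caches from handing it to the next user.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        return File(full, rec.ContentType, rec.DownloadName);
    }
}
```

If the files must stay under the web root, the same pattern still works: put a web.config in that folder that denies all users (so IIS refuses direct requests, as in the 401.2 case above) and let this action be the only code that opens them.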
My scenario is a 3-Tier app where the data tier is a SQL Server database, the middle tier is a WCF application hosted in a Windows Service and finally the presentation is an Asp.Net MVC application. As usual, the middle tier is the one that performs all of the business logic. Access database, define business rules.. etc. BUT now here's the question: How do you handle security in such a scenario? I mean, the user has to log in on the ASP.NET application, but I want to authenticate it not only in ASP but in the WCF middle tier as well, since a WCF service is supposed to be accessed by more apps.
I want the user to log in on the Asp.Net application and let WCF know the credentials as well. Is there some kind of session in WCF in which to specify a logged in user? How do pros handle security in this case? I know you can secure the WCF services with message security, but how do Asp.Net and WCF sync on a single logged user? I want to secure WCF operations depending on the user for authorization means.
I am writing two ASP.NET apps. One is a web service that provides XML data and the other is a web client that will use the service to display and manipulate data. I would like for the web service to do the membership authentication and authorization. Is there any way to simply point the login controls in my client application to the web service instead of to a database? I assume I would have to provide the necessary methods in my web service interface, which would then use the membership provider database I created and pass the results back through to the client.
Is this possible? I have seen many articles on security provision from a web service but none has really been what I am looking for. I was hoping that, since my service and my client are both written in ASP.NET, there might be some built-in functionality that would benefit me.
I have created my first MVC application. I am using forms authentication. I have created a custom action filter MyAppAuthorizationFilter which inherits from AuthorizeFilter. Inside this filter I'm authenticating the user credentials by checking them against a database table (by overriding the OnAuthorize method). If the user is not authenticated, I am redirecting the users to a login page (which is a view of LoginController). I am using this filter against my main controller so that all actions in this filter will execute only if the user is authenticated.
I do not have any problem when I use the asp.net development server (shipped with Visual Studio). But when I deploy the app to our IIS7 server, I can see the login screen when I access the default URL, but after entering the credentials (both correct and incorrect) and posting back the Login page, it stays on the Login page (clears the pwd, but not the username). It's never getting redirected to the home screen or invalid login screen.
IIS 7 server has .net framework 3.5SP1, but no MVC. So I deployed the System.Web.Mvc dll in the bin folder.
Here's my Code (I've omitted the views and models as they are not needed here):
[MyAppAuthorizationFilter]
public class MainController : Controller
{
    //
    // GET: /
    [code]......
I've an Admin area and I want only Admins to enter the area. I considered adding the Authorized attribute to every controller in the Admin area. Isn't there an elegant solution or is this feature not there in the framework itself?
EDIT:
I should have mentioned this before. I'm using a custom AuthorizedAttribute derived from AuthorizeAttribute.
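The Admin-area question here and the earlier "why does authorization boot the user to the login screen while keeping them logged in" question share one root cause: in ASP.NET MVC 3, AuthorizeAttribute produces the same 401 result for "not logged in" and for "logged in but not in the role", and FormsAuthenticationModule converts every 401 into a redirect to loginUrl. The added example below (not code from either post) shows a single AuthorizeAttribute subclass that fixes both: it is registered once as a global filter, only fires for requests routed into a named area, and sends an already-authenticated user to an access-denied page instead of the login page. The area name "Admin", the role "Administrators" and the Error/AccessDenied route are assumptions.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

// Added example (not from the original posts). Assumes an ASP.NET MVC 3 app
// with Forms authentication, an "Admin" area and an "Administrators" role.
// Register once in Global.asax instead of decorating every Admin controller:
//
//   public static void RegisterGlobalFilters(GlobalFilterCollection filters)
//   {
//       filters.Add(new HandleErrorAttribute());
//       filters.Add(new AreaAuthorizeAttribute("Admin", "Administrators"));
//   }
public class AreaAuthorizeAttribute : AuthorizeAttribute
{
    private readonly string _area;

    public AreaAuthorizeAttribute(string area, string roles)
    {
        _area = area;
        Roles = roles;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // The "area" data token is set by the area route registration; requests
        // outside the area (login page included) pass straight through.
        var area = filterContext.RouteData.DataTokens["area"] as string;
        if (!string.Equals(area, _area, StringComparison.OrdinalIgnoreCase))
            return;

        base.OnAuthorization(filterContext); // runs the user/role check
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Logged in but not in the role. A 401 here would be turned into a
            // redirect to loginUrl by Forms auth, which is the confusing behaviour
            // in the question. Redirect to a 403 page in the root area instead;
            // the Forms-auth cookie is untouched, so the user stays logged in.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "area", "" },            // hypothetical root-area controller
                    { "controller", "Error" },
                    { "action", "AccessDenied" }
                });
            return;
        }

        // Not logged in at all: keep the default 401 so Forms auth redirects to loginUrl.
        base.HandleUnauthorizedRequest(filterContext);
    }
}

// Hypothetical target for the redirect above; returns an honest 403 with a view.
public class ErrorController : Controller
{
    public ActionResult AccessDenied()
    {
        Response.StatusCode = 403;
        Response.TrySkipIisCustomErrors = true; // let our view, not the IIS error page, be shown
        return View();
    }
}
```

Because the filter keys on the area route token rather than on a URL prefix, it also covers any controller later added to the area, which the per-controller attribute approach does not.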
I was wondering how I make it so that when a user goes to a page it is only displayed if he is logged in and secure, but if he is not logged in he is redirected to the login page?
I am using forms authentication in an asp.net Application, and I want to make pages accessible depending upon roles defined in the database. For example, there are three roles defined in the database: salary admin, manager, Clerk. I want a page salary.aspx that can be accessed only by salary admin and not by any other roles.
I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
I have the usual requirement of implementing Authentication and Authorization. I used to implement it using custom code where I have Users, Roles, Role_Pages, User_Pages, and User_Roles. So this way we can give a certain user roles (that group multiple pages) and/or directly define access to certain pages. All that with the ability to specify fine grained permissions like the ability to Add/Edit/Delete records in those pages.
My question: How easy is it to implement this using Forms Authentication and what advantage does that give over implementing a custom solution. I am also concerned with knowing if there would be any advantage when it comes to securing from session hijacking and against spoofing where an attacker could replay requests and impersonate legit users. Would Forms Authentication have any advantage there, or is it only SSL that can secure against that (which makes both approaches equal in that regard).
What is the authentication mode available in ASP.NET? How do you set authentication mode in the ASP.NET application? How do you provide secured communication in ASP.NET? List out the difference between windows authentication and form authentication.
I'm using Visual Studio 2005 with C# on .NET framework 2.0. I am implementing forms authentication in this project but the problem is when I'm on the registration form (outside login) and try to open any window on that form using JavaScript (window.open) it redirects me to the login page. How should I tackle this problem?
We know that authorization's stuff is a cross cutting concern, and we do anything we can to avoid merging business logic into our views. But I still have not found an elegant way to filter UI components (e.g. widgets, form elements, tables, etc) using the current user roles without contaminating the view with business logic. The same applies for model binding.
Example form: Product Creation
Fields: Name, Price, Discount
Roles:
Role Administrator
- Is allowed to see and modify the Name field
- Is allowed to see and modify the Price field
- Is allowed to see and modify the Discount field
Role Administrator assistant
- Is allowed to see and modify the Name field
- Is allowed to see and modify the Price field
The fields shown for each role are different; model binding also needs to ignore the Discount field for the 'Administrator assistant' role.
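The security-relevant half of this question is the model binding: hiding the Discount editor in the view is cosmetic, since an assistant can still add a Discount field to the POST body by hand (over-posting). The added example below (not code from the original post) keeps one role-to-field policy outside the view and uses it twice: the view asks it which fields to render, and the POST action passes the same list as the include list to TryUpdateModel, so anything not permitted is never bound. Role and field names are the ones from the post; ProductCreateModel, ProductController and the Index redirect are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web.Mvc;

// Added example (not from the original post). Assumes ASP.NET MVC 3 with Forms
// authentication and a role provider. One policy drives both rendering and
// binding, so the view stays free of role logic and binding cannot be bypassed.
public static class FieldPolicy
{
    private static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrator",           new[] { "Name", "Price", "Discount" } },
            { "Administrator assistant", new[] { "Name", "Price" } },
        };

    // Union of the fields permitted by every role the user holds.
    public static string[] FieldsFor(IPrincipal user)
    {
        return Allowed.Where(kv => user.IsInRole(kv.Key))
                      .SelectMany(kv => kv.Value)
                      .Distinct(StringComparer.OrdinalIgnoreCase)
                      .ToArray();
    }

    // For the view:  @if (FieldPolicy.IsVisible(User, "Discount")) { @Html.EditorFor(m => m.Discount) }
    public static bool IsVisible(IPrincipal user, string field)
    {
        return FieldsFor(user).Contains(field, StringComparer.OrdinalIgnoreCase);
    }
}

public class ProductCreateModel
{
    public string Name { get; set; }
    public decimal Price { get; set; }
    public decimal Discount { get; set; }
}

public class ProductController : Controller
{
    [HttpGet, Authorize(Roles = "Administrator,Administrator assistant")]
    public ActionResult Create()
    {
        return View(new ProductCreateModel());
    }

    [HttpPost, Authorize(Roles = "Administrator,Administrator assistant"), ValidateAntiForgeryToken]
    public ActionResult Create(FormCollection form)
    {
        var model = new ProductCreateModel();

        // Bind only the fields the caller's roles allow. A "Discount" value posted
        // by an assistant is dropped here regardless of what the form rendered,
        // so Discount keeps its default (0) for that role.
        if (!TryUpdateModel(model, FieldPolicy.FieldsFor(User)))
            return View(model);

        // save the product here
        return RedirectToAction("Index");
    }
}
```

The include-list overload of TryUpdateModel is what enforces the rule; a model with [Bind(Exclude = "Discount")] would not work because the excluded set has to vary per role at runtime.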
I am using forms authentication in my ASP.NET MVC application. I want to exclude the signup page from the authorization process. I know I can add a location tag in my main web.config file or create a new web.config inside the specific folder. But I just want to exclude one specific action in the User controller. How do I do it?
I am using forms authentication with ASP.NET MVC. Within web.config at application level I can set the paths that I require authentication to as follows;
subdir1 is a folder name within the Views folder. This works for the web page routing as [URL]. However, if my subdir1 is under another dynamically created route, this setting does not work. For instance, [URL] does not request authentication. dynamic is created at runtime and web.config does not know about it at application start, but it should not care about it; I just want it to ask for authentication whenever there is an access to the subdir1 route. Is there any way that I can set the location's path attribute for this case? Or do you have any other way to solve this issue?
I want to make a redirect to a specified page if authorization failed. And this is not a general page. I want to make a specific redirect based on the page the user wants to open. How can it be done?
My website is open only for authorized users, so I denied the anonymous users. But the problem is the style is corrupted because anonymous users are not allowed to access the Style folder. How can I exempt the Style folder from the authorization?