Does Security Trimming Work With Web Forms Routing?
May 31, 2010
In my web.config I have configured a SiteMapProvider with securityTrimmingEnabled="true" and on my main master page is an asp:Menu control bound to an asp:SiteMapDataSource. In addition I have configured restricted access to all pages in a subfolder "Admin" (using another web.config in this subfolder).
... it seems that security trimming does not work: The menu item is visible for all users. (Access to the page is still restricted though, so selecting the menu item by non-Admin users does not navigate to the restricted page.)
Question: Is there any setting I've missed so far to make security trimming working with URL routing in ASP.NET 4.0 Web Forms? Did I do something wrong? Is there any work-around?
I am using URL routing in asp.net application (not MVC) . I have Admin folder in my aaplication which has admin related aspx pages with seperate web.config. I have seperate login form for admin users which is placed in admin folder itself. My issue is whenever I hit [URL] (which I want to go to login form for admin)- it tries to authenticate and goes to login url mentioned in web.config of root folder.
Note: Admin folder has anonymous access in root config file. Also I have set default document in config of Admin folder. I have added following line in global.asax so that routing doesnt work for files in admin folder;
routes.Add(new Route("admin/{*resource}", new StopRoutingHandler()));
I am really confused what is the issue? What I am missing?
I understand that we can easily secure the menu pages by enabling SecurityTrimming and putting role information in web.sitemap.
But my problem is that we have to use a 3rd party authentication piece. The ASP.NET application gets the UserId and roles from the authentication module.
I need to show/hide ASP.NET pages based on the incoming user's roles.
Is it possible somehow to use web.sitemap with these roles?
Or should I come up with my own way to map a web page to role/s?
I have a site map with a node and two inner nodes. The inner nodes have the same url but a different querystring parameter. I want the users with role "User" to see only the second of these links in their menu.
This is my siteMap:
[Code]....
This is the configuration of the web.config:
[Code]....
As a result, the users with role "User" can see only the second link (Search) which is fine, but they get an Access Denied when they navigate to it which is logic since they don't have access to that page, but it's not really fine for me.
We're writing an app that has a requirement for allowing/disallowing access based on user role.In a traditional .net app of course you set the security trimming attribute in the web.config and set the nodes in the web.sitemap file and you were set.
I'm using routing from System.Web.Routing without MVC in a standard ASP.Net Web Application Project application. This is mostly done to get neater urls in the portal we are developing (instead of ~/default.aspx?contentid=123 we have ~/{contentsubject}. The portal is not authorized and all info is in the url so in a caching scenario we can cache complete pages.
When I tried to enable output caching I noticed that no caching was done. It seems that the outputcache page directive is completely ignored. Is this true or am I missing something? Can this be fixed?
I made a small test app (I uploaded it to [URL] that just contains a page, Webform1.aspx, that uses a master page and a user control. All three output the current date and time.
When I request http//localhost/OutputcacheTest/Webform1.aspx the 10 second caching works as expected, i.e. the shown time only updates every 10 seconds.
The app also defines a wildcard route that catches all requests and returns the same Webform1.aspx as a handler. So when requesting http//localhost/OutputcacheTest/myroute the same page is executed but now the caching doesn't work, i.e. the current time is shown on every request.
Note: When using the built-in development web server both scenarios work, only IIS seems to have this problem.
Does anyone have a a solution or work around for how to enable output caching in this scenario?
ASP.NET 3.5 SP1 with Web Forms Routing thru Global.asax (System.Web.Routing and RegisterRoutes)IIS 7
Everything is working fine in my local machine, but it gives the following error in my hosting environment:
Could not load file or assembly 'System.Web.Routing, Version=3.5.0.0, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
I did everything inside my web.config file mentioned in the following link:
I have a Web application where i have added a reference to a RESTful WCF. I got the WCF url Routing to work in my webapplication by adding Inherits="RestService.Global" to the Web applications Global.asax.
But then i tried to create url Routing for the Web application and it does not work with the Inherits="RestService.Global" in the Global.asax. If i take it away it works fine. Is there a correct way to do this.
I'm trying to create my own CMS and I've gotten a little bit stuck at the stage of URL routing.
I want clean URLs without extensions and I'd like to be able to create and modify them in a web based interface without any messing around with IIS or actual files.
I've seen how to create a static route, but for that I need to go into my Global.asax file and manually add it.I would like to have all of these routes stored in a database so that I can easily modify them later.
Does anyone know how this can be achieved?
Just for extra information, I will be attempting to create a feature so that if a path exists, but is later changed, a 301 redirect is created to the new URL, is this also possible? (My first problem is the main issue, but thought I might ask this as well just in case it makes a difference)
I've a string builder, and I need to convert it to a string, and then trim any commas if there are any there (I need to get rid of them because I'm building an sql query).
Here's what I'm doing:
myStringBuilder.ToString().TrimEnd(',');
Why isn't this working??? It's not trimming any commas at the end!
using vb.net/asp.net 2005 and sql server 2005. I'm querying the database and returning text which I am then adding to a string. I'm creating a crystal report with the text however this is not a crystal report question, its about the string data. what I"m noticing is that when I show the string on the pdf that there are some strange characters at the end of the string. I am both trimming the string and taking out null characters however the strange text shows up like this:
strangeText> SÙÇ TÙçy|Ü DÙÇ $ÛÇ </strangeText>
does anyone know what these characters are and how to get rid of them?
The GridView in ASP.NET 2.0 is trimming the leading spaces from data coming from a SQLServer database. I have yet to find a way to keep it from doing that. The data in this particular view is being edited to remove such spaces, but only upon editing the row can any leading spaces be seen, meaning, at present, each row will have to be touched. With 12,000+ rows, that's a little much.
What little I've found on Google has mainly be concerned with trimming leading spaces. Is there a way to force GridView to show the data exactly as it is in the database, leading spaces and all?
I am observing a rather strange behavior. I have a procedure which selects a field from a matching record and returns it. The procedure works as expected returning proper values, when I execute the procedure from Visual Studio Server Explorer tab. The procedure is
[Code]....
This is being called from the DAL as follows:
[Code]....
The problem is if @ReturnValue is EAE then cmd.Parameter[outputParameterKey].Value is giving the value "E". If @ReturnValue is "Sassyboy" it is giving "S". why this behavior?
I have a string coming from a stored procedure looks like '001234567'.
sqlCommand = new SqlCommand("csp_Bbp_OBN_GetBasePageList", BBConnection); sqlCommand.CommandType = System.Data.CommandType.StoredProcedure; sqlCommand.Connection.Open(); // Run the SQL statement, and then get the returned rows to the DataReader. accReader = sqlCommand.ExecuteReader();............
In my case, from the stored procedure I am returning the varchar, after executing and reading it I am getting the value to basePage.GrouNum which is a string. So, I don't see where it is trimming the leading zeros.
Example: GroupNumber in the table is : "001234567" BasePage.GroupNum after reading from DataReader : "1234567"
But, I do not want the leading zeros being trimmed.
What function do I use to reduce all entries in a database field to a maximum length. The field is 100 characters wide and I need to chop all existing entries in the field down to 20 characters. I prefer not to redefine the field to 20 wide to lose the data and then redefine back to 100.
UPDATE CmpyInfo SET ( ShortName to 20 characters max ) WHERE ShortName.Length > 20
I currently have a web application deployed on our intranet and it uses Active Directory to authenticate the user.It all works fine. But now im asked to somehow grant access to the application for outside vendors that are not part of AD, but they still need to keep the functionality of the AD as they dont want to manage all the users that currently use the application.Is this possible in some way?Currently users dont need to enter a password or username as they are part of AD, but users who are not get the " You are not authorized to view this page..."message. Is there any way to avoid that message and allow them to login using their own password?
How to handle asp.net mvc routing along with asp.net webform routing. I have merged my mvc app into my existing web application. In my web application i have implement routing as below:
routes.Add("View Product Details", new Route("Product/{City}/{Manufacturer}/{Name}/{ProductID}/{*ProductType}"));
Similarly i have implemented routing in mvc as below
i am having trouble running my application on iis when i enable rolemanagement. It works fine in the visual studio development server.
Is there anything i need to configure in iis to make that work?
This is the error page:
Server Error in '/testapp' Application.
Object reference not set to an instance of an object. Description: An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.
Source Error:
[Code]....
Stack Trace:
[Code]....
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1
i use visual studio 2010, SQL express 2008 on win server 2008
after running the wizard of security (created single user, set permissions like deny anonymous and allow the created user) and pressing F5 --> the site works just fine.
when i move the folder to IIS 7 and "convert to application" the login page appears but it wont accept the password i provided.
i was told that only Stackoverflow geniuses will answer this question.
i am using .Net 4, manged pipleine mode --> inegrated
IIS settings:
Anonymous Auth. --> Enabled Forms Auth. --> Enabled ASP.Net Impersonation, Basic Auth, Digest Auth, Windows Auth--> Disabled
This question is somewhat of a follow up to How serious is this new ASP.NET security vulnerability and how can I workaround it? So if my question seems to be broken read over this question and its accepted solution first and then take that into the context of my question.Can someone explain why returning the same error page and same status code for custom errors matters? I find this to be immaterial especially if this is advocated as part of the work around to it.Isn't it just as easy for the script/application to execute this attack and not specifically care whether or not it gets a http status code and more on the outcome? Ie doing this 4000 times you get redirected to an error page where on 4001 you stay on the same page because it didn't invalidate the padding?
I see why adding the delay to the error page is somewhat relevant but doesn't this also just add another layer to fool the script into thinking the site is an invalid target?What could be done to prevent this if the script takes into account that since the site is asp.net it's running the AES encryption that it ignores the timing of error pages and watches the redirection or lack of redirection as the response vector? If a script does this will that mean there's NO WAY to stop it?Edit: I accept the timing attack reduction but the error page part is what really seems bogus. This attack vector puts their data into viewstate. There's only 2 cases. Pass. Fail.
Either Fail, they're on a page and the viewstate does not contain their data. No matter what you do here there is no way to remove the fail case because the page just will never contain their inserted data unless they successfully cracked the key. This is why I can't justify the custom errors usage having ANY EFFECT AT ALL.Or Pass, they're on a page and the viewstate contains their inserted data.Summary of this vulnerability
The cipher key from the WebResoure.axd / ScriptResource.axd is taken and the first guess of the validation key is used to generate a value of potential key with the ciphered text.This value is passed to the WebResource.axd / ScriptResource.axd at this point if the decryption key was guessed correctly their response will be accepted but since the data is garbage that it's looking for the WebResource.axd / ScriptResource.axd will return a 404 error.If the decryption key was not successfully guessed it will get a 500 error for the padding invalid exception. At this point the attack application knows to increment the potential decryption key value and try again repeating until it finds the first successful 404 from the WebResource.axd / ScriptResource.axd
