how to implement page level and control level security in MVC applications. Also I would like to know the definition for Page Level and Control Level Security in MVC. Please refer me if any third party tools avilable to implement security in MVC.
View 1 Replies
I would like to control the menu display (show/hide menu items) in my ASP.NET 3.5 website based on the user's AD group and also control the functionality within a page using user's active directory group membership. how to do this? menu is stored in an xml file and bound to a control. all the examples I see on the web are related to forms authentication. this is an intranet website with integrated windows authentication and both authentication and authorization should be controlled using user's active directory groups.
View 1 RepliesI have to handle error related to web application. I am not sure how its works. I am thinking that I will add an error page (error.aspx) and in global.asax ,application_onError, I will redirecting the user to error page and that should be enough ! i mean it will handle error automatically.
View 4 RepliesI have a site We have different Pages under one folder. we have stored these pages information in a database table with pageid. Then we have User access table. there we store userid and pageid , for which pages user has access. Now I need to provide access to that pages only .
View 8 RepliesI have a summary page that has an Add New Record button, andEdit Record butto and a Delete Record button.Every user has ReadOnly access.However, only users with administrators Access Level can add, edit, delete, view.Users with Staffers Access Level can only Add records but cannot delete or edit.So, basically, 2 access Levels, Administrators, Staffers.Administrators can view, add, delete, update records.The rest, Staffers, can only view and Add records.I am struggling to figure this out.I have done this a ton of times using Classic ASP, something like:
If AccessLevel <> "Administrator" Then
Response.Redirect"login.asp" 'so if user has admin password, s/he ccan log in with that.
End if
[code]...
4 different groups will be using the system, each will be redirected to their own summary page based on their groupNumber.All I just want now is to ensure that a user from a particular group is redirected to his/her summary page, then that user is checked again against AccessLevel (view, edit, delete, update).
i am working in asp.net and csharp, we have 10 user, but certain user only need to put dataentry. how to enable and disable based on the user to access certain form ,like add, modify view options.
View 1 Repliesi had created a login page by using login control in VS 2008..
the register,login all wrkg very well...
in web adminstrator tool also i had created three user: admin,employee,manager...
the prob is...i dnt knw how to link the user to different page base on level...
example:
admin to admin.aspx
employee to employee.aspx
manager to manager.aspx
I am trying to use SqlCacheDependency in my web site.I got in touch with my hosting compnay and they said that they support cache but they set the trust level to medium and what I try to do needs full trust level whihch they cannot provide for me.
can someone show me a way or a code samples that use SqlCacheDependency with medium level trust?
the broker is enabled in the hosting sql server
this code raise the error that the hosting providers said that they cannot support in medium level:
System.Data.SqlClient.SqlDependency.Start(ConfigurationManager.ConnectionStrings("myConnectionString").ConnectionString)
I have the tables needed in my developer SQL server , but I don't know how or if I can set it in the hosting SQL server db
and this is my code to get the data from cache or from DB that works on my developer station:
If Cache("allitems") Is Nothing Then
I download a webchart.dll file and used it in my application. Everything went right on my local machine. But issue came when i uploaded the file on the server. I am getting trust level medium issue. The assesmbly doesnot run on medium trust level. How can i run assembly in medium trust level.
View 1 RepliesI am about to deploy an ASP .NET application (developed with LINQ-to-SQL). I have taken following precautions: Database access via user with limited access, however, since application is to access the sensitive data, I can't deprive this limited access user from it Database server is not exposed to external network - is hiding behind DMZ and all external ports are blocked I have done thorough security testing of the web-application; SQL Injections, rights management, illegal data access (via post/get data tempering) Application is operating on SSL
1 - I am using ASP .NET authorization API; any recommendation for avoiding session hijacking (in case someone some-how gets to know the session key). Is there are way to change the authentication cookie less prone to threats? Say like, changing it after every request? (I know I am get very conscious about this particular item)
2 - Data in the database is not encrypted. To make things ultra-secure, I am thinking about implementing transparent data encryption. Can someone share his/her experience or a link about implementing data level encryption with SQL Server 2008 along with pros-and-cons?
3 - Recommendation for storing connection string in web.config. Is using integrated security better then using encrypted database connection string?
I am trying to implement forms authentication in my application. It has a folder named
User and an .aspx Page named Welcome.aspx. I am trying to restrict Access to this page by directly typing address in the browser. For this I have done following setting in web.config:
<location path="User">
<system.web>
<authentication
mode="Forms">
<forms
loginUrl="Login.aspx"
name=".ASPXFORMSAUTH"></forms>
</authentication>
<authorization>
<deny
users="?"/>
</authorization>
</system.web>
</location>
It works fine for the first time and redirects to Login page when I type the URL directly in browser. But when I press back button in browser and again try to redirect, this time it redirects to Welcome.aspx. How can I avoid such a situation (Don;t want to disable back button). Also If i try to Set Location Path="User", it gices error i.e. I am not able to set folder level security
i wrote all my code on my computer so i had a high trust level, after ftping my site and database to godaddy.com i realized they have a medium level trust enviroment.... i called the tech support and they said they were sorry but they couldnt change it for me... heres my code. any idea how to get it to work in medium level trust? I am trying to create a new directory where all of a users upload goes. The folder is created dynamically when the upload page loads.
string username = User.Identity.Name;
string UpPath;
UpPath = "~\Users\UserUploads\" + username + "\";
if (!Directory.Exists(UpPath))
{
Directory.CreateDirectory("~\Users\UserUploads\" + username + "\");
}
how to get this working in medium level security?
Following is my directory structure of my web application which is also configured in IIS as virtual directory
Web Site Root
|MasterPage (file)
|Web Config (file)
|Public Contents (directory)
|ShowNewWallpapers.aspx
|Admin (directory)
| Login.aspx
|WebSiteStat.aspx
|WebConfig file (need form security here)
How is configure my both web configs to solve my issue. currently i am getting following error
It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS.
my root web config has default settings and my Admin directory has following settings
<system.web>
I want to be able specify to do the following: Specify configuration settings such as appSettings and connectionStrings for multiple web apps in IIS7 No editing Machine.config or the machine-level web.config Web apps are distinct web sites in IIS (not subfolder apps) Is this possible without just duplicating the configs for each app?
View 1 RepliesI have role assignments on both the first and second level of my menus within my sitemap file. The first level works fine, and I only see items assigned to my role. But roles assignments seem to have no effect on the second level. It seems like if you have access to the first level, you have access to everything on the second level. Is this correct?
From my sitemap (either a SalesRep or an Administrator can see everything underneath):
<siteMapNode title="Administration" roles="SalesRep,Administrator" description="Admin" >
<siteMapNode title="CompanyMaintenance" roles="SalesRep" url="~/Admin/CompanyManagement.aspx" />
<siteMapNode title="Initialize Roles" roles="Administrator" url="~/Admin/Roles.aspx"/>
</siteMapNode>
Presently i am working on bulk Sms module in Asp.net.In this i am using a window Api "WinINet"
Cls_StrRptDlrEndUsrBalDtl clsStrRptDlrEndUsrDtl = new Cls_StrRptDlrEndUsrBalDtl();
I need to implement field level security based on the roles. I have a page Employee.aspx . In that i have ten controls. If i am enter as admin role i need to show all the controls. If i am enter as user have to show only five controls. How to design the appplication for control level security?
View 5 RepliesError Description while browsing the website under IIS "The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file." Initially I deleted the virtual directory, created again, set the permission to anonymous, set the browse and execute permissions, no solution. Then after doing many trials, I found out the basic problem reading the error "not allowed by the security policy". In web configuration file if we set the security policy to Fully Trusted, then problem solved and application working fine. or Set the trust level to the main configuration file in he "C:WINDOWSMicrosoft.NETFrameworkv2.0.50727CONFIGweb.config"
View 1 RepliesI have a page with the following caching defined:
<%@ OutputCache Duration="60" VaryByParam="None" %>
I have a user control inside that page that i don't want cached. How can I turn it off just for that control?
I am attempting to access a textbox control on a master page from a code behind base class but having problems. I have 3 levels of master pages. m1.master is the master page for m2.master which is the master page for m3.master.m3.master has a textbox as shown below
<%Master
Language="C#"
MasterPageFile="~/m2.master"
AutoEventWireup="true"
CodeFile="M3.master.cs"
Inherits="M3"
%>
<asp:Content
ID="Content5"
ContentPlaceHolderID="M2"
Runat="Server">
<asp:TextBox
ID="text1"
runat="server"
></asp:TextBox>
<asp:ContentPlaceHolder
ID="M3"
runat="Server"></asp:ContentPlaceHolder>
</asp:Content>
I have a content page c1.aspx that uses m3.master as its master page as shown below:
@
Page
Title=""
Language="C#"
MasterPageFile="~/m3.master"
AutoEventWireup="true"
CodeFile="c1.aspx.cs"
Inherits="_c1".................
There seems to be an issue with the "Trust" level when executing within a "Cloud" environment. In order for the following app to work it needs a trust level of at least "Medium." This web app is developed using VB.NET 3.5, and Visual Studio 2008. The app works perfectly on my local sever but when deployed/published to the "Cloud" it returns the error: System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. I have added all 4 required values, ConsumerKey, ConsumerSecret, OAuthToken, and OAuthTokenSecret to the web.config file in the "appSettings" section of the "configuration"
[Code]....
If found that by going to [URL] and signing into the account that is using the application, then go to the "Settings" page, go to the bottom of the page and click on the "API" menu option. Once the API page appears you will clik on the button "2", Register An App. On the right side on the new page, you will see a button "View Your Applications." If you have previously registered your app, click this button, If not fill out the appliction for a new app. Now at the View your Applications page, select the app you want to get the authorization keys for where is says "Edit Details". Now click on the button to the right that says, "Application Detail." Here you will find your Consumer Key and your Consumer Secret Key. On the right side of this page you will see the menu option "My Access Token", click it and you will find your oauth_token and your oauth_token_secret keys! Not that you have all the keys, put them in the "appSettings" section of the web.config file. Add "Dim twConn As New TwitterVB2.TwitterAPI" at the top of the page.
I then created a subroutine where I pass in the Tweet:
[Code]....
This code works great in an enviornment that allows at least a "Medium" trust level. However it appears that many of the "new" hosting envrionments such as "Cloud Hosting" and others do not allow this trust level automatically!However if the trust level is less than "Medium" on your host you will likely receive the error message: "Twitter Returned: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed." If anyone has found a fix for this "Trust Level"
I've exempted the irrelevant bits of code. Essentially, I am trying to change the URL of an image control inside of an update panel inside of a custom user control from a function called inside an update panel from my main page. Using UpdatePanel.Update() isn't working: I end up waiting for the next full page POST to occur before all the updates I make to CustomControl from buttons within the main page's update panel are visible. I verified that Update() was being called via the debugger: there are no issues in that department.
Here, you can see Custom Control and the Button declared. The button is in an update panel to avoid giving a full POST and causing the whole page to reload.
<cust:CustomControl runat="server" ID="CustomControl1">
<asp:UpdatePanel runat="server" ID="UpdatePanel1"> <ContentTemplate>
<asp:Button id="Button1" runat="server" OnClick="DoStuff" />
</ContentTemplate> </asp:UpdatePanel>
This control stores images within their own seperate update panels because rerendering the images is very slow (it requires processing arrays of millions of datapoints) and the user only ever needs to modify one image at a time. I'm using Image1 as an example.
[Code]....
we have about 4 web applications in our company with seprated login pages, is it available to have a unique login page and after login let user choose what application he/she needs ?
View 4 RepliesIf I disable ViewState at Page level, will it be remembered for GridView inside the page?
View 1 RepliesI want to capture errors on a per-page level. I've added the following code to my code behind page:
public void Page_Error(object sender, EventArgs e)
{
Response.Write("Unhandled error on the page.");
}
I have also ensures that AutoEventWireup="true".
I have some gridviews on this webpage that use a SQLDataSource. I'm hoping to use this error message (which will be better when I get it working, response.write is mostly just to test) to cover up those errors with something more user friendly. Yet when I have an error ("Cannot open database" for instance), Page_Error never fires and I get the ugly yellow screen of death instead.
