Security :: Restricting Access To One Page Not The Whole Website?
Jan 29, 2011
I'm trying to restrict access to one page on my website. However, the code I'm using doesn't seem to work for this purpose. I can get the code to work by removing the following out of the web.config.
This works fine by preventing access to the page unless a password is entered. However, I've realised that if I type the page name into the browser this will by-pass the login page and allow access to the page I want to lock down.
I have an image (say abc.gif) that I would like to allow the user to "view" only if he is logged in to my system. Currently I am checking whether he is logged on to my system using session variables.
I have an application wherein the User Authentication is from the AD using Directory services.
If I type in the address of a valid page from the application into the Address Bar, it throws me to the Login Page.
However if I am logged in and I type in the address of a valid webpage, the application takes me to the page. Is there any way that this can be restricted?
If I type in the URL into the address bar the application should throw me to the Home page of the application.
I'm using user membership and roles. Below is my web.config for subfolder restriction.
[Code]....
The way I have above, no one can access this folder, mySub, except Administrators, Editors, and Members. However, here's what I want. I want to allow all and any user to the default.aspx page of this mySub folder and deny any other pages if they're not Administrators, Editors, and Members. One last thing, also deny access to addWord.aspx if they're not Administrators and Editors. I know I can list all the pages and give them various permissions but I do not want to list all the pages. What's the best and easiest way to accomplish this?
I have a folder that cannot be accessed by anyone except the management role of my web site. But, I added a folder to this and it can be accessed by anyone.
Of course, I can explicitly set the access to only a specific role(s) but I would like to know if I can set it so that even folders nested inside a restricted folder can take on the same permissions settings as the folder in which it is nested.
I have seen an existing post which explains how you can restrict access to an ASPX page using:
[Code]....
This works as in it keeps those who are not a member of Administrators AD Group from being able to view the webform but for some reason when I implement the above it locks even the Administrator user out which is not what I wanted at all. My web.config is as:
[Code]....
As you can see I have tried to restrict it also through the web.config file but neither approach has worked.
I have a simple online store where there are products that can be put into a cart and purchased. There is an admin page that can be logged into so that new products can be added or existing products can be removed or edited. To get to the admin area I need to put a /admin/index after the main page loads up. If I want to give my friends (from any location) the ability to add new products should I create a link to the admin area on the main page (like at the bottom) of the main page or should I just tell them to type in /admin/index after they go to the webpage?
Per different user mode, some pages should not be accessible by users unless they have a valid session key. In your opinions -- would it be better to have a list of acceptable pages in the master page, and check if the current page is valid for the current user? Or handle this on every child page? I'm thinking master page, just want to hear what your input would be.
I am sending the following xml to access a website and getting the error with the stack. I have spent weeks on it and getting no where. I am willing to pay for the advice as well, as I am getting sick of this!
I have a simple intranet site. It has a role based authorization in the web.config file.
Any users in a specific role called "Apr-Sales-Writers" will be authorized to use those pages. If not, they will not be authorized. So far so good. Works fine. But we added additional functionality where a new active directory group (means new role) has to be added and users belonging to this new AD group should be given access to only specific .aspx pages on the intranet site. I am using a web.sitemap and it looks like this.
If the users belong to say AD group "Apr-Sales-Writers", they should access only default.aspx and salesData.aspx pages. Users belonging to the new AD group (which I did not include in the web.config file below), should have access to other .aspx pages.
I need to restrict access to my website by physical PC. When a user signs up I want to be able to restrict access to one machine for that account so it cannot be shared round, if, for example, somebody else in the same office wanted to access the system on their PC they would need a separate sign in.
I have done some investigation and I "think" the only way is installing an ActiveX component (which isn't an issue that it restricts to IE only) and then read the user's MAC address. Am I trying to over complicate things or is that the only way? I realise that MACs can be spoofed but this is not much of an issue.
My scenario is I have 4 tabs, under every tab there are five cascaded combos. So for page load itself it is calling the webservice at last and populating all parent cascaded dropdowns in all the four tabs.
Now I have made changes but it's still not working. By default [ScriptMethod(UseHttpGet = false)], so I made it [ScriptMethod(UseHttpGet = true)]. Now on tab change I added that function and it is calling the web methods when changing the tab. But after the loading it again calls the webservice and this time as the get is true it's not getting any value. And in the dropdown it's showing "error 12030".
I have implemented role based security in my asp.net 2.0 vb.net application using windows authentication and the windowstokenroleprovider and limiting access to certain pages using the location tag to specific active directory groups.
The issue is that when a user tries to access a page they are not authorized to view it brings up a login prompt and when it does not pass it takes them to the default page that tells them they are not authorized to view the page. I am wondering if there is a way to throw up a custom page that tells them they are not authorized to view the page that I can incorporate into the site itself with the header and so forth? If this page could come up in lieu of the sign in box popping up as well.
We have been using AzMan in development and all was going well until we tried using it on our QA website (Windows 2008 Enterprise SP2) and I get: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)) --- End of inner exception stack trace --- at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters) at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams) at System.Web.Security.AuthorizationStoreRoleProvider.CallMethod(Object objectToCallOn, String methodName, Object[] args) at System.Web.Security.AuthorizationStoreRoleProvider.GetClientContext(String userName) at System.Web.Security.AuthorizationStoreRoleProvider.GetRolesForUserCore(String username) at System.Web.Security.AuthorizationStoreRoleProvider.GetRolesForUser(String username) at OurApp.login.ValidateAgainstSpecificADProvider(ActiveDirectoryMembershipProvider provider) at OurApp.login.AutoValidateForAllADProviders() at OurApp.login.Btn_Login_Click(Object sender, EventArgs e) at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
This is when the call to GetRolesForUser(username) is made to the AuthorizationStoreRoleProvider. The website is running under its own machine service account and when I look at the Security tab in AzMan.msc I can see the service account has Administrator access to the store. I've tried adding to the Reader rights but this doesn't do anything.
This error has not shown up in development on Windows 7 Workstation and interestingly the local store was created in the same way from the website code, so the website service account has full access. I've checked file permissions and played around with the security settings in AzMan.msc and I cannot get it going. At one stage the error changed to "Invalid Handle". There is nothing in the event log so it's very tough to troubleshoot an obscure COM error like this. I guess it could be anything! :)
I also tried impersonating a domain account for the call based on some other posts I read on the net but this didn't work for me. The other interesting thing to note is that the website creates the store (first time) and it actually manages to create the store without any problems at all. It's just this call to GetRolesForUser that blows out.
Have a project where I need to access a RSS feed. The issue is this RSS feed, you need to be logged in as a user. They have a simple web form (login + password).
1) Post a web form with my login and password
2) Maintaining Session (w/successful login), do an additional GET to retrieve the RSS feed.
I am doing this in an ASP.Net page so it all happens server side in VB.Net
When a website is entered in a browser it should go to a login page (in localhost), and if the login succeeds then the site should be loaded, else an error page should be displayed. The login page will be connected to a local database. How to do this?
I created a page containing a dropdown list which is a list of all users and a gridview that shows all the dates that the selected user had connected (user,12/03/2009,email). The default membership generated by ASP.NET has just a lastlogindate so I insert manually the login date each time the user connects. The code is (in the login page, not in the page of access log):
Protected Sub Login1_Disposed(ByVal sender As Object, ByVal e As System.EventArgs) Handles Login1.Disposed
I have a website with many pages and many levels of user accounts, I want to give limited access for each role... So I was thinking of doing it this way, but I'm not sure if it's secure or if there are better ways to do it.
I will create a DB with two columns, user level (admin..) and page file name (test.aspx), and each time a page is opened it checks the db against the logged in user and the current page url.
I have the following pages structure in my asp.net 3.5 website. I want that if anybody directly accesses any page of my site as [URL], they will be automatically redirected to [URL]. How to do this using vb.net, asp.net?
I am trying to create a login page on my website. When I view the page in a browser and enter the login name and password, I receive the following error message:
Server Error in '/membership' Application.
Cannot open database "aspnetdb" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
Description:
An unhandled exception occurred during the execution of the current web request. review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Cannot open database "aspnetdb" requested by the login. The login failed. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'.
Source Error:
[Code]....
Stack Trace:
[Code]....
I was able to connect to the aspnetdb database using the Web Site Administration Tool. The aspnetdb database is not in the App_Data directory.
I am currently designing an ASP.Net web site that does not require any user login on the page. However, I do need to put an Admin page up along with this web page for my client to use to manage the content on the page (e.g.: Change Pictures, Updating News). For security reasons, I do not want to include a separate page residing in the site, so nobody can even try to access the page [URL]