Where can I find a good tutorial on setting up roles and authorizing them? I'm using Windows Authentication for an intra-net based app and need to figure out how to grant the users access to the various pages.
View 5 RepliesI am going through the Security Tutorials here on ASP.Net. I am currently working on the last part of the Membership - User-Based Authorization. The tutorial covers restricting access to specific pages or to directories using a second Web.Config file. I am running into a problem with the myLogin page DestinationPageURL. Here is what is happening: 1. When the website starts, the Login page opens. 2. If I log in with an existing user, I am sent to the Default.aspx page. That is what is in the yLogin.DestinationPageURL for the login page.
View 1 RepliesI have been using the following tutorial and had to convert the code to C# for my project, now i cant get the code to work, im getting red line under the word "in" in the UpdateRolesFromList,
i tried to add a datasource on page load for the checkboxlist like so RoleList.DataSource = PopulateRoleList(User.Identity.Name.ToString());and gives me error saying cannot implictly convert type 'void' to 'object'
[URL]What am i missing, that when i load the page or even do a search it never displays the checkbox list as it shows in the tutorial?
[Code]....
We're writing an app that has a requirement for allowing/disallowing access based on user role.In a traditional .net app of course you set the security trimming attribute in the web.config and set the nodes in the web.sitemap file and you were set.
View 2 RepliesI'm trying to use a custom Principal (with custom Identity) for security. This all works fine for logging in, out etc. I am now trying to limit access to unauthorised users within my code as follows:
[Code]....
Again, all is fine there. Except I need some more complicated rules, something along the lines of "Allow Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials". All of that information exists within a database.
I have a client asp.net website that uses ASP.Net Membership, Roles and Profile providers and Login controls. I need to expand the application so was going to use WCF Workflows, the ASP.Net website will be hosted on a different server than the WCF Services so what I want to do is get the ASP.Net Website to auth via the WCF Service. So process will go:
ASP.Net Website ------------------> WCF Service ------------------> SQL Database (Membership, Roles, Profile, Workflow Persistence Data and Business Data)
I tried creating a custom Membership and Role providers but I have had problems managing the users (Membershipuser class) saying null when a vaild user has been return by the WCF Service as can access the properies but not the methods.
I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
I am "DomainMyDomainUserName" If I do this:
[Code]....
I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:
[Code]....
I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:
[Code]....
I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:
[Code]....
I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.
What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).
Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:
<authorization>
<allow roles="Global, Region" />
<deny users="*" />
</authorization>
I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:
<authorization>
<allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
<deny users="*" />
</authorization>
I realize I probably should have a new role for this scenario, but I'd like to avoid that.
I am building a subscription based web site, which currently has three subscription levels, i.e. Horses, Soccer, and Horses and Soccer. I was thinking of implementing standard role based authorization, where a Horses subscriber would get roles including those to use the Horses section, etc.
Should I use a standard role provider, and when a member subscribes to the site, assign roles for his subscription to him, or use a hierarchical role provider, that when asked for the roles for a member, only then uses the member's subscription level to 'calculate' a set of roles for the member.
Is there to implement roles authorization on those ActionLinks?
View 5 RepliesI'm having trouble setting up a custom NEW User Screen. Here is my situation, I have a Request for Access Screen that uses the CreateNewUser Wizard Control. I want to leave the Question and Answer for this, however I also want a custom NEW User Setup which I build myself to allow the system administrators to setup users, but for this setup I don't want the administrators to have to pick the question and answer for the NEW user, so I would like to bypass this for this setup. However, my Membership.CreateUser keeps asking for it. How can I accomplish this? I've included a copy of my current web.config file. You will notice a AspNetAdminMemberhip which I use to allow the System Administrators to reset passwords.
<?
<
<
<
<
<
<
<
<
</
</
</
</
<
<
<
<
</
<
<
<
<
xml
version="1.0"?><configuration>configSections>sectionGroup
name="system.web.extensions"
type="System.Web.Configuration.SystemWebExtensionsSectionGroup,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">sectionGroup
name="scripting"
type="System.Web.Configuration.ScriptingSectionGroup,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">section
name="scriptResourceHandler"
type="System.Web.Configuration.ScriptingScriptResourceHandlerSection,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
requirePermission="false"
allowDefinition="MachineToApplication"/>sectionGroup
name="webServices"
type="System.Web.Configuration.ScriptingWebServicesSectionGroup,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">section
name="jsonSerialization"
type="System.Web.Configuration.ScriptingJsonSerializationSection,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
requirePermission="false"
allowDefinition="Everywhere"/>section
name="profileService"
type="System.Web.Configuration.ScriptingProfileServiceSection,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
requirePermission="false"
allowDefinition="MachineToApplication"/>section
name="authenticationService"
type="System.Web.Configuration.ScriptingAuthenticationServiceSection,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
requirePermission="false"
allowDefinition="MachineToApplication"/>sectionGroup>sectionGroup>sectionGroup>configSections>connectionStrings>add
name="LBX_ChangeControlConnectionString"
connectionString="Data
Source=10.31.30.26;Initial Catalog=LBX_ChangeControl;Persist Security Info=True;User ID=sa;Password=wstinol"
providerName="System.Data.SqlClient"/>remove
name="LocalSqlServer"/>add
name="LocalSqlServer"
connectionString="Data
Source=10.31.30.26;Initial Catalog=LBX_ChangeControl;Persist Security Info=True;User ID=sa;Password=wstinol"
providerName="System.Data.SqlClient"/>connectionStrings>system.web>membership>providers>add
name="AspNetAdminMembership"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="LocalSqlServer"
applicationName="/"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
enablePasswordRetrieval="false"
maxInvalidPasswordAttempts="5"
minRequiredPasswordLength="8"
minRequiredNonalphanumericCharacters="1"
/>
</
</
<
<
<
<
<
<
<
<
providers>membership>roleManager
enabled="true"/>authentication
mode="Forms"/>profile
enabled="true">properties>add
name="FirstName"
type="string"/>add
name="LastName"
type="string"/>add
name="Gender"
type="string"/>add
name="ProfileImageID"
type="string"/>add
name="Department"
type="string"/>add
name="PhoneNumber"
type="string"/>properties>profile>pages>controls>add
tagPrefix="asp"
namespace="System.Web.UI"
assembly="System.Web.Extensions,
Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>controls>pages>
Set compilation debug="true" to insert debugging
symbols into the compiled page. Because this affects performance, set this value to true only during development.
<
<
<
<
<
<
</
<
<
-->compilation
debug="true">assemblies>add
assembly="System.Web.Extensions,
Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>add
assembly="System.Design,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>add
assembly="System.Web.Extensions.Design,
Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>add
assembly="System.Windows.Forms,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/><add
assembly="CrystalDecisions.CrystalReports.Engine,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.ReportSource,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.Shared,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.Web,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.ReportAppServer.ClientDoc,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.Enterprise.Framework,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/><add
assembly="CrystalDecisions.Enterprise.InfoStore,
Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/></assemblies>compilation>httpHandlers>remove
verb="*"
path="*.asmx"/>add
verb="*"
path="*.asmx"
validate="false"
type="System.Web.Script.Services.ScriptHandlerFactory,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>add
verb="*"
path="*_AppService.axd"
validate="false"
type="System.Web.Script.Services.ScriptHandlerFactory,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>add
verb="GET,HEAD"
path="ScriptResource.axd"
type="System.Web.Handlers.ScriptResourceHandler,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
validate="false"/>add
verb="GET"
path="CrystalImageHandler.aspx"
type="CrystalDecisions.Web.CrystalImageHandler,
CrystalDecisions.Web, Version=10.2.3600.0, Culture=neutral, PublicKeyToken=692fbea5521e1304"/></httpHandlers>httpModules>add
name="ScriptModule"
type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>httpModules>system.web>system.webServer>validation
validateIntegratedModeConfiguration="false"/>modules>add
name="ScriptModule"
preCondition="integratedMode"
type="System.Web.Handlers.ScriptModule,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>modules>handlers>remove
name="WebServiceHandlerFactory-Integrated"/>add
name="ScriptHandlerFactory"
verb="*"
path="*.asmx"
preCondition="integratedMode"
type="System.Web.Script.Services.ScriptHandlerFactory,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>add
name="ScriptHandlerFactoryAppServices"
verb="*"
path="*_AppService.axd"
preCondition="integratedMode"
type="System.Web.Script.Services.ScriptHandlerFactory,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>add
name="ScriptResource"
preCondition="integratedMode"
verb="GET,HEAD"
path="ScriptResource.axd"
type="System.Web.Handlers.ScriptResourceHandler,
System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>handlers>system.webServer>location
allowOverride="true"
inheritInChildApplications="true">appSettings>add
key="CrystalImageCleaner-AutoStart"
value="true"
/>add
key="CrystalImageCleaner-Sleep"
value="60000"
/>add
key="CrystalImageCleaner-Age"
value="120000"
/>appSettings>location>system.net>mailSettings>smtp
from="Lockbox@tdbanknorth.com">network
host="ME6AWMAIL01.bkng.net"
password=""
userName=""
/>smtp>mailSettings>system.net>configuration>
I have a multi level application that I am developing and need to block multiple rows from being joined. I know how to hide one role but I cannot figure out how to hide multiple.
Here is my current code
[Code]....
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests herehttp://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can some one put in simple terms what the advantages of claims based authorization are.
View 1 RepliesNewb question: what is the standard practice for assigning roles to newly signed-on members. Is it usually manual or is there a way of automatically assigning roles. Being completely new to this, I am confronted by the issue of my site having three different roles that new members could fall into, but am unsure about how to assign each a role. I can't imagine having to go through the process manually if I have thousands of members.
View 6 RepliesI'm looking for a website or a tutorial of some kind to help me get started on this part of my project. I need my intranet website to use the already in place active directory. However, I have never done this before and have no idea where to start.
View 3 RepliesI am creating an application hosted on GoDaddy.com. The base files are kept in a folder called /sky while the Admin files and User files are kept in /sky/Admin and /sky/User respectively. I'm having difficulty configuring the security so that when a user tries to access Admin or User files they should be redirected to the login.aspx file in the /sky folder. I keep getting an error that its trying to access sky/sky/login.aspx instead of just sky/login.aspx.
Here are the relevant sections of my web.config file.
<?xml version="1.0"?>
<configuration>
...
<location path="sky/admin">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*"/>
</authorization>
</system.web>
</location>
<location path="user">
<system.web>
<authorization>
<allow roles="Admin,User" />
<deny users="*"/>
</authorization>
</system.web>
</location>
<system.web>
<customErrors mode="Off" />
<authentication mode="Forms">
<forms name="login" loginUrl="login.aspx" />
</authentication>
...
</system.web>
...
</configuration>
Can someone point me to articles or provide assistance with the proper configuration?
[ASP.NET 3.5, FormsAuthentication, SQL Server]
In the Roles table there is Role, and RoleType.
I have 3different roles, 2 of which have sub-roles.
Example
Role----------------------Type
Adminstrator
Subscriber---Basic
Subscriber---Business
I need to implement Code Access Security, and URL based security using the roles & types...
For instance, the (Subscriber/Basic) would need to view a different set of pages, and have different access to things then a (Subscriber/Business).
I think I can handle the Code Access security with a custom attribute, but I am unsure to how enforce a User be apart of 2 roles in the URL Authorization.
I am currently using the web.config to deny/allow access to the directories/pages.
e.g.
/Areas/Admin/web.config
[Code]....
Is it possible to force the user to be apart of 2 roles with this technique?
I've been working through the ASP.NET Security Tutorial 12, seen here:
http://www.asp.net/%28S%28pdfrohu0ajmwt445fanvj2r3%29%29/learn/security/tutorial-12-cs.aspx
Part of this tutorial entails setting up a GridView which is bound to the collection of UserAccounts, and then enabling paging on the GridView. There are the usual four links for First, Prev, Next, and Last pages, which should work because I have twelve users defined, and the pagesize of my GridView set to 5. I've set up the code to enable or disable the paging links depending on what section of the entire UserGrid is currently visible.
So when I first run the website and go to the ManageUsers.aspx page, I would expect to see only the first five users in my collection. But it shows all twelve.
I must have overlooked something, but I can't find it in the text and examples.
What is the authentication mode available in ASP.NET? How do you set authentication mode in the ASP.NET application? How do you provide secured communication in ASP.NET? List out the difference between windows authentication and form authentication. ?
View 3 RepliesI'm using Forms authentication in ASP.NET MVC website and I store user account login name in AuthCookie like this: FormsAuthentication.SetAuthCookie(account.Login, false); I want to ask if there is a possibility that user on client side will somehow manage to change his login name in AuthCookie and thus he will be for example impersonated as someone with higher privileges and authorized to do more actions than he is normally supposed to have. Also is it better to save in this cookie user account login name or user account ID number?
View 3 RepliesI'm using Visual studio 2005 with C# on .NET framework 2.0.. I am implementing forms authentication in this project but the problem is when I'm on registration form ( outside login) and try to open any window on that form using java script (window. open) it redirects me to login page. How should i tackle this problem??
View 1 RepliesI have an ASP.NET application that can be installed with either Forms Authentication or Windows Authentication. All of my customers install using Windows Authentication. I use Forms Authentication in-house as it is easier for me to work with different clients. But enough about that.
I have a module as part of my application for Mobile Users. It displays a very simple HTML interface for low bandwith phones and air cards. It seems that some phones when going to this type of site that is Windows Authentication, it throws an error saying that you aren't authorized to view the page. From a computer, it will ask for credentials.
What I would like to do is use Windows Authentication Or Forms for my Main Application, but in the MOBILE folder, it would be nice if I could use FORMS Authentication. Can I mix the two? Can I just add a Web.Config to the folder for the Mobile Files and put FORMS Authentication?
The only other way I thought of doing this is:
1) create a seperate installable application that is always FORMS Authentication that is not part of the main application. Which sucks, as I now have to manage two applications.
2) In the main Web.Config I can set that folder to have no authentication and it will be avail to anyone, and then enforce my own authentication on the few pages it contains.
I'm using a Custom Role Provider for authorization.
There are 2 roles: "VIEWER" and "SYSTEM_ADMINISTRATOR".
I have set up my role for my account as "VIEWER".
Roles.GetRolesForUser(this.User.Identity.Name) returns "VIEWER"
User.IsInRole("SYSTEM_ADMINISTRATOR") returns false
Web.Config contains below:
<location path="Administration">
<system.web>
<authorization>
<allow roles="SYSTEM_ADMINISTRATOR"/>
<deny users="*"/>
</authorization>
</system.web>
</location>
However, I can still access the ~/Administration pages.
Even if I change the web.config to:
<location>
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
I can still access any of the pages, but I shouldn't be able to access any page when this is set. Correct?
I'm pretty sure my Role Manager is working fine (see above calls to User and Roles), but here's the config:
<roleManager enabled="true" defaultProvider="MyRoleProvider" >
<providers>
<clear/>
<add type="MyNamespace.MyRoleProvider" name="MyRoleProvider"/>
</providers>
</roleManager>
I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.
Trivial question:
Noticed the following error whilst trawling the logs:
Authorization rule names cannot contain the '*' character
I have the code:
[Code]....
Does that mean I don't need to make and authorisation rules - I had used:
[Code]....
Now - is that completely redundant? Also, is * wrong syntactically?