I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.
look at the attached web.config? The last part doesn't seem to work although the path is correct. I've tried logging on the site with a use which is in no groups, but it can still access the page...
In my web.config file, I have an authorization section that is supposed to deny all users EXCEPT for those included in the group specified. However, my login form doesn't allow these users to proceed to the next page - the login form just reappears as if the user has been denied. Code:
[Code]....
I have a user named 'test' that is in the Student Council group. I've tried 'allow users' and 'allow roles' with no success. I've also confirmed that the user is able to log into any workstation in my domain.
I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...
My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:
[Authorize(Roles="Administrators")]
However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:
[code]....
However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.
If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.
I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:
[Code]....
I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:
[Code]....
I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:
[Code]....
I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.
What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).
I hv Declared two Master page one Is Base and Derived.. Base Page Load is working but when i hv written load controls in Derived Page Load Using C# it's not working..
A few years ago I worked with a team that developed what we thought, at the time, was a unique security model for a company ecommerce site. We wrapped every object (that we cared about) with a authorization / role check. So internal and external would use the same site but what fields, buttons, links etc. that they saw varied with their authorization / role assignments. I know .NET now has some RAD (Rapid App Dev) tools for security / authentication / authorization. Everything I have been reading is based upon securing pages / folders / areas of a site but nothing about the level of granularity we took it to so:
1. Was this not such as good way to go back when we did it?
2. I thought Microsoft had an entire security "plug-in" (Not Windows Authentication). Database, roles, etc.
(Don't get me wrong they have made life a ton easier with what they have given us)
3. What is the current method / practice in use for reasonably high security ecommerce environments. Cookieless Forms Auth? Something new altogether?
Currently, when the authorization fails, it redirects to the login page by default. However if the user is logged in, it makes no sense to be redirected to the login page. I would like it to be redirected to an eror page instead.
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests herehttp://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can some one put in simple terms what the advantages of claims based authorization are.
I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.
The url format is somewhat like: [URL] To allow users to visit the login and recovery page, I've added the following entries to my web.config:
[code]....
Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard? I want the login and recovery page etc. to be available regardless of the culture.
I have the following authorization rules in my web.config:
[code]....
Except for the path attribute these two rules are the same. Is there a way to combine these two rules into one like path = Register.aspx, ForgotCredentials.aspx.
To test I have been using "Administrators" which is a valid role so should allow me access and "TEST" which isnt. This works fine when using the above attribute however when I comment that out and use this in my Web.Config file:
Why is it that I can run my website in vs 2005 and bs 2008 but it won't work on this live hosting site? I'm told there is a invalid character right where my connection string begins.
This is madness. I have never had this issue before. I looked at my web.config in internet exploer. IE has an add on to validate xml. It gives the error message:
The XML page cannot be displayed
Cannot view XML input using XSL style sheet. Please correct the error and then click the Refresh button, or try again later.
A name was started with an invalid character. Error processing resource 'file:///C:/zlinkexchange/web.config'. Line 55, Po... <add name="sqlConnectionString" connectionString="Data Source=localhost;Initial Catalog=Linkexchanger;Integrated Sec..
Anyone have some connection strings that work? I followed the example on Arvixe hosting website but it doesn't work...
I want to call a javascript method during page load. I am using application.master of the sharepoint server 2007 as the master page . In the content page i want to call a custom method named OnLoadFun() during loading the content page. I have written the function inside script tag in the PlaceHolderAdditionalPageHead id section of the content page.
[Code]....
How do i call the OnLoadFun method so the i is being called onload time. i tried putting window.onload=OnLoadFun surrounded by script tag within the PlaceHolderMain content section.
On page load is there a way to enumerate all the nest user controls for that specific page load?
I'd like to be able to enumerate all the user controls that implement an interface, and call the interface method for the controls before asp.net passes control to thier page_load events.
The problem is from the master page level, any page in the app could be loading, and each of them could have any random user control, and I need the type reference to determine if they implement the interface, and to call the method.
Is it possible to have location authorization nodes in a web.config be external?
Such that I could take all of the nodes simlar to
[code]....
And move them outside of the web.config or something simlar? I find these nodes at an extreme amount of noise to a web.config when they're relatively static. Normally my approach would be to config source something like this but since it falls under the root node I'm not sure of it's possible with these nodes.
Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:
I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this: