VS 2010 - Combining Web Config Role Authorization With Web Sitemap?

Jun 13, 2012

I have a sitemap defined in a web.sitemap file and I'm also doing role-based authorization for locations using web.config. I'm using the web.sitemap to generate a menu structure on a Master page, and I wanted to somehow hook the role-based auth from web.config into my menu to hide links to pages that would be denied access from the roles auth.

Is it possible to read the list of <location path=""> and associated role authorizations (allow or deny) from web.config so I can check that against the web.sitemap when generating the menu structure?

View 8 Replies


Similar Messages:

Roles Authentication Works Using Authorization Attribute But Not Via Authorization In Web.config?

Mar 29, 2011

I am using ASP.NET MVC 3 and am trying to do something that should be really straightforward...

My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:

[Authorize(Roles="Administrators")]

However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:

[code]....

However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.

If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.

View 1 Replies

Security :: Claims Based Authorization VS Role Permission Based Authorization?

Apr 26, 2010

Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests here: http://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization, which to me looks very similar to what we have. Can someone put in simple terms what the advantages of claims based authorization are?

View 1 Replies

Web Forms :: Parser Error Message - XML Sitemap Config File Web.sitemap Could Not Be Loaded

May 11, 2010

We are getting this error message when we try to click the link in the menu to go to Report Server:

Source Error:
Line 31: <siteMapNode title="Reports" description="Reports">
Line 32:
Line 33: <siteMapNode url="https://ffxsqldgc01.ffx.co.fairfax.va.us/Reports/Pages/Folder.aspx?ItemPath=%2fDPZ&ViewMode=List" title="View Reports"
description="Click here to view the reports" />
Line 34: </siteMapNode>
Line 35:

I tried to add after the &, as it was suggested on one of the forums, but it did not work. Any other ideas?

View 5 Replies

VS 2008 Creating Role Based Authorization?

Feb 9, 2011

I have seen articles on Role Based Authorization in MS SQL Server with ASP.NET, but I did not find any article for MySQL with ASP.NET/VB.NET. I have achieved this concept using the session user name: I am enabling certain parts of the website for Group A and certain parts of the site for Group B, but when I have more groups I cannot use this method.

My requirement is:

In Web applications, typically there exist certain parts of the site that only certain folks, or groups of persons, can access. For example, imagine a Web site used to administer the content on a company's public Internet Web site, where the public Web site lists products sold by the company. From the administrative site, all company employees might be able to make minor changes to the products' descriptions, quantity, and other such non-essential information. However, perhaps only a subset of trusted employees might be able to change the products' prices. And an even smaller subset of employees would be able to add new products or delete existing products from the database. I would be delighted if anyone could provide the solution.

View 9 Replies

C# - Get List Of Users Belonging To A Role Using Authorization Manager

Apr 8, 2010

Using ASP.NET (C#) I have set up Authorization Manager to allow me to handle roles on a website. Adding users to roles is simple: Roles.AddUserToRole("DOMAIN\UserName", "role"). However, I want to list the users belonging to a role, but since they are stored as SIDs, displaying them would not be that helpful. To get the users, I am thinking XML would have to be used, although is it possible to use COM Interop to both do that and get the user name? Either way, how can I get the users belonging to a role?

The table to manage roles would basically be like this:

Role     User
----     ----
admin    DOMAINUserName [delete]
         DOMAINUserName2 [delete]
         [add user text box]
news     DOMAINUserName3 [delete]
         [add user text box]

View 2 Replies

Authentication With ActiveDirectory And Authorization With Custom Role Provider

Feb 21, 2010

I've just started a small ASP.NET web application. In this project, I need to authenticate the users with Active Directory. I managed to authenticate the users successfully with Active Directory. But with Authorization with Custom Role Provider, I'm so confused. You see, the user name and password are stored in AD. So, my approach is that after the LoggedIn event of the Login Control, I check if the UserName is not yet stored in the Users table, and then I store the UserName there. Finally, I have all the UserNames of the AD users stored in the Users table so I can assign Roles to the users. See my tables diagram below:

Let's say I assign UserA to RoleOne. After he logs in successfully, I do some query to look for his Roles.

Where do I keep the Role ticket? In the Cookie or in the session? How does the authorization of the ASP.NET role provider work? I want to store the authorization ticket like the ASP.NET role provider does too.

View 1 Replies

VS 2008 - Role Based Authorization For ASPX Pages

Aug 2, 2011

I am having a very simple intranet site. I took the sample for my project from [URL] ....

I have integrated Windows authentication with role-based authorization. There are only 3 .aspx pages and I have a tree view control on the master page. Depending on the choices that the users make on the tree view control, the .aspx pages get displayed.

There are only 2 Active Directory groups: Sales and Marketing. My network ID is not in the Sales AD group. So obviously it prompts me to put in a user ID and password and it throws a not authorized error when I try to access the PortfolioData.aspx page. So far so good.

But I am a member of the AD group MARKETING. I should be able to open the page Schedules.aspx (please see the config file below). But I still get the error message 401.2.: Unauthorized: Logon failed due to server configuration.

Code:

<!--
<authorization>
<allow roles="domainADGROUP_SALES"/>
<deny users="*"/>
</authorization>

[Code] .....

View 2 Replies

Security :: Authentication With ActiveDirectory With Authorization With Custom Role Provider?

Feb 21, 2010

I've just started a small ASP.NET web application. In this project, I need to authenticate the users with Active Directory. I managed to authenticate the users successfully with Active Directory. But with Authorization with Custom Role Provider, I'm so confused. You see, the user name and password are stored in AD. So, my approach is that after the LoggedIn event of the Login Control, I check if the UserName is not yet stored in the Users table, and then I store the UserName there. Eventually, I have all the UserNames of the AD users stored in the Users table so I can assign Roles to the users.

Let's say I assigned UserA to RoleOne. After he logs in successfully, I do some query to look for his Roles.

Where do I keep the Role ticket? In the Cookie or in the session? How does the authorization of the ASP.NET role provider work? I want to store the authentication ticket like the ASP.NET role provider does too.

View 1 Replies

Security :: Finding Guideline For 'Role-based Authentication/authorization'?

Aug 26, 2010

In my ASP.NET website in VS 2005 with SQL Server 2005 as the database, I need to implement role-based Authentication/Authorization.

I am familiar with the practices used in role-based authentication, as I have previously worked on projects that used this method. However, my project lead used to design the database. Now I have an existing website where authentication has been set to anonymous by setting 'allow users="?"' in the authentication tags in web.config.

If I use the CreateUserWizard control and use the Membership.CreateUser(.....) method in code-behind, will the ASP.NET security tables, like users, roles, userinrole etc., get created on their own?

View 3 Replies

Security :: Role Based Authorization Using Forms Authentication Fails?

Oct 5, 2010

I am trying to implement a simple role-based authorization using forms authentication in ASP.NET. It works perfectly fine on my local system but fails when I deploy to production (shared hosting). Whenever I try to log in, rather than taking me to the default page in the specified directory, it throws me back to the login page. I suspect that there are some issues with the configuration but am not sure where the problem is. The code is provided below:

Web.config (root):

[Code]....

Web.config (Member directory):

[Code]....

Login.aspx:

[Code]....

Global.asax:

[Code]....

Works fine in local machine but shared hosting is not taking the authenticated user to the pages inside the secured folders. What can be the issue?

View 1 Replies

Web Forms :: Role Based Authorization And Page Access Using Session?

Jun 16, 2015

I am developing a web application in ASP.NET. I have many .aspx pages in the project; some of them belong to Admin and some of them to Customer. How can I divide them, and how can I give access to the admin pages to the admin login and to the customer pages to the customer login?

View 1 Replies

Web Forms :: Sitemap: Can't Sub Nodes Further Restrict Role Access

Sep 24, 2010

I have a menu in my application (created from the sitemap) which I want available to two user roles. However, there are items on that menu, I want available only to one role or the other. So I have created the following in my sitemap.

[Code]....

Essentially, I want employees with the "TimeUser" role to see the "My Profile" link that goes to the EmpProfile.aspx page, but not the link to the client profile page. However, when an employee logs in, they see both. I am guessing this may be because the "My Account" node which contains them allows both roles. Is there a way around this without duplicating the "My Account" node?

View 2 Replies

Web Forms :: Menu - Role Security Not Working On Second Level Of Sitemap

Sep 24, 2010

I have role assignments on both the first and second level of my menus within my sitemap file. The first level works fine, and I only see items assigned to my role. But roles assignments seem to have no effect on the second level. It seems like if you have access to the first level, you have access to everything on the second level. Is this correct?

From my sitemap (either a SalesRep or an Administrator can see everything underneath):
<siteMapNode title="Administration" roles="SalesRep,Administrator" description="Admin" >
  <siteMapNode title="CompanyMaintenance" roles="SalesRep" url="~/Admin/CompanyManagement.aspx" />
  <siteMapNode title="Initialize Roles" roles="Administrator" url="~/Admin/Roles.aspx"/>
</siteMapNode>

View 3 Replies

Dynamically Modify Role Permissions And Also Generate The Appropriate Sitemap / Menus?

Jun 28, 2010

I'm doing some research on security and sitemaps in ASP.net and am unfortunately running short on time. I have not worked too much with ASP.net security so I'm not completely sure if I'm heading in the right direction.

Here is my problem:

I have a public website (i.e. on the internet) that will allow any user to sign up to. The website will be developed using ASP.net webforms. These users may create other users and assign these users different roles.

Different roles have different restrictions and the menu is displayed appropriately. For example, a user acting as an administrator can see all menu options. Whereas a limited user will only see some of these menu items.

There needs to be the ability for users on our end to modify what pages certain roles can access. For example, if Role1 can do task X, we would like to be able at some point to modify Role1 to no longer do task X. This would be done using an application built in-house.

User types (roles) are to be saved in the database. User permissions (what pages each type can have access to) are also to be saved in the database.

Here is something I am thinking of doing:

1. Implement the authorization and authentication set up built in to ASP.net using the web.config file
2. Use Sitemaps to dynamically create menus/breadcrumbs from the database

I believe it is possible to do the second one using custom providers (please correct me if I'm wrong). But I am not entirely sure if it's possible to configure the web.config file dynamically.

I suppose this is really more of a yes/no answer but I would just like to make sure I'm not going in the wrong direction. I will be using VS2008 and .net 3.5 framework.

View 1 Replies

Web Forms :: Add Update Delete SiteMap Role Attribute Programmatically Using C#

May 7, 2015

I am using this article to hide and show the menu for a specific user only. My question is how I can Add, Delete and View the Roles for a specific menu.

View 1 Replies

Security :: Lock Down Certain Sitemap Menu Items Based On The Users Role ?

Jan 21, 2010

My web app has 3 roles. I need to lock down certain sitemap menu items based on the user's role, and what I'm using isn't working.

My roles are Supervisor, Manager, and User.

[Code]....

I only want those roles to see those menu options, I do not want someone with a user role to see those options at all. Currently if I log into my site with a user role, I'm seeing everything on the menu (via the sitemap).

View 5 Replies

IIS Ignores Authorization In Web.config?

Sep 2, 2010

I have a problem using windows authentication and the authorization-tag in web.config for my asp.net application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in asp.net development server that comes with visual studio 2010, it works perfect.

Why will it not work in IIS? And how to solve it?

[code]....

View 1 Replies

Web.config - Wildcards In Location And Authorization?

Dec 7, 2010

In my ASP.Net application I'm using URL routing.

The url format is somewhat like: [URL] To allow users to visit the login and recovery page, I've added the following entries to my web.config:

[code]....

Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard? I want the login and recovery page etc. to be available regardless of the culture.

View 3 Replies

Web.config - How To Combine The Authorization Rules

Jan 28, 2010

I have the following authorization rules in my web.config:

[code]....

Except for the path attribute these two rules are the same. Is there a way to combine these two rules into one, like path = Register.aspx, ForgotCredentials.aspx?

View 3 Replies

Using Multiple Authorization Elements In Web.config?

Feb 4, 2011

Is it possible to use multiple authorization elements in a single web.config to allow additional users access to one file?

E.g., I would like to allow User1 access to the whole application (including Page1.aspx), and User2 access to only Page1.aspx:

[code]....

View 2 Replies

Web Config - How To Apply The Authorization In Two Different Folders

Feb 18, 2011

I have two folders in my ASP.NET website, namely VENDORS and ADMIN.

When any user accesses any of the pages inside the ADMIN folder, I want it to redirect to Admin/login.aspx until they log in ....

When any user accesses any of the pages inside the VENDORS folder, I want it to redirect to Vendors/login.aspx until they log in ....

How do I do that using web.config authorization ....

View 2 Replies

.net - Cannot Set Authorization Rules In Web.config For WCF Service

Feb 9, 2011

I read on a post that you can use ASP.Net authorization in the web config to control access to a WCF web service to replace the following attribute:

[PrincipalPermission(SecurityAction.Demand, Role="Administrators")]

To test I have been using "Administrators", which is a valid role so should allow me access, and "TEST", which isn't. This works fine when using the above attribute; however, when I comment that out and use this in my Web.Config file:

<authentication mode="Windows" />
<authorization>
  <allow roles=".TEST"/>
  <deny roles="*"/>
</authorization>

It still allows me access.

So I was wondering if I have just got something wrong in the web.config or whether what I read was wrong saying to use that.

Just for reference this is the post I looked at:

Using Windows Role authentication in the App.config with WCF

and the following is my web.config:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authentication mode="Windows" />
    <authorization>
      <allow roles=".TEST"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service behaviorConfiguration="WcfService1.ServiceBehaviour1" name="WcfService1.Service1">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding"
                  name="BasicHttpEndpoint" contract="WcfService1.IService1">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WcfService1.ServiceBehaviour1">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>

View 1 Replies

Security :: Web.Config Authorization Not Working At All?

Sep 30, 2010

I'm using a Custom Role Provider for authorization.

There are 2 roles: "VIEWER" and "SYSTEM_ADMINISTRATOR".

I have set up my role for my account as "VIEWER".

Roles.GetRolesForUser(this.User.Identity.Name) returns "VIEWER"
User.IsInRole("SYSTEM_ADMINISTRATOR") returns false

Web.Config contains below:

<location path="Administration">
  <system.web>
    <authorization>
      <allow roles="SYSTEM_ADMINISTRATOR"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

However, I can still access the ~/Administration pages.

Even if I change the web.config to:

<location>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

I can still access any of the pages, but I shouldn't be able to access any page when this is set. Correct?

I'm pretty sure my Role Manager is working fine (see above calls to User and Roles), but here's the config:

<roleManager enabled="true" defaultProvider="MyRoleProvider" >
  <providers>
    <clear/>
    <add type="MyNamespace.MyRoleProvider" name="MyRoleProvider"/>
  </providers>
</roleManager>

I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.

View 1 Replies

Security :: Login Authorization In The Web.config?

Jul 2, 2010

Trivial question:

Noticed the following error whilst trawling the logs:

Authorization rule names cannot contain the '*' character

I have the code:

[Code]....

Does that mean I don't need to make any authorisation rules - I had used:

[Code]....

Now - is that completely redundant? Also, is * wrong syntactically?

View 2 Replies






