Roles Authentication Works Using Authorization Attribute But Not Via Authorization In Web.config?

Mar 29, 2011

I am using ASP.NET MVC 3 and am trying to do something that should be really straight forward...

My application uses Forms authentication and that is working perfectly for controllers/actions. For example if I decorate either a controller or an action with the attribute below only members of the administrators group can view them:


However I have a folder under the default Scripts folder called Admin. I only want members of the Administrators group to be able to access scripts within this directory so I created a new web.config in the directory with the following inside:


However no matter whether a user is a member of the Administrators group or not they receive a 302 Found message and are then redirected to the login page.

If I change the web.config to allow user="*" then it works. It also works if I add an allow users="Username" for a specific user I am testing with.

View 1 Replies

Similar Messages:

Requiring Multiple Roles In Web.config Authorization?

Apr 29, 2010

Is it possible to specify that multiple roles are required inside the authorization element of the web.config file? I currently have this block in one web.config of my site for a specific directory:

<allow roles="Global, Region" />
<deny users="*" />

I've just identified a special case where a person with two lower-level permissions than Global and Region should also have access to this directory. Roughly, I want something like this:

<allow roles="GlobalManager, RegionManager, SiteManager && FooSite" />
<deny users="*" />

I realize I probably should have a new role for this scenario, but I'd like to avoid that.

View 1 Replies

Security :: Web.config Authorization Roles With Local Groups With Domain Groups In Them

Sep 29, 2010

I am "DomainMyDomainUserName" If I do this:


I can access the website I've created on my local machine in debug mode; and with my domain account as a local administrator, if I do this:


I can still access the website; and with my domain account in a Domain Group named "DomainDomainLocalSecurityGroup", if I do this:


I can still access the website; HOWEVER, if I create a Local Group on my machine named "LocalMachineGroup" and I add "DomainMyDomainUserName" to this group and I do this:


I get an Access Denied error trying to access the website. What I want to do is, have a group on my local machine (for testing), on a test web server, and on a production web server named "MyWebsiteUserAccess" with the same Domain Group (filled with Domain Users allowed access to the site) in all of these local groups; so that when I test the web application on my local machine, on my test web server and on my production web server, I don't have to change the Web.config file to have it work on each AND if the Domain Group name ever has to change, it won't affect access to the website.

What am I overlooking or is this even possible to do this way? I understand that there is a way to do Role Management through ASP.NET but I don't understand that well enough yet to implement that (and will probably go that route once I've done the research on how to best implement it for purpose of access control of this intranet site).

View 2 Replies

Authorization - Why Does Authorization Boot The User To The Login Screen

Jun 28, 2010

When a user attempts to directly visit the url admin.aspx, and they are not an admin, they are redirected to the login page. However, the user then attempts to visit ViewWeek.aspx, it indicates that they are still logged in. Why does this ASP.NET authorization boot the user to the login screen, yet keep the user logged in? I'd rather it just direct the user to the default URL specified in the forms tag.

Here's my Forms Authentication:

<authentication mode="Forms">
<forms name=".ASPXFORMSAUTH" defaultUrl="ViewWeek.aspx" timeout="50000000" />

View 1 Replies

MVC :: Security Trimming/Roles Authorization?

Feb 28, 2011

We're writing an app that has a requirement for allowing/disallowing access based on user role.In a traditional .net app of course you set the security trimming attribute in the web.config and set the nodes in the web.sitemap file and you were set.

View 2 Replies

MVC :: Bit Lost On First Custom Authorization Attribute?

Mar 2, 2010

I want to create a single custom authorization attribute to be added to controller actions that require authenticated users.

My first shot at this, so I may have it all wrong

Got 3 Roles which corresponds to 3 Areas in my application (Client app, so I'll just call them RoleOne, RoleTwo, RoleThree and AreaOne, AreaTwo, AreaThree).

Each area have similiar (to a point) views and actions, like Sign Up, Area specific home, etc.

In the attribute I want to determine the current area, controller and action. Then I just add code like:

If not logged in, and in AreaOne, go to AreaOne Signup (etc)If logged in as RoleOne, and AreaOne Home is requested, go there, but if AreaTwo Home is requested ,go to AreaTwo Signup So in my attribute class I need to determine the current area, controller and action, and see what kind of user we have logged in (if any)

Using ActionExecutingContext it seems I can determine the contoller and action method names, however I cannot find the Area name, and altered the attribute to be called like this:


View 4 Replies

Authorization - How To Handle Membership Levels With Roles

Mar 21, 2011

I am building a subscription based web site, which currently has three subscription levels, i.e. Horses, Soccer, and Horses and Soccer. I was thinking of implementing standard role based authorization, where a Horses subscriber would get roles including those to use the Horses section, etc.

Should I use a standard role provider, and when a member subscribes to the site, assign roles for his subscription to him, or use a hierarchical role provider, that when asked for the roles for a member, only then uses the member's subscription level to 'calculate' a set of roles for the member.

View 2 Replies

MVC :: 3 Hyperlink - Implement Roles Authorization On ActionLinks?

Mar 14, 2011

Is there to implement roles authorization on those ActionLinks?

View 5 Replies

Security :: Roles Setup And Authorization Tutorial?

Aug 12, 2010

Where can I find a good tutorial on setting up roles and authorizing them? I'm using Windows Authentication for an intra-net based app and need to figure out how to grant the users access to the various pages.

View 5 Replies

Security :: Authorization Against Roles And Additional Info?

Oct 21, 2010

I'm trying to use a custom Principal (with custom Identity) for security. This all works fine for logging in, out etc. I am now trying to limit access to unauthorised users within my code as follows:


Again, all is fine there. Except I need some more complicated rules, something along the lines of "Allow Admins. Allow Buyers, provided they have the correct department ID and are allowed to see this customer's credentials". All of that information exists within a database.

View 2 Replies

Security :: Get The Website To Authorization Via The WCF Service And Membership - Roles And Profile

Jan 16, 2010

I have a client website that uses ASP.Net Membership, Roles and Profile providers and Login controls. I need to expand the application so was going to use WCF Workflows, the ASP.Net website will be hosted on a different server than the WCF Services so what I want to do is get the ASP.Net Website to auth via the WCF Service. So process will go:

ASP.Net Website ------------------> WCF Service ------------------> SQL Database (Membership, Roles, Profile, Workflow Persistence Data and Business Data)

I tried creating a custom Membership and Role providers but I have had problems managing the users (Membershipuser class) saying null when a vaild user has been return by the WCF Service as can access the properies but not the methods.

View 5 Replies

MVC :: Custom Authorization Attribute Throws Security Exception

Mar 4, 2010

I have a custom authorization attribute, that basically check if the current user's role is equals to the current area name, and if not, redirect them to the signup view in that requested area. (dummy role provider at this this stage, therefor check it against the user's name at the moment)

It runs fine (IIS) but when I debug it I can see a Security Exception are being thrown by the code

The code:


View 2 Replies

C# - How To Do Authorization And Authentication

Jan 31, 2011

was wondering how do I make it so when a user goes to a page its only displayed if he is logged in and secure, but if he is not logged in he is redirected to the login page?

View 4 Replies

Authorization And Authentication?

Apr 3, 2011

Iam using forms authentication in Application,i want to make pages accessible depending upon roles defined in database. for eg there are three rolesdefined in database salary admin, manager, Clerk. i want a page salary.aspx can be accessed only by salary admin and not any other roles.

View 1 Replies

IIS Ignores Authorization In Web.config?

Sep 2, 2010

I have a problem using windows authentication and the authorization-tag in web.config for my application. When I host the application in IIS (both in IIS 6 and IIS 7) the authorization-tag is ignored. When I run the application in development server that comes with visual studio 2010, it works perfect.

Why will it not work in IIS? And how to solve it?


View 1 Replies

Authentication And Authorization Options?

Sep 4, 2010

I have the usual requirement of implementing Authentication and Authorization. I used to implement it using custom code where I have Users, Roles, Role_Pages, User_Pages, and User_Roles. So this way we can give a certain user roles (that group multiple pages) and/or directly define access to certain pages. All that with the ability to specify fine grained permissions like the ability to Add/Edit/Delete records in those pages.

My question: How easy is it to implement this using Forms Authentication and what advantage does that give over implementing a custom solution. I am also concerned with knowing if there would be any advantage when it comes to securing from session hijacking and against spoofing where an attacker could replay requests and impersonate legit users. Would Forms Authentication have any advantage there, or is it only SSL that can secure against that (which makes both approaches equal in that regard).

View 2 Replies

Security :: Authentication And Authorization?

Apr 21, 2010

What is the authentication mode available in ASP.NET? How do you set authentication mode in the ASP.NET application? How do you provide secured communication in ASP.NET? List out the difference between windows authentication and form authentication. ?

View 3 Replies

Forms Authentication And Authorization?

Feb 16, 2010

'm using Visual studio 2005 with C# on .NET framework 2.0.. I am implementing forms authentication in this project but the problem is when I'm on registration form ( outside login) and try to open any window on that form using java script (window. open) it redirects me to login page. How should i tackle this problem?

View 1 Replies

Web.config - Wildcards In Location And Authorization?

Dec 7, 2010

In my ASP.Net application I'm using URL routing.

The url format is somewhat like: [URL] To allow users to visit the login and recovery page, I've added the following entries to my web.config:


Is there a form of notation so that I can skip the en-GB part and replace it with a wildcard? I want the login and recovery page etc. to be available regardless of the culture.

View 3 Replies

Web.config - How To Combine The Authorization Rules

Jan 28, 2010

I have the following authorization rules in my web.config:


Except for the path attribute these two rules are the same. Is there a way to combine these two rules into one like path = Register.aspx, ForgotCredentials.aspx.

View 3 Replies

Using Multiple Authorization Elements In Web.config?

Feb 4, 2011

Is it possible to use multiple authorization elements in a single web.config to allow additional users access to one file?

E.g., I would like to allow User1 access to the whole application (including Page1.aspx), and User2 access to only Page1.aspx:


View 2 Replies

Web Config - How To Apply The Authorization In Two Different Folders

Feb 18, 2011

I have two folders in my website namely VENDORS and ADMIN

i want when any user access any of the page inside the ADMIN folder it redirects to Admin/login.aspx until they login ....

i want when any user access any of the page inside the VENDORS folder it redirects to Vendors/login.aspx until they login ....

How to do that using web.config authorization ....

View 2 Replies

.net - Cannot Set Authorization Rules In Web.config For WCF Service

Feb 9, 2011

I read on a post that you can use ASP.Net authorization in the web config to control access to a WCF web service to replace the following attribute:

[PrincipalPermission(SecurityAction.Demand, Role="Administrators")]

To test I have been using "Administrators" which is a valid role so should allow me access and "TEST" which isnt. This works fine when using the above attribute however when I comment that out and use this in my Web.Config file:

<authentication mode="Windows" />
<allow roles=".TEST"/>
<deny roles="*"/>

It still allows me access.

So I was wondering if I have just got something wrong in the web.config or whether what I read was wrong saying to use that.

Just for reference this is the post I looked at:

Using Windows Role authentication in the App.config with WCF

and the following is my web.config:

<?xml version="1.0"?>
<compilation debug="true" targetFramework="4.0" />
<authentication mode="Windows" />
<allow roles=".TEST"/>
<deny users="*"/>
<binding name="BasicHttpEndpointBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
<service behaviorConfiguration="WcfService1.ServiceBehaviour1" name="WcfService1.Service1">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpEndpointBinding"
name="BasicHttpEndpoint" contract="WcfService1.IService1">
<dns value="localhost"/>
<behavior name="WcfService1.ServiceBehaviour1">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
<modules runAllManagedModulesForAllRequests="true"/>

View 1 Replies

Security :: Web.Config Authorization Not Working At All?

Sep 30, 2010

I'm using a Custom Role Provider for authorization.

There are 2 roles: "VIEWER" and "SYSTEM_ADMINISTRATOR".

I have set up my role for my account as "VIEWER".

Roles.GetRolesForUser(this.User.Identity.Name) returns "VIEWER"
User.IsInRole("SYSTEM_ADMINISTRATOR") returns false

Web.Config contains below:

<location path="Administration">
<deny users="*"/>

However, I can still access the ~/Administration pages.

Even if I change the web.config to:

<deny users="*"/>

I can still access any of the pages, but I shouldn't be able to access any page when this is set. Correct?

I'm pretty sure my Role Manager is working fine (see above calls to User and Roles), but here's the config:

<roleManager enabled="true" defaultProvider="MyRoleProvider" >
<add type="MyNamespace.MyRoleProvider" name="MyRoleProvider"/>

I'm testing this on my local dev environment using Cassini and on a test web server running IIS 6. Both systems/sites work the same way and allow anyone access to any page. Both systems/sites also return correct data when programmatically checking Roles.GetRolesForUser and User.IsInRole.

View 1 Replies

Security :: Login Authorization In The Web.config?

Jul 2, 2010

Trivial question:

Noticed the following error whilst trawling the logs:

Authorization rule names cannot contain the '*' character

I have the code:


Does that mean I don't need to make and authorisation rules - I had used:


Now - is that completely redundant? Also, is * wrong syntactically?

View 2 Replies

Copyrights 2005-15, All rights reserved