VS 2008 - Restricting Access To Web Pages (on Intranet Site) Based On Role Based Authorization
Jul 12, 2011
I have a simple intranet site. It has a role based authorization in the web.config file.
Any user's in a specific role called as "Apr-Sales-Writers" will be authorized to use those pages. If not, they will not be authorized. So far so good. Works fine. But we added additional functionality where a new active directory group (means new role) has to be added and user's belonging to this new AD group should be given access to only specific .aspx pages on the intranet site. I am using a web.sitemap and it looks like this.
If the user's belong to say AD group "Apr-Sales-Writers", they should access only default.aspx and salesData.aspx pages. User's belonging to new AD group (which I did not include in the web.config file below), should have access to other .aspx pages.
I am having a very simple intranet site. I took the sample for my project from [URL] ....
I have integrated windows authentication with Role based authorization. There are only 3 .aspx pages and I have a tree view control on the master page. depending on the choices that the user's make on the tree view control the .aspx pages gets displayed.
There are only 2 active directory groups. Sales and Marketing. My network id is not in Sales AD group.So obviously it prompts me to put userid and password and it throws not authorized error when i try to access PortfolioData.aspx page. So far so good.
But I am a member of AD group MARKETING. I should be able open the page Schedules.aspx (please see the config file below). But I still get the Error message 401.2.: Unauthorized: Logon failed due to server configuration.
Our team has recently implemented a role permission based authorization so that we can have granular control. This is similar to what Rockford Lhotka suggests herehttp://www.lhotka.net/weblog/PermissionbasedAuthorizationVsRolebasedAuthorization.aspx I have also read about the Claims based authorization which to me looks very similar to what we have. Can some one put in simple terms what the advantages of claims based authorization are.
I have seen articles on Role Based Authorization in MS-Sql server-Asp.net but i did not find any article in MySql-ASP.net/vb.net, i am acheived this concept using session user name i am enabling certain parts of website to group A and certain parts of site to Group B but when i have more groups i cannot use this method.
In Web applications, typically there exist certain parts of the site that only certain folks, or groups of persons can access. For example, imagine Web site used to administer the content on a company's public Internet Web site, where the public Web site lists products sold by the company. From the administrative site, all company employees might be able to make minor changes to the products' descriptions, quantity, and other such non-essential information. However, perhaps only a subset of trusted employees might be able to change the products' prices. And even a smaller subset of employees would be able to add new products or delete existing products from the database I would be delighted if any one provide the solution
i am developing the web application in Asp.net i hav many .aspx pages in the project some of belongs to Admin and some some of to Customer so how can i divide that and how to access admin pages to admin login and customer pages to customer login.
In my asp.net website in VS-2005 with SQL-Server 2005 as db, I need to implement role-based Authentication/Authorization.
I am familiar to the practises used in role-based authentication..as I have previously worked on projects that used this method. However, my project lead used to design the database. Now I have an existing website where authentication has been set to anonymous by setting 'allow users="?"' in the authentication tags in web.config.
If I use the createUserWizard control and use the Membership.creatUser(.....) method in code behind will the asp.net security tables, like users, roles, userinrole etc get created on its own?
I am trying to implement a simple role based authorization using forms authentication in ASP.net. It works perfectly fine in my local system but fails when I deploy in production (shared hosting). Whenever I try to log in, rather than taking me to the default page in specified directory it throws me back to the login page. I suspect that there is some issues with the configuration but not sure where the problem is. The code is provided below:
Web.config (Member directory):
Works fine in local machine but shared hosting is not taking the authenticated user to the pages inside the secured folders. What can be the issue?
I have an asp.net application. This is a role based authorization. Basically, if the user's are in a specific AD group, it should allow them to look at the webpage. Otherwise it should error out saying "not authorized".
In the web.config file, I have the following lines of code. I made sure I am in the Apr-Sales-Writers AD group.
Issue: when I go to default.aspx page, it prompts for a userid and password and even though I put correct password and userid, it says "not authorized error".
Code: Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
In the IIS project (on IIS server), I configured it to be a "Integrated windows authentication".
How to access datas based on user roles in asp.net ? For example : i have two admins (admin1, admin2). In the frontend ,admin1 has full access to datas(view,add,edit,delete all datas) while admin2 has limited access to datas(view,add,edit,delete certain datas alone and not all datas)
I want to display a menu (which will be strongly typed with it's own unique model) across all pages only if a user is logged in.What menu items are available depend on the user's role and also I'll need to hit the repository to get numbers like "x Messages", etc
Been scratching my head for a simple solution here. Don't want to create something that need changes all over the place.All my controllers derive from a BaseController, all my Models from BaseViewModel....probably where I'll be implementing functionality for this.
I have developed an application in ASP.NET 3.5 which utilizes the Membership and Roles Providers and Forms Authentication to manage user access and profiles.
There are various area's of this application that are only to be used by an admin users whom login using their email and password and the rest of the users log in using their telephone number and password via their iPhone.
For simplicities sake, I would like to have two different login pages, one that is formatted for the iPhone and performs the correct validation for users adding a telephone number and the other for the application administrators.
I want to redirect the user to their respective login page based on which folder they are attempting to access. For example say I have an application structure like this
I'm using user membership and roles. Below is my web.config for subfolder restriction.
The way I have above, no one can access this folder, mySub, except Administrators, Editors, and Members. However, here's what I want. I want to allow all and any user to the default.aspx page of this mySub folder and denied any other pages if they're not Administrators, Editors, and Members. One last thing, also denied access to addWord.aspx if they're not Administrators and Editors. I know I can list all the pages and give them various permission but I do not want to list all the pages. What's the best and easist way to accomplish this?
I have implemented role based security in my asp.net 2.0 vb.net application using windows authentication and the windowstokenroleprovider and limiting access to certain pages using the location tag to specific active directory groups.
The issue is that when a user tries to access a page they are not authorized to view it brings up a login prompt and when it does not pass it takes them to the default page that tells them they are not authorized to view the page. I am wondering if there is a way to throw up a custom page that tells them they are not athorized to view the page that I can incorporate into the site itself with the header and so forth? if this page could come up in lieu of the sign in box popping up as well.
I am going through the Security Tutorials here on ASP.Net. I am currently working on the last part of the Membership - User-Based Authorization. The tutorial covers restricting access to specific pages or to directories using a second Web.Config file. I am running into a problem with the myLogin page DestinationPageURL. Here is what is happening: 1. When the website starts, the Login page opens. 2. If I log in with an existing user, I am sent to the Default.aspx page. That is what is in the yLogin.DestinationPageURL for the login page.
An abstract high level idea of where to begin as I am totally clueless at this point.
I am setting up an intranet site (ASP .NET) where users from our local user group (who are also added in our user table) will have access to web applications they are given access to. Right now I am developing from my PC and using SQL Server 2005 Express as the database, but the final site will be hosted on an application server with IIS 6.0 and the database on an instance of SQL Server 2005. I am a .NET newbie and it's a daunting task, but the experience is worth a million dollars.
We are using Windows Athentication for our intranet site. Therefore I am not using ASP .NET's membership data sources. Rather all the user information will be stored in two tables tblEmployee (all employees in my company) and tblUser (all users of the intranet site).
(I have set up these tables and I can change them any time).
What I need to accomplish - When an user goes to the intranet site, I can get his/her domain username. I need to check if this user exists in tblUser (domain username is same as UserID in tblUser). If user exists, we display all the applications he/she has access to, else display a "no access" page.
What are some of the things I need to "learn"? (as I said before, I am a .NET newbie, but a fast learner too) I need to use URLAuthorizationModule for validating a page request. How do I hide the username from the URL? I was thinking along the lines of using a session ID... but then how do I know who the user is? I am sure these is a way to encrypt the UserID, just can't find it.
1) I'm currently working for HR application with security roles
2) for that I created dynamic menu and set data source to sitemapprovider control with "AspNetSqlSiteMapProvider"
Now my client requirement is to change menu's based on drop down selection so that menus will be minimum and quite user friendly.for that I did following steps:-
Created Drop Down contains list of all Roles provided him in Master Page In Menu1_MenuItemDataBound event I grabbed the roles for that node and compared with role selected in drop down and deleted that node now what i need is on drop down_selected index change I want to recreate menu.
How can I implement role based security that would show the admin tab if the user was logged in as a admin by using (ul-li) like the below code as a simple example. I do not want to use the menu control is this possible ?
I have developed an ASP.NET MVC 2 application on Framework 4. I have an 'Administration' link on the home page. My query is, what is the best approach of displaying the 'Administration' link only to the users in the role administrator and hiding it from others keeping in mind the Seperation of Concern bit.
I am building an ASP.NET 3.5 Web Application and I am NOT using the membership provider for security. In the application I have a role named Admin and all the files for this role are inside the Security folder in the project. Currently for all the pages inside the security folder I am checking to see if the logged in user's role is an Admin or not. This to me seems very redundant, can do something like "If the user is requesting a page inside the security folder then check his role".
I want to know how can i redirect a user to a different page when he tries to access a page restricted to another role?
The scenario is as follows:
I have a folder "Gestao" that only allows users in role "Administrator"
If an anonymous user tries to access that folder he is redirected to the login page, but if a logged in user whose role is "friend" tries to access this folder he is also redirected to the login page. I want to redirect him to a page showing a message that he has no permission to access that page/area.
How can I do that? Should i have code on the Page_load event of the login page checking the user role and then redirect him to the correct page? Or is there some otherway to do this?