authorization problems
From: Sascha Ellerhoff (sellerhoff@itbnet.de)
Date: 11/28/02
- Next message: Pierre Bisaillon: "Re: WWW-Authenticate"
- Previous message: nu-k-ar: "Re: Design for ASP.Net w/ ComponentServices"
- Next in thread: Jason Chiu: "Re: authorization problems"
- Reply: Jason Chiu: "Re: authorization problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Sascha Ellerhoff" <sellerhoff@itbnet.de> Date: Thu, 28 Nov 2002 09:59:29 +0100
hello newsgroup!
I try to have a secure web. I use the asp.net security feature 'forms
authentification' and the 'url authorization'
forms authenfication does a correct job with cookies etc. But I think
authorization caused problems.
Situation:
i have a public web site with secure subdirs.
If a user choose one of the secure dirs the login.aspx will open. this is
right.
user with correct credentials and rights to enter the directory will
redirect to the right website.
problem:
User with correct credentials but without rights do NOT get http 401 access
denied message.
(In MSDN of Microsoft it is descibed that user will get this error)
Instead of this users will stay authenficated (but without autorization) on
login page with no information what happend.
Question: Does the authorization act wrong? Has my configuration in
web.config mistakes?
web.config:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<compilation defaultLanguage="vb" debug="true" />
<customErrors mode="Off" />
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<authentication mode="Forms">
<forms path="/" name="WeckeAuth" loginUrl="login.aspx">
<credentials passwordFormat="Clear">
<user name="admin1" password="geheim" />
<user name="admin2" password="geheim" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="*" />
</authorization>
</system.web>
<location path="admindir1">
<system.web>
<authorization>
<allow users="admin1" />
<deny users="*" />
</authorization>
</system.web>
</location>
<location path="admindir2">
<system.web>
<authorization>
<allow users="admin2" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>
only admin1 has access zu admindir1
only admin2 has access zu admindir2
If admin2 use his credentials in admindir1 he does not get an error message.
he stay on login page.
Does someone know my problem?
Is the protection of the subdirs wrong?
thx 4 help
Sascha
- Next message: Pierre Bisaillon: "Re: WWW-Authenticate"
- Previous message: nu-k-ar: "Re: Design for ASP.Net w/ ComponentServices"
- Next in thread: Jason Chiu: "Re: authorization problems"
- Reply: Jason Chiu: "Re: authorization problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
