authorization not working correctly...

From: Howard Dierking (h.dierking@geac.com)
Date: 12/23/02


From: "Howard Dierking" <h.dierking@geac.com>
Date: Mon, 23 Dec 2002 10:55:16 -0600


I have an admin subfolder of my web application. In my config file, I have
the following block...

<location path="admin">
 <system.web>
  <authorization>
   <deny users="*"/>
   <allow roles = "Administrators"/>
  </authorization>
 </system.web>
</location>

I have an HttpModule that hooks into the AcquireRequestState event in the
processing pipe and restores the roles for a user from the session cache.

As you can guess, this current configuration is not working. When the deny
element is in the config file, no users can access the admin subfolder, and
when it is not there, all users can access the subfolder.

My guess is either 1) I am missing something in the config files or 2) the
AcquireRequestState event happens too late in the processing pipe and the
flag for the FormsAuthenticationModule indicating success or failure has
already been set. The only problem if my issue is #2 is that I would like
to cache this data, so if this is the problem, further suggestions as to a
caching strategy would also be helpful.

TIA,

_howard