Re: authorization not working correctly...

From: Lorne Brinkman (Lorne@TheRemoveObjectRemoveGuy.com)
Date: 12/23/02 

From: "Lorne Brinkman" <Lorne@TheRemoveObjectRemoveGuy.com>
Date: Mon, 23 Dec 2002 20:34:02 GMT

The AcquireRequestState event does not happen too late in the process.
I think your problem is simply one of ordering... first use allow, then
deny, as in:

<allow roles="Administrators" />
<deny users="*" />

Also, take a look at the HttpModule implemetation for handling role-based
security that I've made available at www.TheObjectGuy.com/rolebasedsecurity

- Lorne

"Howard Dierking" <h.dierking@geac.com> wrote in message
news:eQDnMQqqCHA.1080@TK2MSFTNGP10...
> I have an admin subfolder of my web application. In my config file, I
have
> the following block...
>
> <location path="admin">
> <system.web>
> <authorization>
> <deny users="*"/>
> <allow roles = "Administrators"/>
> </authorization>
> </system.web>
> </location>
>
> I have an HttpModule that hooks into the AcquireRequestState event in the
> processing pipe and restores the roles for a user from the session cache.
>
> As you can guess, this current configuration is not working. When the
deny
> element is in the config file, no users can access the admin subfolder,
and
> when it is not there, all users can access the subfolder.
>
> My guess is either 1) I am missing something in the config files or 2) the
> AcquireRequestState event happens too late in the processing pipe and the
> flag for the FormsAuthenticationModule indicating success or failure has
> already been set. The only problem if my issue is #2 is that I would like
> to cache this data, so if this is the problem, further suggestions as to a
> caching strategy would also be helpful.
>
> TIA,
>
> _howard
>
>