Re: authorization not working correctly...

From: Lorne Brinkman (Lorne@TheRemoveObjectRemoveGuy.com)
Date: 12/23/02


From: "Lorne Brinkman" <Lorne@TheRemoveObjectRemoveGuy.com>
Date: Mon, 23 Dec 2002 20:44:52 GMT


Actually, I need to correct myself... the AcquireRequestState does happen
too late to set the roles for a user. I use that event in order to set up a
dependency by which I can detect the end of a Session -- for cleaning up
cached roles.

In any case, check out the stuff I've made available online:
www.TheObjectGuy.com/rolebasedsecurity

- Lorne

"Lorne Brinkman" <Lorne@TheRemoveObjectRemoveGuy.com> wrote in message
news:_qKN9.12279$P36.243530@twister.rdc-kc.rr.com...
> The AcquireRequestState event does not happen too late in the process.
> I think your problem is simply one of ordering... first use allow, then
> deny, as in:
>
> <allow roles="Administrators" />
> <deny users="*" />
>
> Also, take a look at the HttpModule implementation for handling role-based
> security that I've made available at www.TheObjectGuy.com/rolebasedsecurity
>
> - Lorne
>
>
> "Howard Dierking" <h.dierking@geac.com> wrote in message
> news:eQDnMQqqCHA.1080@TK2MSFTNGP10...
> > I have an admin subfolder of my web application. In my config file, I have
> > the following block...
> >
> > <location path="admin">
> > <system.web>
> > <authorization>
> > <deny users="*"/>
> > <allow roles = "Administrators"/>
> > </authorization>
> > </system.web>
> > </location>
> >
> > I have an HttpModule that hooks into the AcquireRequestState event in the
> > processing pipe and restores the roles for a user from the session cache.
> >
> > As you can guess, this current configuration is not working. When the deny
> > element is in the config file, no users can access the admin subfolder, and
> > when it is not there, all users can access the subfolder.
> >
> > My guess is either 1) I am missing something in the config files or 2) the
> > AcquireRequestState event happens too late in the processing pipe and the
> > flag for the FormsAuthenticationModule indicating success or failure has
> > already been set. The only problem if my issue is #2 is that I would like
> > to cache this data, so if this is the problem, further suggestions as to a
> > caching strategy would also be helpful.
> >
> > TIA,
> >
> > _howard
> >
> >
>
>
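
Added example, not part of the thread and not the code published at the URL above: a sketch of an HttpModule that attaches roles in AuthenticateRequest, which runs before the `<authorization>` rules are checked, and caches them in the application cache because Session is not yet available at that stage. `RoleModule`, `LoadRolesFromStore`, the cache key format and the 20-minute sliding expiration are assumptions made for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

// Added illustration; RoleModule and LoadRolesFromStore are hypothetical names.
public class RoleModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthenticateRequest fires before AuthorizeRequest, where the
        // <allow>/<deny> rules are evaluated against Context.User.
        app.AuthenticateRequest += new EventHandler(OnAuthenticateRequest);
    }

    private void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return; // anonymous request: the <deny> rule handles it

        // Session state is acquired later (AcquireRequestState), so the
        // roles are cached per user name in the application cache instead.
        string key = "roles:" + ctx.User.Identity.Name; // assumed key format
        string[] roles = (string[])ctx.Cache[key];
        if (roles == null)
        {
            roles = LoadRolesFromStore(ctx.User.Identity.Name);
            ctx.Cache.Insert(key, roles, null,
                Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(20));
        }

        // Replace the principal so the role check in <allow roles="..."/>
        // sees the restored roles.
        ctx.User = new GenericPrincipal(ctx.User.Identity, roles);
    }

    // Placeholder lookup: replace with the application's own role store.
    private static string[] LoadRolesFromStore(string userName)
    {
        return new string[0];
    }

    public void Dispose() { }
}
```

Remove the cache entry on sign-out or when a user's roles change; otherwise a revoked role stays effective until the entry expires.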