Re: secure paths in web.config file
From: Javier Miranda (jamiranda@lycos.com)
Date: 03/20/03
- Next message: chn: "How to use md5 ??"
- Previous message: Javier Miranda: "Re: Custom Permission"
- In reply to: Terry: "Re: secure paths in web.config file"
- Next in thread: Terry: "Re: secure paths in web.config file"
- Reply: Terry: "Re: secure paths in web.config file"
From: "Javier Miranda" <jamiranda@lycos.com> Date: Wed, 19 Mar 2003 21:08:49 -0400
I have tried changing the application mapping to the application directory.
ASP file access redirects fine if I am not authenticated, but the page itself
gives me an error. I will continue searching how to do that. Meanwhile
take a look at this:
http://www.dotnetcoders.com/web/Articles/ShowArticle.aspx?article=43
"Terry" <NTuser_Man@msn.com> wrote in message
news:55ea4867.0303190951.5271b9b0@posting.google.com...
> Javier,
>
> My situation is that I'm managing an intranet site for several
> departments and sub contractors to the company. I have to accept
> content from the various departments and their web developers have
> different skill sets. Not all of them are on board with .Net. Hence
> the classic ASP creeping in.
>
> My users are not all on the corporate domains so my site requires
> simple forms authentication. I store user roles as a comma separated
> string in the user data area of the forms authentication ticket. For
> my classic asp documents I decided to have my login script also write
> the user data string to a classic asp cookie.
>
> My ASPX documents will use a function in the
> Application_AuthenticateRequest area of my global.asax to split the
> user data for use with the GenericPrincipal. Here is how it goes:
>
> <%@ Import Namespace="System.Security.Principal" %>
>
> <SCRIPT language="VB" runat="server">
>
> Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
>     If (Not (HttpContext.Current.User Is Nothing)) Then
>         If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>             Dim id As FormsIdentity
>             Dim tkt As FormsAuthenticationTicket
>             id = CType(HttpContext.Current.User.Identity, FormsIdentity)
>             tkt = id.Ticket
>             Dim authcookie As HttpCookie
>             authcookie = Request.Cookies(FormsAuthentication.FormsCookieName)
>             tkt = CType(FormsAuthentication.Decrypt(authcookie.Value), FormsAuthenticationTicket)
>             ' Roles travel as a comma-separated string in the ticket's user data
>             Dim strUserData As String = tkt.UserData
>
>             Dim role() As String = Split(strUserData, ",")
>
>             ' Attach the roles to the current request
>             Dim principal As New GenericPrincipal(id, role)
>             Context.User = principal
>         End If
>     End If
> End Sub
>
> </SCRIPT>
>
>
> Page level user authentication is very simple after that.
>
> For my classic asp documents I use a function from an include and a
> page level test:
>
> <%
> 'Function from include
> strRole = Request.Cookies("USERcookie")("strRole")
>
> Dim arrRole
> arrRole = Split(strRole, ",")
>
> 'Returns True when thistest is one of the roles in arrRole
> Function CheckRole(thistest)
>     Dim i
>     CheckRole = False
>     For i = 0 To UBound(arrRole)
>         If arrRole(i) = thistest Then
>             CheckRole = True
>         End If
>     Next
> End Function
>
> LoginID = Request.Cookies("UserDatacookie")("LoginID")
> UserID = arrRole(0)
> LoginGroup = arrRole(1)
>
> %>
>
>
> <!--#INCLUDE VIRTUAL = "/Components/function.inc"-->
> <%
> 'Check on the page:
> If Not (CheckRole("Developer") And CheckRole("Admin")) Then
>     Response.Redirect("http://home/Login.aspx")
> End If
> %>
>
> Well, that's my off the cuff work around. My task is simplified by
> being on an intranet with no connection to the Internet.
>
> My coding is all "learn by doing" so I'm sure there is a better way to
> handle this sort of thing.
>
> --Terry
>
> "Javier Miranda" <jamiranda@lycos.com> wrote in message
> news:<eLAM86Y7CHA.1808@TK2MSFTNGP11.phx.gbl>...
> > You are right; ASP.NET secures only registered ASP.NET ISAPI extensions.
> > ASP files are NOT handled by ASP.NET, but by IIS. I have not tried to
> > configure ASP.NET to handle ASP pages, but let us know how it works for
> > you.
> > Hope it helps!
> >
> >
> >
> > "Terry" <NTuser_Man@msn.com> wrote in message
> > news:55ea4867.0303180816.60bc3681@posting.google.com...
> > > Howdy,
> > >
> > > The secure paths in my web.config file prevent users from loading aspx
> > > documents without first logging in. However the secure paths do not
> > > prevent users from loading asp documents without first logging in. Is
> > > that how the secure paths are supposed to work or am I doing something
> > > incorrectly?
> > >
> > > Thanks,
> > >
> > > --Terry
> > >
> > > Attached: samples from my web.config file.
> > >
> > > <!-- This one works as expected. -->
> > > <location path="Administrator/default.aspx">
> > >   <system.web>
> > >     <authorization>
> > >       <allow roles="Admin, Developer" />
> > >       <deny users="*" />
> > >     </authorization>
> > >   </system.web>
> > > </location>
> > >
> > > <!-- This one lets users in without first logging in. -->
> > > <location path="Administrator/default.asp">
> > >   <system.web>
> > >     <authorization>
> > >       <allow roles="Admin, Developer" />
> > >       <deny users="*" />
> > >     </authorization>
> > >   </system.web>
> > > </location>
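
Added example, not part of the original thread or any poster's configuration: the `<location>` rule for `Administrator/default.asp` is ignored because the ASP.NET authentication and authorization modules only see requests routed to ASP.NET. Assuming IIS 7 or later with the application pool in integrated pipeline mode (newer than the servers in this thread), the same modules can be re-registered without the `managedHandler` precondition so the rule is enforced for classic ASP requests too; the `loginUrl` value is an assumption taken from the redirect in Terry's page check.

```xml
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- loginUrl is assumed; the thread only shows a redirect to /Login.aspx -->
      <forms loginUrl="/Login.aspx" />
    </authentication>
  </system.web>

  <!-- The rule from the question, unchanged. It is evaluated by
       UrlAuthorizationModule, so it only protects requests that
       module actually runs for. -->
  <location path="Administrator/default.asp">
    <system.web>
      <authorization>
        <allow roles="Admin, Developer" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <modules>
      <!-- Server default (weak for mixed content): each of these modules is
           registered with preCondition="managedHandler", so .asp, .htm and
           other non-ASP.NET requests skip them entirely.
           Corrected: remove and re-add with no preCondition so they run
           for every request in the application. -->
      <remove name="FormsAuthentication" />
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization"
           type="System.Web.Security.UrlAuthorizationModule" />
      <remove name="DefaultAuthentication" />
      <add name="DefaultAuthentication"
           type="System.Web.Security.DefaultAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>
```

The `roles` rule still depends on the role principal being attached to the request, as the `Application_AuthenticateRequest` handler in the thread does for ASPX pages; if no roles are attached, `<deny users="*" />` rejects the request rather than letting it through.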