Re: allow groups with Forms Authentication

From: Brad (nospam_at_co.lane.or.us)
Date: 12/19/03


Date: Fri, 19 Dec 2003 08:16:46 -0800

Your example of
        <allow users="domain\group" />
        <deny users="*" />
Should be
        <allow roles="domain\group" />
        <deny users="*" />

FYI - You can also look at "Configure ASP.NET Settings" of the following
MSDN topic
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch08.asp
It's from the book "Building Secure Microsoft ASP.NET Applications", which I
highly recommend.

Brad

"rmac" <anonymous@discussions.microsoft.com> wrote in message
news:0b9e01c3c638$8d1fb700$a101280a@phx.gbl...
> Brad,
>
> I have tried the method you mentioned. I am not able to
> check the roles. If I put in code on the requested page to
> check for the group I come up empty. Ex:
>
> If context.User.IsInRole("domainname\group") = True Then
>     lblName.Text = "Hello " + Context.User.Identity.Name & "."
> End If
>
> The label text is empty.
>
> If I do this and deny unauthenticated users in the
> web.config:
>
> If Request.IsAuthenticated = True Then
>     lblName.Text = "Hello " + Context.User.Identity.Name & "."
> End If
>
> the label shows the user name.
>
> In my web.config file if I do this:
>
> <allow users="domain\group" />
> <deny users="*" />
>
> I cannot login no matter what account I use.
>
> Am I missing something?
>
> Thanks
> rmac
>
> >-----Original Message-----
> >You would want to change the <deny users="?"> to <deny users="*">
> >Role checks are top down. If the first check passes they're in. In your
> >example any authenticated user would also pass the next test;
> ><deny users="?"> just denies unauthenticated users.
> >By changing to <deny users="*">, if they don't pass the first test they
> >won't get in because the * says deny everyone. They will get a network
> >login dialog box but no matter what they enter into the login dialog it will
> >fail with an access denied....well, this is unless they enter a login that
> >is a member of the group you allow in.
> >
> >Also - If you wanted to provide a "polite" access denied result, i.e. send
> >them somewhere else such as your own error page you could alternately just
> >set <deny users="?"> (removing your current allow test) and then in your
> >global.asax code do a test if the user is in a permitted role else send them
> >somewhere else.
> >
> >Example
> > Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
> >     ' Authenticated but not in the permitted role: redirect, unless the
> >     ' request is already for the no-access page (avoids a redirect loop).
> >     If Request.IsAuthenticated AndAlso Context.User.IsInRole("domainname\group") = False Then
> >         If Request.Url.ToString().IndexOf("mynoaccesspage") < 0 Then
> >             Response.Redirect("mynoaccesspage")
> >         End If
> >     End If
> > End Sub
> >
> >
> >Hope this helps some
> >
> >Brad
> >
> >
> >"rmac" <anonymous@discussions.microsoft.com> wrote in message
> >news:046e01c3c419$9b1afed0$a101280a@phx.gbl...
> >> I am testing forms authentication against Active
> >> Directory. I want to limit access to the site based on
> >> Windows groups. The app is working but it allows anyone
> >> with a domain account access which is undesirable. I
> >> followed the Microsoft KB article 326340. Here is the
> >> entry in my web.config:
> >>
> >> <authorization>
> >> <allow roles="domainname\group" />
> >> <deny users="?" />
> >> </authorization>
> >>
> >> Does anyone know how to accomplish this?
> >>
> >> Thanks
> >> rmac
> >
> >
> >.
> >
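
The top-down, first-match evaluation described in this thread, as an added example that is not part of the original posts: a simplified Python model of ASP.NET `<authorization>` rules, run against the three rule sets discussed above. The principals (`alice`, `bob`) are constructed sample data, and the fall-through to allow assumes the inherited default `<allow users="*" />`.

```python
# Simplified model of ASP.NET URL authorization (added example, not framework code).
import xml.etree.ElementTree as ET

# Assumption: the inherited machine-level default is <allow users="*" />,
# so a request that matches no rule in web.config is allowed.
DEFAULT_ALLOW = True

def _names(rule, attr):
    """Split a comma-separated users/roles attribute; matching is case-insensitive."""
    return [n.strip().lower() for n in rule.get(attr, "").split(",") if n.strip()]

def rule_matches(rule, user, roles):
    """user is None for an anonymous request; roles is the principal's role list."""
    for name in _names(rule, "users"):
        if name == "*":                      # everyone
            return True
        if name == "?":                      # anonymous only
            if user is None:
                return True
        elif user is not None and name == user.lower():
            return True
    have = {r.lower() for r in roles}
    return any(r in have for r in _names(rule, "roles"))

def is_allowed(authorization_xml, user, roles=()):
    """Walk the rules top down; the first matching rule decides."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and rule_matches(rule, user, roles):
            return rule.tag == "allow"
    return DEFAULT_ALLOW

# The three rule sets from the thread, written as well-formed XML.
ORIGINAL = r'<authorization><allow roles="domainname\group" /><deny users="?" /></authorization>'
USERS_ATTR = r'<authorization><allow users="domainname\group" /><deny users="*" /></authorization>'
CORRECTED = r'<authorization><allow roles="domainname\group" /><deny users="*" /></authorization>'

GROUP = r"domainname\group"                  # constructed sample principal data
MEMBER = (r"domainname\alice", [GROUP])
OUTSIDER = (r"domainname\bob", [])

if __name__ == "__main__":
    for label, xml in (("original", ORIGINAL), ("users attr", USERS_ATTR),
                       ("corrected", CORRECTED)):
        print(label, "member:", is_allowed(xml, *MEMBER),
              "outsider:", is_allowed(xml, *OUTSIDER),
              "anonymous:", is_allowed(xml, None))
```

In this model `CORRECTED` admits the group member only when the principal actually carries the role; with an empty role list, which is what a failing `IsInRole` check indicates, the same rule set denies every account.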


