securing directories with role-based forms authentication

From: tafs7 (tafs7_at_yahoo.com)
Date: 04/30/04


Date: 30 Apr 2004 07:24:00 -0700

I have an ASP.NET application that uses forms authentication. I
rolled my own CustomPrincipal class for role-based authentication, and
wired the Application_AuthenticateRequest() event on my global.asax.
All is working great.
 
Now my new requirement is that I make a role on my SQLServer db that
is a "low level" user. This role will only have access to ONE
specific folder on my application, and nothing else outside of it.
Other roles can access other folders including this one. I should
also note that there is no anonymous access on this application.
Everything is password protected, so when the first request fires, the
user is automatically redirected to the login page, then, once
authenticated, he/she is taken to the default.aspx on the root.
 
Everyone uses the same login page, but if the user name is in the
"low-level" role, I need to automatically redirect to the special
folder, while all other users get taken to my root's default.aspx (if
no other return url string is specified).
 
This is a snippet of my web.config on the root directory:
<authentication mode="Forms">
  <forms name=".ELITECTSUSERAUTH" loginUrl="~/login.aspx"
     protection="All"
     timeout="30"
     slidingExpiration="true"
     path="/" />
</authentication>
<authorization>
  <deny users="?" roles="5" /> <!-- Deny anonymous users and low-level roles -->
  <allow users="*" />
</authorization>
 
As you can see, this denies access to anonymous users and users in the
role "5", which is my "low-level" user.
So the question is this: (1) how to make the application kick the
low-level user to the special folder once he/she is authorized and a
principal has been generated for them, without ever going to the root
default.aspx.
 
I also thought I should include either a location section in my root
web.config that allows role 5 into the special folder, or add a new
web.config to that special folder allowing authenticated users and all
roles, overriding the root web.config.
 
Does anybody have any suggestions for this problem?
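One way to do what the post asks, as an added example that is not the poster's code: the login page issues the forms ticket, stores the user's roles in the ticket's UserData, and then picks the landing page by role, while Global.asax rebuilds the principal from the ticket so UrlAuthorizationModule can evaluate the role rules in web.config. The folder name "lowlevel", the control names UserName/Password/Message, the RoleRedirect class and the in-memory Accounts table (standing in for the poster's SQL Server lookup, with constructed sample users) are all assumptions; the poster's CustomPrincipal is replaced here by GenericPrincipal. The ReturnUrl query parameter is treated as untrusted input and only honoured when it points inside the application.

```csharp
// Added example, not code from the original post. Assumed names:
// RoleRedirect, LowLevelFolder "lowlevel", the Accounts table, and the
// page/control names below. Targets ASP.NET 1.x (no login controls).
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class RoleRedirect
{
    public const string LowLevelRole = "5";          // the "low-level" role from the post
    public const string LowLevelFolder = "lowlevel"; // assumed folder that role may use

    // Pick the landing page for a freshly authenticated user.
    // appPath is Request.ApplicationPath ("/" for a root application).
    public static string PostLoginUrl(string[] roles, string returnUrl, string appPath)
    {
        string root = appPath.TrimEnd('/');   // "" for a root application
        if (Array.IndexOf(roles, LowLevelRole) >= 0)
        {
            // Role 5 never lands on the root default.aspx. The redirect is a
            // convenience; <deny roles="5"> in the root web.config is what
            // actually keeps them out of everything outside the folder.
            return root + "/" + LowLevelFolder + "/default.aspx";
        }
        if (IsLocalPath(returnUrl, root + "/"))
            return returnUrl;
        return root + "/default.aspx";
    }

    // ReturnUrl comes from the query string, so it is untrusted. Accept only
    // paths inside this application; reject "//host/...", "http://..." and
    // paths belonging to another application on the same server.
    public static bool IsLocalPath(string url, string appPrefix)
    {
        if (url == null || url.Length < 2) return false;
        if (url[0] != '/') return false;
        if (url[1] == '/' || url[1] == '\\') return false;
        return url.StartsWith(appPrefix);
    }
}

// Code-behind for login.aspx (the loginUrl in the <forms> element).
public class LoginPage : System.Web.UI.Page
{
    protected System.Web.UI.WebControls.TextBox UserName;
    protected System.Web.UI.WebControls.TextBox Password;
    protected System.Web.UI.WebControls.Label Message;

    // Constructed sample accounts standing in for the SQL Server user table.
    // Values are "password|role"; a real store holds salted password hashes.
    static readonly Hashtable Accounts = new Hashtable();
    static LoginPage()
    {
        Accounts["alice"] = "alice-pw|admin";
        Accounts["bob"] = "bob-pw|5";
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string entry = Accounts[UserName.Text] as string;
        if (entry == null || entry.Split('|')[0] != Password.Text)
        {
            Message.Text = "Login failed."; // same message for unknown user and bad password
            return;
        }
        string[] roles = new string[] { entry.Split('|')[1] };

        // Issue the ticket under the cookie name from <forms>; roles travel in
        // UserData so Application_AuthenticateRequest need not hit the database.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, UserName.Text, DateTime.Now, DateTime.Now.AddMinutes(30),
            false, String.Join(",", roles));
        Response.Cookies.Add(new HttpCookie(FormsAuthentication.FormsCookieName,
                                            FormsAuthentication.Encrypt(ticket)));

        string target = RoleRedirect.PostLoginUrl(
            roles, Request.QueryString["ReturnUrl"], Request.ApplicationPath);
        Response.Redirect(target, true);
    }
}

// Global.asax: rebuild the principal on every request so the roles attribute
// in <allow>/<deny> can be evaluated against this user.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; } // tampered or stale cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;
        Context.User = new GenericPrincipal(new FormsIdentity(ticket),
                                            ticket.UserData.Split(','));
    }
}
```

For the folder itself, either of the two options in the post works; the root-level form is a location element in the root web.config such as <location path="lowlevel"><system.web><authorization><deny users="?" /><allow roles="5" /><allow users="*" /></authorization></system.web></location>. ASP.NET evaluates the rules of the most specific location first and then the parent rules, so the folder's allow for role 5 is matched before the root deny for role 5, and the deny for "?" keeps the folder closed to anonymous users. Because the roles are carried in the ticket, a role change in the database only takes effect at the user's next login, which is fine for the 30-minute sliding timeout in the posted <forms> element.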
