Re: Role-based authentication and Forms and System.UnauthorizedAccessException
From: Dominick Baier [DevelopMentor] (dbaier_at_pleasepleasenospamdevelop.com)
Date: 08/19/05
- Next message: Dominick Baier [DevelopMentor]: "Re: Rendering in-memory images from UNC file share"
- Previous message: Dominick Baier [DevelopMentor]: "Re: IIS 6 and ASP.NET security"
- In reply to: wrecker: "Role-based authentication and Forms and System.UnauthorizedAccessException"
- Next in thread: wrecker: "Re: Role-based authentication and Forms and System.UnauthorizedAccessException"
- Reply: wrecker: "Re: Role-based authentication and Forms and System.UnauthorizedAccessException"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 18 Aug 2005 23:43:45 -0700
Hello wrecker,
I doubt your code is working fine. In AuthenticateRequest you don't have
access to the Session as the SessionModule runs after this event...
The common approach is to store the roles in the cookie. I have a sample
on my blog for doing this:
http://www.leastprivilege.com/DevWeek2005PostConference.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
> Hi all,
>
> I'm trying to implement role-based authentication for the following
> directory structure in my ASP.NET app.
>
> login.aspx
> Admin/
> Members/
> The web.config in my Admin directory is as follows
>
> <configuration>
>   <system.web>
>     <authorization>
>       <allow roles="Admin"/>
>       <deny users="*"/>
>     </authorization>
>   </system.web>
> </configuration>
> When the user logs in using authentication mode set to Forms, they are
> authenticated against a SQL table and then assigned a role
>
> Dim roles() As String
> If CurrentUser.IsAdministrator Then
>     roles = New String() {"Admin", "Member"}
> Else
>     roles = New String() {"Member"}
> End If
> Where the roles string array is stored in the Session (although I've
> also tried storing it in the cache object as well to try and solve my
> problem)
>
> In Global.asax Application_AuthenticateRequest I have
>
> If (Not (HttpContext.Current.User Is Nothing)) Then
>     If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>         ' explicit cast so this also compiles with Option Strict On
>         Dim id As System.Web.Security.FormsIdentity
>         id = DirectCast(HttpContext.Current.User.Identity, _
>                         System.Web.Security.FormsIdentity)
>         HttpContext.Current.User = New _
>             System.Security.Principal.GenericPrincipal(id, roles)
>         ' roles extracted from session
>     End If
> End If
> My problem is that after a user having Administrator privileges logs
> in and they try to access a page in the Admin directory they get a
> System.UnauthorizedAccessException exception. I've debugged this and
> the roles array does indeed have "Admin" and "Members" in it, but the
> HttpContext.Current.User doesn't seem to contain this information,
> even after assigning it the new principal (I can't find it in any
> fields that are visible to the debugger). I've checked the permissions
> on the directory and the ASP machine account has access to this
> directory. I've been reading quite a few articles on role based
> security (especially the ones from the Rolla guys) and they all seem
> to use this approach. Why is this not working???
>
> My test system is IIS5.1 on XP Pro using version 1.1 of the framework.
>
> Thanks
>
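The approach Dominick recommends, carrying the roles in the forms ticket's UserData and rebuilding the principal in Application_AuthenticateRequest, as an added VB.NET example. This is not code from the thread or from the blog sample linked above; the roles array passed to IssueTicket is assumed to come from the poster's own SQL check, and the Secure flag assumes the site is served over HTTPS.

```vb
' Added example: roles travel in the encrypted forms ticket, not in Session,
' because Session is not yet populated when AuthenticateRequest fires.
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class RoleTicketHelper

    ' login.aspx, after the SQL lookup succeeded: issue a ticket whose
    ' UserData holds the comma-separated role names. FormsAuthentication.Encrypt
    ' signs and encrypts it with the machineKey (protection="All"), so a client
    ' cannot add "Admin" to its own cookie.
    Public Shared Sub IssueTicket(ByVal userName As String, ByVal roles() As String, _
                                  ByVal response As HttpResponse)
        Dim userData As String = String.Join(",", roles)
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), False, userData)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.Secure = True   ' assumption: the application runs over HTTPS
        response.Cookies.Add(cookie)
        response.Redirect(FormsAuthentication.GetRedirectUrl(userName, False))
    End Sub

    ' Called from Application_AuthenticateRequest. The FormsAuthenticationModule
    ' has already decrypted the ticket into a FormsIdentity by this point, so
    ' the roles are available without touching Session.
    Public Shared Sub AttachRoles(ByVal ctx As HttpContext)
        If ctx.User Is Nothing OrElse Not ctx.User.Identity.IsAuthenticated Then Return
        If Not TypeOf ctx.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = DirectCast(ctx.User.Identity, FormsIdentity)
        Dim roles() As String = ParseRoles(id.Ticket.UserData)
        ctx.User = New GenericPrincipal(id, roles)
    End Sub

    ' Empty UserData must yield an empty role set, not {""}: a principal
    ' built from {""} would answer IsInRole("") with True.
    Public Shared Function ParseRoles(ByVal userData As String) As String()
        If userData Is Nothing OrElse userData.Trim().Length = 0 Then
            Return New String() {}
        End If
        Return userData.Split(","c)
    End Function
End Class

' Global.asax wiring:
'
' Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
'     RoleTicketHelper.AttachRoles(HttpContext.Current)
' End Sub
```

The UrlAuthorizationModule that evaluates the `<allow roles="Admin"/>` rule in Admin/web.config runs after AuthenticateRequest, so the GenericPrincipal assigned here is what `IsInRole("Admin")` is checked against. One caveat to keep in mind with ticket-borne roles: they are a snapshot taken at login, so removing a user's Admin role in the database does not take effect until the ticket expires or is reissued; keep the ticket lifetime short rather than relying on a long-lived cookie.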