Re: Role-based authentication and Forms and System.UnauthorizedAccessException

From: Pat (naijacoder_at_hotmail.com)
Date: 08/29/05


Date: Mon, 29 Aug 2005 17:01:07 +1000

But has it changed in ASP.NET 2.0?

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com>
wrote in message news:766747632601259878413456@news.microsoft.com...
> Hello wrecker,
>
> in 1.1 - FormsAuth is totally dependent on cookies...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominick,
> >
> > Thanks for your help. Now I'm wondering if there is any way to access a
> > user's roles if they have cookies disabled? I suppose that I could
> > pass roles on the query string and check them on page load but there
> > must be a more elegant way. For now I'll follow your suggestion and
> > store the roles in a cookie.
> >
> > Thanks again
> >
> > On Thu, 18 Aug 2005 23:43:45 -0700, Dominick Baier [DevelopMentor]
> > <dbaier@pleasepleasenospamdevelop.com> wrote:
> >
> >> Hello wrecker,
> >>
> >> I doubt your code is working fine. In AuthenticateRequest you don't
> >> have access to the Session as the SessionModule runs after this
> >> event....
> >>
> >> The common approach is to store the roles in the cookie. I have a
> >> sample on my blog for doing this:
> >> http://www.leastprivilege.com/DevWeek2005PostConference.aspx
> >>
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
> >>> Hi all,
> >>>
> >>> I'm trying to implement role-based authentication for the following
> >>> directory structure in my ASP.NET app.
> >>>
> >>> login.aspx
> >>> Admin/
> >>> Members/
> >>> The web.config in my Admin directory is as follows
> >>> <configuration>
> >>> <system.web>
> >>> <authorization>
> >>> <allow roles="Admin"/>
> >>> <deny users="*"/>
> >>> </authorization>
> >>> </system.web>
> >>> </configuration>
> >>> When the user logs in using authentication mode set to Forms, they
> >>> are authenticated against a SQL table and then assigned a role
> >>> Dim roles() As String
> >>> If CurrentUser.IsAdministrator Then
> >>> roles = New String() {"Admin", "Member"}
> >>> Else
> >>> roles = New String() {"Member"}
> >>> End If
> >>> Where the roles string array is stored in the Session (although I've
> >>> also tried storing it in the cache object as well to try and solve
> >>> my problem)
> >>> In Global.asax Application_AuthenticateRequest I have
> >>>
> >>> If (Not (HttpContext.Current.User Is Nothing)) Then
> >>> If HttpContext.Current.User.Identity.AuthenticationType =
> >>> "Forms" Then
> >>> Dim id As System.Web.Security.FormsIdentity
> >>> id = HttpContext.Current.User.Identity
> >>> HttpContext.Current.User = New _
> >>> System.Security.Principal.GenericPrincipal(id, roles)
> >>> ' roles extracted from session
> >>> End If
> >>> End If
> >>> My problem is that after a user having Administrator privileges logs
> >>> in and they try to access a page in the Admin directory they get a
> >>> System.UnauthorizedAccessException exception. I've debugged this
> >>> and the roles array does indeed have "Admin" and "Members" in it, but
> >>> the HttpContext.Current.User doesn't seem to contain this information,
> >>> even after assigning it the new principal (I can't find it in any
> >>> fields that are visible to the debugger). I've checked the
> >>> permissions on the directory and the ASP machine account has access to this
> >>> directory. I've been reading quite a few articles on role based
> >>> security (especially the ones from the Rolla guys) and they all seem
> >>> to use this approach. Why is this not working???
> >>> My test system is IIS5.1 on XP Pro using version 1.1 of the
> >>> framework.
> >>>
> >>> Thanks
> >>>
>
>
>
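The approach Dominick recommends (carry the roles inside the forms authentication ticket rather than in Session, and rebuild the principal from the ticket in Application_AuthenticateRequest), written out as an added example for ASP.NET 1.1; this is not code from the thread or from the linked blog sample. The helper class name, the parameter names and the 30-minute timeout are assumptions; the ticket's UserData is encrypted and MAC-protected by the machineKey when protection="All", so unlike a query string the role list cannot be edited by the client.

```vb
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Security.Principal

' Hypothetical helper; call IssueTicket from login.aspx after the SQL check succeeds,
' and AuthenticateRequest from Global.asax Application_AuthenticateRequest.
Public Class RoleTicketHelper

    ' Put the role list into the ticket's UserData so it travels with the auth cookie.
    Public Shared Sub IssueTicket(ByVal userName As String, ByVal isAdmin As Boolean, _
                                  ByVal response As HttpResponse)
        Dim roles As String
        If isAdmin Then
            roles = "Admin,Member"
        Else
            roles = "Member"
        End If
        ' Version 1, issued now, expires in 30 minutes (assumed), non-persistent, roles as UserData.
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
                                                     DateTime.Now.AddMinutes(30), False, roles)
        ' Encrypt() applies the configured machineKey protection (encryption plus MAC).
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        response.Cookies.Add(cookie)
    End Sub

    ' Rebuild the principal from the ticket. Session is not available yet at this
    ' pipeline stage, which is why storing roles there never reaches the principal.
    Public Shared Sub AuthenticateRequest(ByVal context As HttpContext)
        Dim authCookie As HttpCookie = context.Request.Cookies(FormsAuthentication.FormsCookieName)
        If authCookie Is Nothing OrElse authCookie.Value = "" Then Return
        Dim ticket As FormsAuthenticationTicket
        Try
            ticket = FormsAuthentication.Decrypt(authCookie.Value)
        Catch ex As Exception
            Return ' invalid MAC or a cookie from a different machineKey: stay anonymous
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return
        Dim roles() As String = ticket.UserData.Split(","c)
        ' <allow roles="Admin"/> in Admin/web.config now matches against this principal.
        context.User = New GenericPrincipal(New FormsIdentity(ticket), roles)
    End Sub
End Class
```

In Global.asax the call is simply `RoleTicketHelper.AuthenticateRequest(HttpContext.Current)`; a ticket that fails to decrypt is treated as anonymous, so the user is redirected to login.aspx rather than granted stale roles.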


