RE: ASP.NET 2.0 Authorization based on Combination of Allow/Deny Users/Roles.
- From: wawang@xxxxxxxxxxxxxxxxxxxx (Walter Wang [MSFT])
- Date: Thu, 15 Feb 2007 06:01:48 GMT
Hi Douglas,
The roles attribute in <siteMapNode> is used to expand the allowable users,
not to restrict them. It is designed this way because Sitemap already
integrates with authentication. In other words, it's the <authorization>
rules in web.config that determine which sitemap node will be displayed to
the user when a user with a specific role logs in. Normally you only need to
use the roles attribute on a sitemap node that doesn't have a url attribute.
For example, add roles="*" when the node is a parent type node without an
actual url.
I understand that the issue here is that <authorization> rules don't
permit AND, OR combinations of different roles. The <allow> or <deny> rules
are evaluated from top to bottom; whenever a rule succeeds, the remaining
rules will not be evaluated.
To learn how an HttpModule could be built to handle these authorization
rules, you might want to use Reflector
(http://www.aisto.com/roeder/dotnet/) to view the implementation of
System.Web.Security.UrlAuthorizationModule.
Hope this helps.
Sincerely,
Walter Wang (wawang@xxxxxxxxxxxxxxxxxxxx, remove 'online.')
Microsoft Online Community Support
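
An added example, not part of the original post and not Microsoft's code: a minimal HttpModule that requires a user to hold all of the listed roles for a path, the AND combination that the first-match <allow>/<deny> rules cannot express. The class name, path prefixes and role names are assumptions made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class AllRolesAuthorizationModule : IHttpModule
{
    // Constructed policy (hypothetical paths and roles):
    // app-relative path prefix -> roles the user must ALL hold.
    private static readonly Dictionary<string, string[]> RequiredRoles =
        new Dictionary<string, string[]>();

    static AllRolesAuthorizationModule()
    {
        RequiredRoles.Add("~/finance/approve/", new string[] { "Finance", "Managers" });
        RequiredRoles.Add("~/admin/audit/", new string[] { "Admins", "Auditors" });
    }

    public void Init(HttpApplication app)
    {
        // Same pipeline stage in which UrlAuthorizationModule applies <authorization>.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    // Pure decision function, so it can be unit-tested without a live request.
    public static bool IsAllowed(IPrincipal user, string appRelativePath)
    {
        foreach (KeyValuePair<string, string[]> rule in RequiredRoles)
        {
            // Case-insensitive match, so "~/Finance/Approve/" cannot slip past.
            if (!appRelativePath.StartsWith(rule.Key, StringComparison.OrdinalIgnoreCase))
                continue;
            // Fail closed: an anonymous user never satisfies a role requirement.
            if (user == null || !user.Identity.IsAuthenticated)
                return false;
            foreach (string role in rule.Value)
                if (!user.IsInRole(role))
                    return false; // missing any one role denies (AND)
        }
        return true; // no rule matched: <authorization> rules still apply
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (IsAllowed(ctx.User, ctx.Request.AppRelativeCurrentExecutionFilePath))
            return;
        ctx.Response.StatusCode = 401; // with forms auth this becomes a login redirect
        ctx.ApplicationInstance.CompleteRequest();
    }
}
```

The module only adds restrictions; a path that matches none of its prefixes is still subject to the <authorization> rules in web.config. Register it under <httpModules> in <system.web> so that it runs for every request.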