Re: ASP.NET Role Authorization Override



Thanks Jesse, your advice seems to have gotten me past this hurdle. It's odd,
because I could have sworn that I had tried this already. Below is the
updated <location> element that appears to have done the trick:

<location path="Users/EditUser.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
      <allow users="*"/> <!-- this resets the parent role auth, I guess? -->
    </authorization>
  </system.web>
</location>

Thanks once again to Jesse and Joe for their help.

-Mike

"Jesse Houwing" wrote:

Hello Mike,

Add a specific Allow users tag to the location specific rule, otherwise there's
only deny rules in the whole set that applies to this location.

Jesse

Joe,

Thanks for the suggestion. The markup from the web.config file is as
follows:

<!-- site-wide authorization: only allow Administrators access -->
<system.web>
  <authentication mode="Forms">
    <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
           slidingExpiration="true" protection="All" />
  </authentication>
  <authorization>
    <allow roles="Administrators"/>
    <deny users="*"/>
  </authorization>
</system.web>
<!-- location override: let any authenticated user access the EditUser page -->
<location path="Users/EditUser.aspx">
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</location>

As you can see, my approach was to limit access by role site-wide, but
then for the page I wanted an exclusion for, simply restrict anonymous
users from accessing it, which I thought would be logically equivalent
to allowing any authenticated user, irrespective of role, access it.
Perhaps this is not how ASP.NET interprets it, and this may be the
disjuncture. Maybe the <location> element isn't viewed as an override
on the <authorization> element, since it isn't explicitly specified.
That being the case, how does one turn it off in a sub-directory?

I'd like to establish this policy via configuration versus code, if
possible. I'd be quite surprised if there wasn't a way to achieve what
I'm trying to do, given how simple it seems: make every page in the
site require Administrators membership except for 1 page, which would
only require user authentication.

Thanks again,
-Mike

"Joe Kaplan" wrote:

Perhaps you could show the markup from the web.config? There may be
an error in your location tag usage that is preventing it from giving
you the desired results.

An alternate approach would be to handle the "Authenticate" event in
global.asax, check for a request for the specific excluded page and
use the SkipAuthorization property on HttpContext to override the
behavior of the UrlAuthorizationModule (the <allow><deny> tags in
web.config). This approach is a bit dangerous because you need to do
matching on the URL which can lead to security issues if you have any
problems with your string matching and it may be harder to maintain,
but sometimes you need the extra flexibility the code solution gives
you.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net

"Mike" <Mike@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4103AFCE-E3D7-4B6B-BF4B-E231A1CFB370@xxxxxxxxxxxxxxxx

Hello,

I am having difficulty achieving a result I expected to be very easy
with ASP.NET role authorization. I would like to set a site-wide
authorization policy where only members of a certain role may access
any page in the site, but I would like to suspend this authorization
policy for *one* single page in the site, so that any authenticated
user may access the page, no matter which role they are assigned to or
even if they have no roles.

I have tried using a <location> element to turn off role authorization
for the single page, but it doesn't seem to have any effect.
Authenticated users without the proper role that try to access the
unrestricted page are prompted over and over again to log in, which
indicates that a role is still needed for the page. How can I override
the site-wide role authorization requirement and turn it off for the
one page?

TIA,
-Mike

--
Jesse Houwing
jesse.houwing at sogeti.nl
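
Added example (not part of the thread and not ASP.NET's own code): a
simplified Python model of the rule evaluation Jesse describes, in which
the <location> rules are checked first, then the site-wide rules, then
the built-in default of allow users="*", and the first matching rule
decides. The function names and sample user names are constructed for
illustration, and the verbs attribute is not modelled.

```python
import xml.etree.ElementTree as ET

# Rules as posted in the thread: site-wide block, then both <location> variants.
SITE = '<authorization><allow roles="Administrators"/><deny users="*"/></authorization>'
LOCATION_BEFORE = '<authorization><deny users="?"/></authorization>'
LOCATION_AFTER = '<authorization><deny users="?"/><allow users="*"/></authorization>'
# Root-level default that ASP.NET applies when nothing else matches.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def rule_matches(users, roles, name, user_roles):
    """name is None for an anonymous request ("?" matches only that case)."""
    for u in users:
        if u == "*" or (u == "?" and name is None):
            return True
        if name is not None and u.lower() == name.lower():
            return True
    held = {r.lower() for r in user_roles}
    return any(r.lower() in held for r in roles)


def is_allowed(location_xml, name, user_roles=()):
    """Most specific rules first, then parent, then default; first match wins."""
    merged = (parse_rules(location_xml) + parse_rules(SITE)
              + parse_rules(MACHINE_DEFAULT))
    for action, users, roles in merged:
        if rule_matches(users, roles, name, user_roles):
            return action == "allow"
    return False  # not reached here: the default rule matches everyone


if __name__ == "__main__":
    for label, loc in (("before", LOCATION_BEFORE), ("after", LOCATION_AFTER)):
        print(label, "non-admin:", is_allowed(loc, "alice"),
              "anonymous:", is_allowed(loc, None))
```

With the original <location> block, an authenticated user without the
Administrators role falls through to the site-wide deny users="*"; with
the added allow users="*", the request is settled inside the <location>
block before the parent rules are reached.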


