ASP.NET Role Authorization Override

Mike

Hello,

I am having difficulty achieving a result I expected to be very easy with
ASP.NET role authorization. I would like to set a site-wide authorization
policy where only members of a certain role may access any page in the site,
but I would like to suspend this authorization policy for *one* single page in
the site, so that any authenticated user may access the page, no matter which
role they are assigned to or even if they have no roles.

I have tried using a <location> element to turn off role authorization for
the single page, but it doesn't seem to have any effect. Authenticated users
without the proper role that try to access the unrestricted page are prompted
over and over again to log in, which indicates that a role is still needed
for the page. How can I override the site-wide role authorization requirement
and turn it off for the one page?

TIA,
-Mike
 
Joe Kaplan

Perhaps you could show the markup from the web.config? There may be an
error in your location tag usage that is preventing it from giving you the
desired results.

An alternate approach would be to handle the "Authenticate" event in
global.asax, check for a request for the specific excluded page and use the
SkipAuthorization property on HttpContext to override the behavior of the
UrlAuthorizationModule (the <allow><deny> tags in web.config). This
approach is a bit dangerous because you need to do matching on the URL which
can lead to security issues if you have any problems with your string
matching and it may be harder to maintain, but sometimes you need the extra
flexibility the code solution gives you.
 
Mike

Joe,

Thanks for the suggestion. The markup from the web.config file is as follows:

<!-- site-wide authorization: only allow Administrators access -->
<system.web>
    <authentication mode="Forms">
        <forms loginUrl="Login.aspx" name=".ASPXFORMSAUTH"
               slidingExpiration="true" protection="All" />
    </authentication>
    <authorization>
        <allow roles="Administrators"/>
        <deny users="*"/>
    </authorization>
</system.web>

<!-- location override: let any authenticated user access the EditUser page -->
<location path="Users/EditUser.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</location>

As you can see, my approach was to limit access by role site-wide, but then
for the page I wanted an exclusion for, simply restrict anonymous users from
accessing it, which I thought would be logically equivalent to allowing any
authenticated user, irrespective of role, access it. Perhaps this is not how
ASP.NET interprets it, and this may be the disjuncture. Maybe the <location>
element isn't viewed as an override on the <authorization> element, since it
isn't explicitly specified. That being the case, how does one turn it off in
a sub-directory?

I'd like to establish this policy via configuration versus code, if
possible. I'd be quite surprised if there wasn't a way to achieve what I'm
trying to do, given how simple it seems: make every page in the site require
Administrators membership except for 1 page, which would only require user
authentication.

Thanks again,
-Mike
 
Jesse Houwing

Hello Mike,

Add a specific Allow users tag to the location-specific rule; otherwise there's
only deny rules in the whole set that applies to this location.

Jesse
 
Mike

Thanks Jesse, your advice seems to have gotten me past this hurdle. It's odd,
because I could have sworn that I had tried this already. Below is the
updated <location> element that appears to have done the trick:

<location path="Users/EditUser.aspx">
    <system.web>
        <authorization>
            <deny users="?"/>
            <allow users="*"/> <!-- this resets the parent role auth, I guess? -->
        </authorization>
    </system.web>
</location>

Thanks once again to Jesse and Joe for their help.

-Mike
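
Added example, not part of the thread and not ASP.NET code: a simplified Python model of how URL authorization rules are evaluated, run against the two <location> blocks posted above. It assumes first-match evaluation with the location's rules ahead of the site-wide rules and a default allow-all at the end of the list; the function names and the sample users "alice" and "admin" are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed from the web.config fragments posted in the thread.
SITE = '<authorization><allow roles="Administrators"/><deny users="*"/></authorization>'
LOCATION_BEFORE = '<authorization><deny users="?"/></authorization>'
LOCATION_AFTER = '<authorization><deny users="?"/><allow users="*"/></authorization>'
# Assumption: the machine-level default that ends every merged rule list.
MACHINE_DEFAULT = '<authorization><allow users="*"/></authorization>'


def parse_rules(xml_text):
    """Return [(action, users, roles)] in document order."""
    rules = []
    for el in ET.fromstring(xml_text):
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def rule_matches(rule, user, roles):
    """user is None for an anonymous request; '?' = anonymous, '*' = everyone."""
    _, rule_users, rule_roles = rule
    for u in rule_users:
        if u == "*" or (u == "?" and user is None):
            return True
        if user is not None and u.lower() == user.lower():
            return True
    return user is not None and any(r in roles for r in rule_roles)


def is_allowed(user, roles, *levels):
    """Walk levels from most specific to least; the first matching rule decides."""
    for level in levels:
        for rule in parse_rules(level):
            if rule_matches(rule, user, roles):
                return rule[0] == "allow"
    return False


def check_page(location_xml, user, roles=()):
    """Access decision for Users/EditUser.aspx with the given <location> rules."""
    return is_allowed(user, roles, location_xml, SITE, MACHINE_DEFAULT)


if __name__ == "__main__":
    for label, loc in (("before", LOCATION_BEFORE), ("after", LOCATION_AFTER)):
        for user, roles in ((None, ()), ("alice", ()), ("admin", ("Administrators",))):
            verdict = "allow" if check_page(loc, user, roles) else "deny"
            print(label, user or "anonymous", verdict)
```

With the original block, an authenticated user without the role passes `deny users="?"` but then falls through to the site-wide `deny users="*"`; with `allow users="*"` added, the location's own rule matches first.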
 
