FormsAuthentication Roles Problem

James McFarland

I want to use FormsAuthentication and allow access based on role.

I have a /Admin directory on the web app, and want to allow role "admin",
but deny all other users.

/Web.config:
<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>

/Admin/Web.config:
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>

This setup prevents all users from accessing pages in the /Admin folder,
even users whose IPrincipal.IsInRole("admin") implementation returns true.

If I change /Admin/Web.config to the below, it allows the "(e-mail address removed)"
user in:
<authorization>
<allow users="(e-mail address removed)" roles="admin"/>
<deny users="*"/>
</authorization>

Anyone ever seen this problem or have any idea what I am doing wrong?
All examples I have seen appear to use the <allow roles="admin"/> approach.

Thanks,
-james
 
[MSFT]

Hello James,

I think you should put the domain/machine name before "Admins". Also,
please note that these names (including the group name) are
case sensitive.

Hope this helps,

Luke
 
James McFarland

Hello James,

I think you should put the domain/machine name before "Admins". Also,
please note that these names (including the group name) are
case sensitive.

Hope this helps,

Luke

Luke:
I checked the case, and that all matches.
Just to further clarify, I am not using AD or Windows Authentication, so the
domain name/machine name are not relevant in my case.
Does that make sense?

Thanks,
-james
 
[MSFT]

Since you use Forms authentication, can you explain more about how you
implement IPrincipal.IsInRole and Application_AuthenticateRequest?
Normally, we need to grant roles in Application_AuthenticateRequest like:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Runs after FormsAuthenticationModule has set the identity and before
    ' UrlAuthorizationModule evaluates <authorization>, so the roles attached
    ' here are what <allow roles="..."/> and IPrincipal.IsInRole will see.
    If Not HttpContext.Current.User Is Nothing Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            Dim id As System.Web.Security.FormsIdentity
            id = DirectCast(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)

            ' Roles are hard-coded for illustration; a real application looks
            ' them up for id.Name. Dim MyRoles(1) declares indices 0 and 1.
            Dim MyRoles(1) As String
            MyRoles(0) = "Manager"
            MyRoles(1) = "Admin"
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, MyRoles)
        End If
    End If
End Sub


Luke
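The rule evaluation the thread is arguing about, as an added example that is not code from the thread or from ASP.NET: a small Python model of how the URL authorization module walks the merged <authorization> rules (first match wins, the subdirectory's rules run before the parent's, a request matching no rule is allowed) and of an allow rule carrying both users and roles attributes, which matches on either. It parses James's root config and both /Admin/Web.config variants and shows that the first variant admits a principal carrying the "admin" role and denies one without it, that the second variant admits the named user whether or not the principal carries any role (so it cannot confirm that IsInRole is being consulted, which fits Luke's point that roles must be attached to the principal in Application_AuthenticateRequest), and that reversing the two rules locks everyone out. The Principal type, the name "james" standing in for the removed e-mail address, exact-match role comparison and case-insensitive user-name comparison are assumptions of the model; HTTP verbs are not modelled.

```python
"""Model of ASP.NET URL authorization (added example, not ASP.NET code).

Reproduces the documented evaluation of the <authorization> section: rules run
top to bottom, a subdirectory's rules before its parent's, the first rule whose
users/roles attribute matches the principal decides, and a request matching no
rule is allowed (the machine-level config ends with <allow users="*"/>).
HTTP verbs are not modelled.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    """Stand-in for IPrincipal; name is None for an anonymous request."""
    name: Optional[str]
    roles: frozenset = frozenset()

    def is_in_role(self, role: str) -> bool:
        # ASP.NET calls IPrincipal.IsInRole here; an exact match is assumed.
        return role in self.roles


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    users: Tuple[str, ...]   # names, "*" (everyone) or "?" (anonymous)
    roles: Tuple[str, ...]


def parse_rules(authorization_xml: str) -> List[Rule]:
    """Parse one <authorization> element into its ordered rules (XML comments are dropped)."""
    root = ET.fromstring(authorization_xml)
    if root.tag != "authorization":
        raise ValueError("expected an <authorization> element")
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            raise ValueError(f"unexpected element <{el.tag}>")
        users = tuple(u.strip() for u in el.get("users", "").split(",") if u.strip())
        roles = tuple(r.strip() for r in el.get("roles", "").split(",") if r.strip())
        if not users and not roles:
            raise ValueError(f"<{el.tag}> needs a users or roles attribute")
        rules.append(Rule(el.tag, users, roles))
    return rules


def rule_matches(rule: Rule, principal: Principal) -> bool:
    """A rule matches when ANY listed user or ANY listed role applies."""
    for user in rule.users:
        if user == "*":
            return True
        if user == "?":
            if principal.name is None:
                return True
            continue
        # User names are compared case-insensitively (assumption about ASP.NET).
        if principal.name is not None and user.casefold() == principal.name.casefold():
            return True
    return any(principal.is_in_role(role) for role in rule.roles)


def is_authorized(rule_sets: List[List[Rule]], principal: Principal) -> bool:
    """rule_sets runs from the requested directory up to the site root."""
    for rules in rule_sets:
        for rule in rules:
            if rule_matches(rule, principal):
                return rule.action == "allow"
    return True  # nothing matched: the machine-level default allows everyone


# The thread's configs; "james" stands in for the removed e-mail address (assumption).
ROOT_CONFIG = '<authorization><allow users="*" /> <!-- Allow all users --></authorization>'
ADMIN_CONFIG = '<authorization><allow roles="admin"/><deny users="*"/></authorization>'
ADMIN_CONFIG_WITH_USER = (
    '<authorization><allow users="james" roles="admin"/><deny users="*"/></authorization>'
)
# Same two rules reversed: the deny matches everyone first, so nobody gets in.
ADMIN_CONFIG_WRONG_ORDER = '<authorization><deny users="*"/><allow roles="admin"/></authorization>'


def can_reach_admin(principal: Principal, admin_config: str = ADMIN_CONFIG) -> bool:
    """Request for /Admin: /Admin/Web.config rules first, then /Web.config rules."""
    return is_authorized([parse_rules(admin_config), parse_rules(ROOT_CONFIG)], principal)


if __name__ == "__main__":
    with_role = Principal("james", frozenset({"admin"}))
    no_roles = Principal("james")  # Forms-authenticated, but no roles attached to the principal
    print(can_reach_admin(with_role), can_reach_admin(no_roles), can_reach_admin(Principal(None)))
    print(can_reach_admin(no_roles, ADMIN_CONFIG_WITH_USER))   # admitted by name, not by role
    print(can_reach_admin(with_role, ADMIN_CONFIG_WRONG_ORDER))
```

The useful check when a role rule "does not work" is therefore to inspect the principal the authorization module actually sees (HttpContext.Current.User at AuthorizeRequest time), not to add the user name to the allow rule: a name match silences the symptom while the role check is still failing.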
 
Patrick.O.Ige

I think you should try the MSFT advice first and see...
And make sure you have Anonymous Access when using Forms Auth!
With Web.config it's case sensitive, so be careful...
Enjoy!
Patrick
 
