Help needed in Web.config

[Raghu Raman]

Hi,

My query.

I need to restrict invalid users of my **database**

I did..

i am creating an asp.net app in c#.net . some part of my websites
including the home page can be seen by any people . so that i checked
the anonymous users check box and removed all other authentications in
my directory settings of the virtual dir.

my web.config file has

for example , i want to restrict the user sa from accessing the
database. i did
------------------------------------------------------------------------
-------------
<authentication mode="Forms">
<forms loginUrl="webform1.aspx" name=".aspauth"/>
</authentication>
<authorization>
<deny users="sa" />
</authorization>
* no impersonation
------------------------------------------------------------------------
-------------
*If i run the app,

the default startup page will be "webform1.aspx" .on that form ,i 've a
command but which opens the connection.It opens the connection
eventhough the user id=sa;

What should i do, to restrict the user "sa"

Thanks in advance ,
Raghu

 

[ranganh]

Hi,

I really couldn't get what you are trying to do with a "command which opens
a connection" and forms authentication.

If you want to restrict the users, you can do it at the page level, say you
want to restrict "sa" to access the page webform1.aspx, you can do that.

Your initial requirement was to protect some pages and other pages are open
to everyone, if you want to restrict a specific page or pages you can use the
location path tag as follows:-

<location path="ProtectedPage.aspx">
<system.web>
<authorization>
<deny users="?" />
<deny users="sa" />
</authorization>
</system.web>
</location>

Or, if you have a bunch of pages, put them in a folder and put location
path="foldername" to restrict unauthorised users for the entire pages in that
folder.

If you still want to show the page and check whether the user is logged in
or he is "sa" on a button click, you need to write code for that as follows:-

button1_click ()

If(User.Identity.IsAuthenticated && User.Identity.Name != "sa");
{

//do whatever you want

}

else

{
Response.Redirect("loginpage.aspx");

}

Hope it helps.

 

[Raghu Raman]

Hi, thanks for that. but i did not get he result for that.it spits the
error for the <location > tag.

your suggestion
--------------------------
<location path="ProtectedPage.aspx">
<system.web>
<authorization>
<deny users="?" />
<deny users="sa" />
</authorization>
</system.web>
</location>
------------------------------

may be i am wrong in understanding of the web.config.
--------------------------------
let me clear on web.config
--------------------------------
1.the users tag in the web.config denotes the windows user account only
..
2. it does not denotes the any database users.

3. for 'forms' based authentication, since some of my pages of my web
has to be seen , i should go for Anonymous authentication alone (or
combined with Integrated windows Authentication) .

4.Now i need to do nothing with the web.config. am i right???

5.THEN HOW DO I RESTRICT THE DATABASE USERS.


***IS IT POSSIBLE TO RESTRICT DATABASE USERS IN WEB.CONFIG?**

With regards
Raghuraman

 

[ranganh]

Hi,

You need to put the locationpath tag outside the system.web tag in your
web.config.

your web.config stars like this

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>

// here you specify the authentication mode

</system.web>

//here you need to put the location path tag

<location path="ProtectedPage.aspx">
<system.web>
<authorization>
<deny users="?" />
<deny users="sa" />
</authorization>
</system.web>
</location>

Notice that the above tag set themselves have a system.web tag. so they
need to be outside the original <system.web>... </system.web> tags. in your
web.config file.

 

[Raghu Raman]

Hi, thanks for that . i ll try it and get u back.

but , u did'nt provide me the answer of the query.

** how can i restrict the db user in web.config?.please tolorate me.

with regards
Raghu