Jurjen de Groot
I have built an ASP.NET application and would like to protect various
folders containing aspnet pages for various usertypes.
/Admin
/Manager
/User
I've created a login on the default.aspx in the root of the project. After
typing username/password and hitting the login button the user is validated
against a USER/ROLE Table in the database and an object having the
IPrincipal interface (BusinessPrincipal) is created (with one role (in
uppercase) attached to it) and is put into the CurrentPrincipal.
In my /web.config I have :
....
    <authentication mode="Forms" >
      <forms name="Default" loginUrl="Default.aspx" protection="All" timeout="60" />
    </authentication>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
  <!-- secure path Admin -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="ADMIN" /> <!-- Allow all users have role ADMIN -->
        <deny users="*" /> <!-- and DisAllow all other users -->
      </authorization>
    </system.web>
  </location>
I've also tried leaving out the last part '-- secure path admin --' and
putting it in a web.config within the Admin folder like this :
<configuration>
  <location>
    <system.web>
      <authorization>
        <allow roles="ADMIN" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
But it doesn't seem to work. If I log in (having role ADMIN !!) I get
redirected to my login page with the returnUrl of Admin/Default.aspx.
Can anyone enlighten me and/or give me some advice on this? I would like to
prevent a User from gaining access to Admin or Manager pages.
Jurjen.