-
Jun 9th, 2005, 07:35 AM
#1
Thread Starter
Fanatic Member
authorising specific users to view certain pages (Web Config)
In 2310B course material (Developing MS ASP.NET apps using VS) it says.
The following code allows the user "Mary" access to a page
Code:
<location path="setup.aspx">
<authorization>
<allow users="Mary" />
</authorization>
</location>
The text then states
Note It is not advisable to authorize users individually, because this process may disclose sensitive information if the Web.config file is stolen. In addition, hard coding users in the Web.config file is not a flexible approach because you cannot modify this information programmatically at runtime. Hard coding users in the Web.config file is suitable for testing purposes only.
So, if we have a page we only want one user to see, how do we set up permissions to allow them?
-
Jun 9th, 2005, 07:42 AM
#2
Re: authorising specific users to view certain pages (Web Config)
First, deny users="*"
then allow Mary.
-
Jun 9th, 2005, 07:50 AM
#3
Thread Starter
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
So are we saying that we ignore the warning by Microsoft (it does seem a bit paranoid)?
Note It is not advisable to authorize users individually, because this process may disclose sensitive information if the Web.config file is stolen. In addition, hard coding users in the Web.config file is not a flexible approach because you cannot modify this information programmatically at runtime. Hard coding users in the Web.config file is suitable for testing purposes only.
Is it possible to put both deny and allow statements in the same location section, like so?
Code:
<location path="setup.aspx">
<authorization>
<deny users="*" />
<allow users="Mary" />
</authorization>
</location>
Or should they be in separate location sections?
-
Jun 10th, 2005, 01:09 AM
#4
Re: authorising specific users to view certain pages (Web Config)
Yes, ignore it. And I made a mistake in my previous post. Do it like this:
<authorization>
<allow users="Mendhak"/>
<deny users="*"/>
</authorization>
HTH
-
Jun 10th, 2005, 03:03 AM
#5
Thread Starter
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
Thanks mendhak, I'll use it later.
-
Feb 15th, 2006, 05:03 AM
#6
Thread Starter
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
Can anyone tell me how to secure a whole directory? I can't seem to get the syntax right.
-
Feb 15th, 2006, 05:08 AM
#7
Re: authorising specific users to view certain pages (Web Config)
<location path="foldername">
.................................................
-
Feb 16th, 2006, 03:36 AM
#8
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
As a side question, is there a way to lock portions of a site based on what type of user has logged in (assuming we're using a custom login page and make that call I can't remember like Authorization.RedirectFromLogin()). For instance, can we use the custom login page for both administrators and regular members?
The human brain cannot hold all of the knowledge that exists in this world, but it can hold pointers to that knowledge.
-
Feb 16th, 2006, 06:04 AM
#9
Thread Starter
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
 Originally Posted by mendhak
<location path="foldername">
.................................................
That's what I thought, but when I use
HTML Code:
<location path="Admin">
<authorization>
<allow users="Admin" />
<deny users="*" />
</authorization>
</location>
I get the following error.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: Unrecognized configuration section 'location'
Source Error:
Line 55: (unauthenticated) users.
Line 56: -->
Line 57: <location path="Admin">
Line 58: <authorization>
Line 59: <allow users="Admin" />
I also tried
HTML Code:
<authorization>
<allow users="*" /> <!-- Allow all users -->
<location path="Admin">
<authorization>
<allow users="Admin" />
<deny users="*" />
</authorization>
</location>
</authorization>
and
HTML Code:
<authorization>
<allow users="*" /> <!-- Allow all users -->
<location path="Admin">
<allow users="Admin" />
<deny users="*" />
</location>
</authorization>
and error on the location line in the last two cases.
Authorization rule must have an <allow> or <deny> tag.
But still getting errors
Last edited by davidrobin; Feb 16th, 2006 at 06:24 AM.
-
Feb 16th, 2006, 06:23 AM
#10
Thread Starter
Fanatic Member
Re: authorising specific users to view certain pages (Web Config)
 Originally Posted by DNA7433
As a side question, is there a way to lock portions of a site based on what type of user has logged in (assuming we're using a custom login page and make that call I can't remember like Authorization.RedirectFromLogin()). For instance, can we use the custom login page for both administrators and regular members?
That is what I am doing here.
I have searched the internet and found a way to do it.
The web.config file in the site root has the following.
HTML Code:
<authentication mode="Forms" >
<forms name="formlogin" loginUrl="Adminlogin.aspx"></forms>
</authentication>
<!-- AUTHORIZATION
This section sets the authorization policies of the application. You can allow or deny access
to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
(unauthenticated) users.
-->
<authorization>
<allow users="*" /> <!-- Allow all users -->
<!-- <allow users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
<deny users="[comma separated list of users]"
roles="[comma separated list of roles]"/>
-->
</authorization>
My adminlogin.aspx page is in the root of the site.
In the folder I want to be secure I put a web.config file with the contents as
HTML Code:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authorization>
<allow users="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</configuration>
So now if I navigate to a page in the root folder it redirects to the login page because I have denied anonymous users, and if login is successful it redirects me to the page in the secure folder I wanted.
Last edited by davidrobin; Feb 16th, 2006 at 06:27 AM.
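Added example, not part of any poster's message: a simplified Python model of ASP.NET's documented URL-authorization behaviour (rules nearest the resource are checked first, the first match wins, and the machine-level default is `<allow users="*"/>`), run over a constructed Web.config in which `<location>` sits where ASP.NET accepts it, as a direct child of `<configuration>` with its own `<system.web>` wrapper. It shows why `<deny users="*"/>` placed first locks out the named user, and why the `<allow users="Admin"/><deny users="?"/>` pair from post #10 still admits any other authenticated user. Assumptions: only the `users` attribute is modelled (no roles or verbs), names are compared exactly, the folder's own web.config is modelled as the equivalent `<location path="Admin">` block, and the user name `Bob` is made up.

```python
import xml.etree.ElementTree as ET

# Constructed Web.config (not from the thread): <location> is a direct child of
# <configuration>, a sibling of <system.web>, and wraps its own <system.web>.
SITE = """
<configuration>
  <system.web>
    <authorization><allow users="*"/></authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>{rules}</authorization>
    </system.web>
  </location>
</configuration>"""
AS_POSTED = '<allow users="Admin"/><deny users="?"/>'  # rule pair from post #10
STRICT = '<allow users="Admin"/><deny users="*"/>'     # allow first, as in post #4
REVERSED = '<deny users="*"/><allow users="Admin"/>'   # deny first, as asked in post #3

def merged_rules(config_xml, url_path):
    """Rules for url_path: matching <location> rules first, then site-wide rules."""
    root = ET.fromstring(config_xml)
    found = []
    for loc in root.findall("location"):
        prefix = loc.get("path")
        if url_path == prefix or url_path.startswith(prefix + "/"):
            found += loc.findall("system.web/authorization/*")
    found += root.findall("system.web/authorization/*")
    return [(el.tag, [n.strip() for n in el.get("users", "").split(",")])
            for el in found]

def is_allowed(config_xml, url_path, user):
    """user is None for an anonymous request; the first matching rule decides."""
    default = [("allow", ["*"])]  # machine-level default rule
    for action, names in merged_rules(config_xml, url_path) + default:
        anonymous_hit = "?" in names and user is None
        named_hit = user is not None and user in names
        if "*" in names or anonymous_hit or named_hit:
            return action == "allow"
    return False

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("strict", STRICT), ("reversed", REVERSED)):
        site = SITE.format(rules=rules)
        print(label, {u: is_allowed(site, "Admin/users.aspx", u) for u in (None, "Admin", "Bob")})
```

With `<deny users="*"/>` as the last rule in the folder, only the named account gets through; with `<deny users="?"/>` the request from any other logged-in account falls through to the inherited `<allow users="*"/>`.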