.Net Security - Not 'all' pages

Guest

I am fighting with XP-Pro and VS.Net trying to allow some of the pages in my
application to be accessible by 'all'. I am using <authentication
mode="Forms" /> and if I Login - everything works fine. My code comes from
a walkthrough (I am learning) and I am currently using
(User.Identity.IsAuthenticated) in the Login.aspx page to validate UserID
against my database (I like it).
What I need is a 'simple' method by which I can set some of the generic
pages to be accessible by 'all' visitors, even those not logged in. Ken
Dopierala Jr. answered another post and suggested I use <location
path="directory"> to allow Role based access to some directories and then
just <allow users="*" />.
PLEASE - There must be a 'simple' way I can designate a page as generic and
not require authorization to access these generic pages.
Can anyone give me some 'detail' advice on how to accomplish this?
Thanks,
Paul
 
Hi Paul,

I totally recommend against doing this and instead using a Roles based
security system. But here is a workaround. Create a class and add this
code:

Option Strict On
Option Explicit On

Imports System
Imports System.Web
Imports System.Web.UI

Public Class MyBasePage
    Inherits System.Web.UI.Page

    Protected Overrides Sub OnLoad(ByVal e As System.EventArgs)
        ' Anonymous visitors never get past this point on a protected page.
        If Not User.Identity.IsAuthenticated Then
            Response.Redirect("Login.aspx")
        End If
        ' Without this call the Load event never fires in derived pages.
        MyBase.OnLoad(e)
    End Sub
End Class

Have every page that you want to have protected inherit from this page. For
every page that you want generic have it still inherit from
"System.Web.UI.Page". Now, if a user isn't authenticated, and this is a
protected page, they will be sent to Login.aspx. Remember to set your
<authentication> tag to allow everyone, you are no longer using the
ASP.Net built in management for authentication. I wouldn't do it this way
and in the end you'll be totally screwing yourself over. But, this will at
least do what you want it to until you switch over to Roles based
authentication. Good luck! Ken.
 
Ken,
I am following an example from WebMatrix called MyPics - - it allows
authorized users to (Login with UserID & Password - verified against the User
database) and to Upload pictures - and I thought anyone could view the
pictures. I am trying to get a site up (for the practice & learning) that
will allow anyone to look around, but allow logged-in users more access to
secure pages.
The Login.aspx.cs is:
using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

namespace FGC
{
    /// <summary>
    /// Summary description for Login.
    /// </summary>
    public class Login : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Label Label1;
        protected System.Web.UI.WebControls.Label Label2;
        protected System.Web.UI.WebControls.Label Msg;
        protected System.Web.UI.WebControls.TextBox UserEMail;
        protected System.Web.UI.WebControls.TextBox UserPass;
        protected System.Web.UI.WebControls.Button Button2;
        protected System.Web.UI.WebControls.LinkButton LinkButton1;
        protected System.Web.UI.WebControls.HyperLink Hyperlink1;
        protected System.Web.UI.WebControls.HyperLink Hyperlink2;
        protected System.Web.UI.WebControls.HyperLink Hyperlink3;
        protected System.Web.UI.WebControls.Button Button1;

        private void Page_Load(object sender, System.EventArgs e)
        {
            // Put user code to initialize the page here
            //if( !Page.IsPostBack )
            //{
            //    Response.Redirect("Home.aspx");
            //    Response.Redirect("Default.aspx");
            //    return;
            //}
            UserEMail.Text = "(e-mail address removed)"; //TEMP
            UserPass.Text = "password"; //TEMP
            //Msg.Text = "Login - Page_Load - Message initialized.";
            if (!Page.IsPostBack)
            {
                Msg.Text = "Login - Page_Load - First Load.";
                //output.Write("Page has just been loaded");
            }
            else
            {
                //Msg.Text = Msg.Text;
                Msg.Text = "Login - Page_Load - Page is PostBack.";
                //output.Write("Postback has occurred");
            }
        }

        private void Button1_Click(object sender, System.EventArgs e)
        {
            if( !Page.IsValid )
            {
                Msg.Text = "Some required fields are invalid.";
                return;
            }

            int intUserId = -1;
            int intRoleId = -1;

            if (SSDAL.ValidateUser(UserEMail.Text, UserPass.Text,
                ref intUserId, ref intRoleId))
            {
                // TODO -- Add Session Handling
                FormsAuthentication.SetAuthCookie(UserEMail.Text, false);

                Session[AppGlobals.sessKeyUserId] = intUserId;
                Session[AppGlobals.sessKeyRoleId] = intRoleId;

                Session[AppGlobals.sessActualUserId] = UserEMail.Text;
                // Note: this keeps the plaintext password in session state under a
                // key named "RoleId"; the password is not needed after ValidateUser.
                Session[AppGlobals.sessActualRoleId] = UserPass.Text;

                Msg.Text = "ReDirecting to MainPic.aspx";
                //Response.Redirect("default.aspx");
                Response.Redirect("MainPic.aspx");
            }
            else
            {
                Msg.CssClass = AppGlobals.errMsgCSS;
                Msg.Text = AppGlobals.errMsgInvalidUser;
                // The redirect below means Msg is never displayed on this page.
                Response.Redirect("AddUser/AddUser.aspx");
            }
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            //
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            //
            InitializeComponent();
            base.OnInit(e);
        }

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.UserEMail.TextChanged += new System.EventHandler(this.UserEMail_TextChanged);
            this.Button1.Click += new System.EventHandler(this.Button1_Click);
            this.Button2.Click += new System.EventHandler(this.Button2_Click);
            this.LinkButton1.Click += new System.EventHandler(this.LinkButton1_Click);
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion

        private void UserEMail_TextChanged(object sender, System.EventArgs e)
        {
        }

        private void Button2_Click(object sender, System.EventArgs e)
        {
            Msg.Text = "ReDirecting to Default.aspx";
            Response.Redirect("Default.aspx");
        }

        private void LinkButton1_Click(object sender, System.EventArgs e)
        {
            bool MyVar = true; // endResponse: stop processing this page after the redirect
            Msg.Text = "ReDirecting to Home.aspx";
            Response.Redirect("Home.aspx", MyVar);
        }
    }
}

the LinkButton1 & 2 - don't work - they just re-load the Login page.....

=======================================================

a page that uses security is MainPic and the aspx.cs is:

using System;
using System.Collections;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;

namespace FGC
{
    /// <summary>
    /// Summary description for Default.
    /// </summary>
    public class MainPic : System.Web.UI.Page
    {
        protected System.Web.UI.WebControls.Label lblUserId;
        protected System.Web.UI.WebControls.DropDownList cboImageGroups;
        protected System.Web.UI.WebControls.DropDownList cboGridPages;
        protected System.Web.UI.WebControls.TextBox txtUserAlias;
        protected System.Web.UI.WebControls.TextBox txtUserPassword;
        protected System.Web.UI.WebControls.Button btnLogin;
        protected System.Web.UI.WebControls.Panel pnlLogin;
        protected System.Web.UI.WebControls.Button btnLogout;
        protected System.Web.UI.WebControls.HyperLink hlinkNewImage;
        protected System.Web.UI.WebControls.Panel pnlLogout;
        protected System.Web.UI.WebControls.DataGrid grdImages;

        private void Page_Load(object sender, System.EventArgs e)
        {
            AdjustUI();
            //txtUserAlias.Text = "(e-mail address removed)"; //TEMP
            //txtUserPassword.Text = "password"; //TEMP
            if ( !Page.IsPostBack )
            {
                LoadImageGroups();
                LoadGridData();
                LoadCboPages();
            }
        }

        private void LoadGridData()
        {
            int intMinRoleId = 0; // computed but not yet used in the filter below
            if ( User.Identity.IsAuthenticated )
                intMinRoleId = Convert.ToInt32(Session[AppGlobals.sessKeyRoleId]);
            //int groupId = 0;
            //int groupId = int.Parse(cboImageGroups.SelectedValue);
            //int groupIdA = int.Parse(cboImageGroups.DataTextField); //Bad
            //int groupIdB = int.Parse(cboImageGroups.SelectedItem.Text); //Bad
            //int groupIdC = int.Parse(cboImageGroups.SelectedItem.Value); //Bad
            //int groupId = int.Parse(cboImageGroups.DataValueField); //mine Bad
            DataView dv = new DataView(SSDAL.AllImages);
            // RowFilter is an expression language and the value arrives from the
            // posted-back list, so it should be checked to be an integer before
            // being concatenated into the filter.
            dv.RowFilter = "ImageGroupId = " + cboImageGroups.SelectedItem.Value; // Mine
            // dv.RowFilter = "ImageGroupId = " + cboImageGroups.SelectedValue;
            grdImages.DataSource = dv;
            grdImages.DataBind();
        }

        private void LoadImageGroups()
        {
            DataView dv = new DataView(SSDAL.ImageGroups);
            // Perform Data Binding
            if ( dv != null)
            {
                if ( User.Identity.IsAuthenticated )
                    dv.RowFilter = "MinRoleId <= " + Session[AppGlobals.sessKeyRoleId].ToString();
                else
                    dv.RowFilter = "MinRoleId = 0";
                cboImageGroups.DataSource = dv;
                cboImageGroups.DataValueField = "ImageGroupId";
                cboImageGroups.DataTextField = "ImageGroup";
                cboImageGroups.DataBind();
                cboImageGroups.SelectedIndex = 0;
            }
        }

        public void cboImageGroups_SelectedIndexChanged(object sender, EventArgs e)
        {
            grdImages.CurrentPageIndex = 0;
            LoadGridData();
            LoadCboPages();
        }

        public void grdImages_PageIndexChanged(object sender, DataGridPageChangedEventArgs e)
        {
            grdImages.CurrentPageIndex = e.NewPageIndex;
            LoadGridData();
        }

        public void grdImages_SelectedIndexChanged(object sender, EventArgs e)
        {
            grdImages.CurrentPageIndex = 0;
        }

        private void LoadCboPages()
        {
            DataView dv = (DataView)grdImages.DataSource;
            int intRowCount = dv.Count;
            int intPageSize = 5;
            int intRemainder = intRowCount % intPageSize;
            int intPages = ((intRowCount - intRemainder) / intPageSize);
            if ( intRemainder > 0 )
                intPages += 1;
            if (intPages == 0)
                intPages = 1; // deal with lower bound case
            string[] pages = new string[intPages];
            for (int i=0; i<intPages; i++)
                pages[i] = "Page " + (i+1).ToString();
            cboGridPages.DataSource = pages;
            cboGridPages.DataBind();
        }

        //void cboGridPages_SelectedIndexChanged(object sender, EventArgs e) {
        //    private void cboImageGroups_SelectedIndexChanged
        //        (object sender, System.EventArgs e) {
        //        string strSelected = cboGridPages.SelectedValue;
        //        grdImages.CurrentPageIndex =
        //            (Convert.ToInt32(strSelected.Substring(5)) - 1);
        //        LoadGridData();
        //    }
        //}

        public void cboGridPages_SelectedIndexChanged(object sender, EventArgs e)
        {
            //string strSelected = cboGridPages.SelectedValue;
            string strSelected = cboGridPages.SelectedItem.Value; // Mine
            // Items are "Page N", so skip the five-character "Page " prefix.
            grdImages.CurrentPageIndex = (Convert.ToInt32(strSelected.Substring(5)) - 1);
            LoadGridData();
        }

        protected string GetImageUrl(object dataItem, bool isThumbnail)
        {
            string imageUrl;
            string qstring;

            if (isThumbnail)
            {
                qstring = string.Format("Path={0}&MinRole={1}",
                    DataBinder.Eval(dataItem, "FullImageThumbPath"),
                    DataBinder.Eval(dataItem, "MinRole"));
                imageUrl = "ShowImage.axd?" + qstring;
            }
            else
            {
                qstring = string.Format("Path={0}&MinRole={1}",
                    DataBinder.Eval(dataItem, "FullImagePath"),
                    DataBinder.Eval(dataItem, "MinRole"));
                imageUrl = "ShowImage.aspx?" + qstring;
            }

            return imageUrl;
        }

        private void btnLogin_Click(object sender, System.EventArgs e)
        {
            int intUserId = -1;
            int intRoleId = -1;

            if (SSDAL.ValidateUser(txtUserAlias.Text, txtUserPassword.Text,
                ref intUserId, ref intRoleId))
            {
                // TODO -- Add Session Handling
                FormsAuthentication.SetAuthCookie(txtUserAlias.Text, false);

                Session[AppGlobals.sessKeyUserId] = intUserId;
                Session[AppGlobals.sessKeyRoleId] = intRoleId;

                // Store the entered text, not the TextBox control objects themselves
                // (matches Login.aspx.cs). As there, the plaintext password ends up
                // in session state and is not needed after ValidateUser.
                Session[AppGlobals.sessActualUserId] = txtUserAlias.Text;
                Session[AppGlobals.sessActualRoleId] = txtUserPassword.Text;

                //Response.Redirect("default.aspx");
                Response.Redirect("MainPic.aspx");
            }
            else
            {
                lblUserId.CssClass = AppGlobals.errMsgCSS;
                lblUserId.Text = AppGlobals.errMsgInvalidUser;
            }
        }

        private void btnLogout_Click(object sender, System.EventArgs e)
        {
            if ( User.Identity.IsAuthenticated )
            {
                Session.Remove(AppGlobals.sessKeyUserId);
                Session.Remove(AppGlobals.sessKeyRoleId);

                // TODO -- Add Session Handling
                FormsAuthentication.SignOut();

                //Response.Redirect("default.aspx");
                Response.Redirect("MainPic.aspx");
            }
        }

        private void AdjustUI()
        {
            bool fUA = User.Identity.IsAuthenticated;
            if ( fUA )
                lblUserId.Text = User.Identity.Name;
            else
                lblUserId.Text = AppGlobals.infoMsgAnonymous;

            lblUserId.CssClass = String.Empty;
            pnlLogin.Visible = (!fUA);
            pnlLogout.Visible = fUA;
        }

        #region Web Form Designer generated code
        override protected void OnInit(EventArgs e)
        {
            //
            // CODEGEN: This call is required by the ASP.NET Web Form Designer.
            //
            InitializeComponent();
            base.OnInit(e);
        }

        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.btnLogin.Click += new System.EventHandler(this.btnLogin_Click);
            this.btnLogout.Click += new System.EventHandler(this.btnLogout_Click);
            this.Load += new System.EventHandler(this.Page_Load);
        }
        #endregion
    }
}

==========================================================

I want to do it the 'right' way - but I am not sure I really want Role based
security (do I?) I like the User ability to 'Register' and then have access
to 'secure' functionality.

Thanks so much for your time.
Paul

===========================================================
 
Hi Paul,

The response I gave you before will do the trick. I didn't know you were
using C#. Here is how to do it.

1) Create a class:

using System;
using System.Web;
using System.Web.UI;

public class MyBasePage : System.Web.UI.Page {

    override void OnLoad(System.EventArgs e) {
        if (User.Identity.IsAuthenticated == false) {
            Response.Redirect("Login.aspx");
        }
    }

}

2) Declare protected pages like this:

public class ProtectedPage : MyBasePage {
}

3) Declare public pages like this:

public class PublicPage : System.Web.UI.Page {
}

If your user isn't logged in and goes to a protected page he will be
redirected to the login page. Any page that derives from System.Web.UI.Page
will let everyone see it. In your Web.config make sure your <authorization>
tag looks like this:

<authorization>
<allow users="*" />
</authorization>

Here is a tutorial on roles based:

http://www.xoc.net/works/tips/forms-authentication.asp

Roles based lets you protect entire folders based on user type. You still
have them sign up and when they do you assign them a role. With the code
above you can implement it the way they are doing it in your example. Good
luck! Ken.
 
I did exactly as you said - but I get the following errors:
CODE - in MyBasePage
override void OnLoad(System.EventArgs e)
{
    if (User.Identity.IsAuthenticated == false)
    {
        Response.Redirect("Login.aspx");
    }
}
ERROR - MyBasePage.OnLoad(System.EventArgs) : virtual or abstract members
cannot be private

CODE - in MyBasePage
public override void OnLoad(System.EventArgs e)
{
    if (User.Identity.IsAuthenticated == false)
    {
        Response.Redirect("Login.aspx");
    }
}
ERROR - MyBasePage.OnLoad(System.EventArgs) : cannot change access modifiers
when overriding 'protected' inherited member
'System.Web.UI.Control.OnLoad(System.EventArgs)

I like your suggestion - and I know we are close.
Thanks again,
Paul

==========================================================
 
Hi Paul,

Try:

protected override void OnLoad(System.EventArgs e)

Instead of:

override void OnLoad(System.EventArgs e)

I think it needs to be that, this way derived classes can call it. You also
might need to put: MyBase.OnLoad(e) as the first line in the page load event
of your derived classes but I'm not totally sure. I'm also not sure if C#
uses MyBase or something else to reach its parent class. Ken.
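Ken's three-step base-page approach and the `protected override` fix from his last reply, written out together as an added example (not code from either poster). It assumes the FGC namespace from Paul's pages, that Login.aspx is the login page, and that Web.config contains the `<allow users="*" />` authorization shown earlier so ASP.NET itself does not intercept anonymous requests.

```csharp
using System;
using System.Web;
using System.Web.UI;

namespace FGC
{
    // Base class for every page that requires a logged-in user.
    public class MyBasePage : Page
    {
        // Control.OnLoad is 'protected virtual', so the override must be
        // 'protected' as well: no modifier means private, and 'public'
        // changes the access level (the two compiler errors quoted above).
        protected override void OnLoad(EventArgs e)
        {
            if (!User.Identity.IsAuthenticated)
            {
                // Pass the requested URL along so Login.aspx can send the
                // user back afterwards (Login.aspx assumed, as in the thread).
                string returnUrl = HttpUtility.UrlEncode(Request.RawUrl);
                Response.Redirect("Login.aspx?ReturnUrl=" + returnUrl, true);
                return; // nothing below runs for an anonymous visitor
            }

            // C# reaches the parent with 'base', not VB's 'MyBase'. Without
            // this call the Load event never fires and Page_Load in every
            // derived page is skipped silently.
            base.OnLoad(e);
        }
    }

    // Protected page: anonymous visitors are bounced to Login.aspx.
    public class ProtectedPage : MyBasePage
    {
        protected override void OnInit(EventArgs e)
        {
            // Same wiring the Web Form Designer generates in Login.aspx.cs.
            this.Load += new EventHandler(this.Page_Load);
            base.OnInit(e);
        }
        private void Page_Load(object sender, EventArgs e)
        {
            // Reached only for authenticated users.
        }
    }

    // Public page: anyone can view it, logged in or not.
    public class PublicPage : Page { }
}
```

On the login side, FormsAuthentication.RedirectFromLoginPage(UserEMail.Text, false) in place of SetAuthCookie plus the fixed Response.Redirect("MainPic.aspx") honours that ReturnUrl.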
 