Web.Config Question

  • Thread starter: Craig Pearson

Craig Pearson

Hi

I have a web site that uses forms authentication. Once a user is authenticated their role is written into the ticket (FormsAuthenticationTicket), then into a HttpCookie object.

I have set up the following in web.config
<customErrors defaultRedirect="GenericError.htm" mode="RemoteOnly">
  <error statusCode="401" redirect="InsufficientAccess.aspx" />
  <error statusCode="403" redirect="InsufficientAccess.aspx" />
</customErrors>

Further down in web config I have the following:

<location path="AdminPage.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow roles="Admin" />
    </authorization>
  </system.web>
</location>

How do I set up access permissions only allowing users in the admin role permission to AdminPage.aspx, and all other users are to be redirected to the page as indicated by the <error ... /> section?

Craig
 
Assuming you are using Windows authentication.

<location path="AdminPage.aspx">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

How this works is for page adminpage.aspx the application will allow users
in the Admin role to access the page, and then deny EVERYONE else.

The difference between the * and ? is * is ALL users. The ? is only
anonymous (or unauthenticated users).

Authorization works top down, so it will look for a match in the order it is
listed. The allow must go before the deny, or everyone will be denied.

The way you had it would not allow any authenticated user to view the page,
then allow all users in the "admin" role to view the page, then allow
everyone else.

HTH,

bill
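
Added example (not part of either post, and not ASP.NET's own code): a small Python model of the top-down, first-match rule evaluation discussed in this thread, run over the two <authorization> blocks posted above. It assumes the only inherited rule is the framework default <allow users="*" />; the user name craig and all function names are made up for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs: the two <authorization> blocks from this thread.
QUESTION_RULES = """<authorization>
  <deny users="?" />
  <allow roles="Admin" />
</authorization>"""

ANSWER_RULES = """<authorization>
  <allow roles="Admin" />
  <deny users="*" />
</authorization>"""

# Assumption: nothing is inherited except the default <allow users="*" />.
INHERITED_DEFAULT = [("allow", {"users": "*"})]


def parse_rules(xml_text):
    """Return [(action, attributes)] in document order."""
    return [(el.tag, dict(el.attrib)) for el in ET.fromstring(xml_text)]


def rule_matches(attrs, user, roles):
    """user is None for an anonymous request; names are compared literally here."""
    for name in (n.strip() for n in attrs.get("users", "").split(",")):
        if name == "*" or (name == "?" and user is None) or (name and name == user):
            return True
    wanted = {r.strip() for r in attrs.get("roles", "").split(",") if r.strip()}
    return bool(wanted & set(roles))


def is_allowed(xml_text, user, roles=()):
    """The first matching rule decides; local rules come before inherited ones."""
    for action, attrs in parse_rules(xml_text) + INHERITED_DEFAULT:
        if rule_matches(attrs, user, roles):
            return action == "allow"
    return False


def decisions(xml_text):
    """Outcome for the three kinds of caller relevant to AdminPage.aspx."""
    return {
        "anonymous": is_allowed(xml_text, None),
        "signed-in, no Admin role": is_allowed(xml_text, "craig"),
        "signed-in, Admin role": is_allowed(xml_text, "craig", ["Admin"]),
    }
```

Calling decisions(QUESTION_RULES) and decisions(ANSWER_RULES) side by side shows which callers each rule order lets through to the page.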
