Web.Config Question

C

Craig Pearson

Hi

I have a web site that uses forms authenication. Once a user is authenicated their role is writtern into the ticket (FormsAuthenticationTicket), then into a HttpCookie object.

I have set up the following in web.config
<customErrors defaultRedirect="GenericError.htm" mode="RemoteOnly">
<error statusCode="401" redirect="InsufficientAccess.apsx "/>
<error statusCode="403" redirect="InsufficientAccess.apsx "/>
</customErrors>

Further down in web config I have the following:

<location path="AdminPage.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="Admin" />
</authorization>
</system.web>
</location>

How do I set up access permissions only allowing users in the admin role permission to AdminPage.aspx, and all other users are to be redirected to the page as indicated by the <error ... /> section?

Craig
 
W

William F. Robertson, Jr.

Assuming you are using windows authentication.

<location path="AdminPage.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>

How this works is for page adminpage.aspx the application will allow users
in the Admin role to access the page, and then deny EVERYONE else.

The difference between the * and ? is * is ALL users. The ? is only
anonymous (or unauthenticated users).

Authoziation works top down, so it will look for a match in the order it is
listed. The allow must go before the deny everyone will be denied.

The way you had it would not allow any authenticated user to view the page,
then allow all users in the "admin" role to view the page, then allow
everyone else.

HTH,

bill

Hi

I have a web site that uses forms authenication. Once a user is
authenicated their role is writtern into the ticket
(FormsAuthenticationTicket), then into a HttpCookie object.

I have set up the following in web.config
<customErrors defaultRedirect="GenericError.htm" mode="RemoteOnly">
<error statusCode="401" redirect="InsufficientAccess.apsx "/>
<error statusCode="403" redirect="InsufficientAccess.apsx "/>
</customErrors>
Further down in web config I have the following:

<location path="AdminPage.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow roles="Admin" />
</authorization>
</system.web>
</location>
How do I set up access permissions only allowing users in the admin role
permission to AdminPage.aspx, and all other users are to be redirected to
the page as indicated by the <error ... /> section?

Craig
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

customerrors tag doesnt works 2
Question regarding detecting 404 Not Found 2
Custom Error Pages 2
customerrors page that errored and error? 1
web.config errors after adding <profile> section 1
encrypted connectionStrings web.config customErrors 2
Read <customErrors> element via VB.NET Code? 9
Incorrect Server Error in config file 3

Top