authorization based on url parameters

  • Thread starter Thread starter xke
  • Start date Start date
X

xke

Using web.config authorization settings, is it possible to allow my
users to access default.aspx but not default.aspx?action=edit ??

<location path="default.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>

Thanks

xke
 
If you don't want your users to use it, then why is it there?

If you mean that you only want a certain type of user to be able to use it,
then it seems to me that you need role-based authorisation. This is
probably most easily done by using forms authentication. Once you have
obtained the roles (from a database or whatever) for the user, you can use
attributes on your classes and/or methods to determine which types of user
can do what (e.g. you can use attributes to ensure that a user trying to
access the edit functionality is both logged in and a member of the "edit"
role (or whatever you might like to call it)). If they are not
authenticated, a SecurityException will be thrown - which you must make sure
to catch (probably in Global.aspx).

HTH


Peter
 
Hi Peter,

True, sorry, I only want users with certain roles to be able to access
the page.
So, only let's say, Role:Admin will be able to access default.aspx?
action=edit

I was wondering if this can be done only by using web.config settings,
something like

<location path="default.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>

<location path="default.aspx?action=edit">
<system.web>
<authorization>
<allow roles ="Admin" />
<deny users="?" />
</authorization>
</system.web>
</location>

About the last setting I've added of course it won't work, as path
attribute will only accept virtual paths with no querystring
parameters.

Thanks
 
You might be able to (although I can't see how the role information is being
transmitted), but the only sure way I know of, is to use Forms
authentication.

Others may know better.

Cheers


Peter
 
If you have a method that is calling the "edit" command based on what your
action querystring is equal to, you could just use:

If (Roles.IsUserInRole("Admin"))
{
\\ Do whatever it is that they have access to, get forwarded to, etc.

}

Else, leave the Visible=false set on those objects.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Blocking Direct URL Access through web config 1
location element in web.config 1
Protecting files 1
validaing security using AD groups... in web.config 2
Role authorization, if denied access, how NOT to kick back to login? 7
Role base security and RedirectUrl 3
Help with <location> element in web.config 2
customErrors mode="Off" 2

Back
Top