I need an area in my website where only certain users can view.

What I did was create a Video folder. Under that folder I have folders, one called Login and the other called WatchVid. In the Login folder I have a page called Login.aspx. Once the user logs in they will then go to /WatchVid/Watch.aspx. Below is a representation:

    Video Folder
    |
    |----> Login Folder
    |        |
    |        ---> Login.aspx
    |
    |----> WatchVid Folder
             |
             ---> Watch.aspx

I have the following web config file in my WatchVid to only allow roles that have VidUser to view the page:

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="VidUser" />
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

What I am finding is that even if I change:

    <allow roles="VidUser" />

To:

    <allow roles="VidUser1" />

I can still get to the Watch.aspx page even though I do not have a role of VidUser1.

Am I doing something wrong?

Just as a reference, below is the code I use once the user logs in with their userid, pwd:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Redirect to the protected page only if the entered user name is in the StreamingUser role.
        if (Roles.IsUserInRole(txtUserName.Text, "StreamingUser"))
        {
            const string url = "~/Video/WatchVid/Watch.aspx";
            Response.Redirect(url);
        }
    }

Stephan, I have the following in my root web.config page but it is still letting me get to the Watch.aspx page:

    <location path="Video/WatchVid">
      <system.web>
        <authorization>
          <allow roles="StreamingUser1dfdfdfd" />
          <deny users="?" />
        </authorization>
      </system.web>
    </location>

Note how I created a dummy role of StreamingUser1dfdfdfd just to check it out. I am still able to get to the Watch.aspx page.

Mike:

I have the following under my WatchVid folder but I am getting an access error when I do it with *. Any idea?

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="StreamingUser" />
          <deny users="*" />
        </authorization>
      </system.web>
    </configuration>

I get the following message: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

Keep in mind that this still works:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Redirect to the protected page only if the entered user name is in the StreamingUser role.
        if (Roles.IsUserInRole(txtUserName.Text, "StreamingUser"))
        {
            const string url = "~/Video/WatchVid/Watch.aspx";
            Response.Redirect(url);
        }
    }

But now it will not let me through to the Watch.aspx page as I get an error.

2 Answers

0

You'll want to change

<deny users="?"/> 

to

<deny users="*"/> 

* means it is denied to everyone. Then your allow roles lets in the right roles.

? means it is denied to unauthenticated users. Since you are authenticated, you aren't denied.

9 Comments

Thanks Mike. Where do I put my web.config? Can I put it in the WatchVid folder like I have it now?
@NatePet that is a fine place to put it. I prefer doing it that way rather than to put it in root config with the location paths.
Mike, I am getting an error. I put some comments above next to your name. Any idea why it is blocking me from viewing the page now? I get an authentication error. Thanks
@NatePet In the button click function you show, you are not setting an authentication cookie... so the fix is going to depend on how you authenticate people and do role management... it could be as easy as doing FormsAuthentication.SetAuthCookie(txtUserName.Text, true).
@NatePet but the system is appropriately denying you access... so it means you aren't logged in or aren't in the right role.
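
Why both observations in this thread occur, as an added example that is not part of the original answers or comments: a simplified C# model of how ASP.NET URL authorization walks the rule list (first match wins, with the inherited default `<allow users="*" />` at the end). The `Rule` class, the `IsAllowed` helper and the user name `nate` are constructed for illustration; named-user rules and verbs are left out.

```csharp
using System;
using System.Linq;

// Simplified model of ASP.NET URL authorization (illustration only, not ASP.NET's own code).
class Rule
{
    public bool Allow; public string Users; public string Roles;
    public Rule(bool allow, string users = null, string roles = null)
    { Allow = allow; Users = users; Roles = roles; }

    // "*" matches everyone, "?" matches anonymous requests, roles match by membership.
    public bool Matches(string user, string[] userRoles)
    {
        if (Users == "*") return true;
        if (Users == "?") return user == null;
        return Roles != null && Roles.Split(',').Any(r => userRoles.Contains(r));
    }
}

static class Demo
{
    // Inherited from machine-level configuration: the rule list ends with <allow users="*" />.
    static readonly Rule InheritedDefault = new Rule(true, users: "*");

    // Rules are checked top to bottom, folder rules first; the first match decides.
    static bool IsAllowed(Rule[] folderRules, string user, string[] roles)
    {
        foreach (var rule in folderRules.Concat(new[] { InheritedDefault }))
            if (rule.Matches(user, roles)) return rule.Allow;
        return false;
    }

    static void Main()
    {
        var denyAnonymous = new[] { new Rule(true, roles: "VidUser1"), new Rule(false, users: "?") };
        var denyEveryone = new[] { new Rule(true, roles: "StreamingUser"), new Rule(false, users: "*") };
        var noRoles = new string[0];
        var streaming = new[] { "StreamingUser" };   // constructed sample role list

        // Logged in but not in VidUser1: no folder rule matches, so the inherited allow applies.
        Console.WriteLine(IsAllowed(denyAnonymous, "nate", streaming));
        // user == null models a request without an auth cookie: denied by "?" and by "*".
        Console.WriteLine(IsAllowed(denyAnonymous, null, noRoles));
        Console.WriteLine(IsAllowed(denyEveryone, null, noRoles));
        // With deny "*", only a logged-in user holding the role gets through.
        Console.WriteLine(IsAllowed(denyEveryone, "nate", streaming));
        Console.WriteLine(IsAllowed(denyEveryone, "nate", noRoles));
    }
}
```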
0

Use a location tag at the outermost (root) web.config file.

EDIT to show a (adapted) working example from one of our applications:

    <authorization>
      <allow users="?" />
    </authorization>

    <location path="Login.aspx">
      <system.web>
        <authorization>
          <allow users="*" />
        </authorization>
      </system.web>
    </location>

    <location path="Videos/WatchVid">
      <system.web>
        <authorization>
          <allow roles="VidUser" />
          <deny users="?" />
        </authorization>
      </system.web>
    </location>

5 Comments

Thanks Stephan, I tried but still have no luck. Please look above. I put comments above with your name to reference. Thanks for your help
hmm. I've copied this one from a working application. Do you have a generic authorization tag with deny users='?' missing?
Just so I am on the same page, I took away the web.config that was in my WatchVid and moved the code with the tweaks you mentioned to the root. I still have the <deny users="?" /> there as you can see. Please let me know if I am doing it right. As mentioned, at this point, I only have 1 web.config file and that one is in the root.
I've updated the answer to show more details on our (working) environment.
Thanks Stephan, Still not working - So you just have 1 web.config file in your root. None in your subfolder, huh? I would be interested to know if you changed what the allow roles were to something bogus if it would still work like it is for me. Thanks again.
