Web.config <allow roles="Admin"/> not working

  • Question

  • User507956310 posted

    Hi Guys,
    I have done forms authentication a couple of times before, but this time I can't get my head around something.
    Somehow, although the user is authenticated, the destination page does not get this.
    The destination page is called Approval.aspx and is located in the /Admin directory, which is secured
    by having its own web.config with these settings:

    <configuration>
      <system.web>
        <authorization>
          <allow users="philip"/>
          <allow roles="Admin"/>
          <deny users="?" />
        </authorization>
      </system.web>
    </configuration>

    If I remove the <deny users="?" />, then everything works fine, but obviously everyone has access to that page.
    I only want users in the Admin role to be able to access it. I have implemented the standard VS 2010 login control
    and the user gets to the destination page with a Response.Redirect:

        Protected Sub TranferBasedOnRoles(ByVal sender As Object, ByVal e As System.EventArgs) Handles LoginUser.LoggedIn
            Dim UserName As String = LoginUser.UserName
            ' First role of the user; throws IndexOutOfRangeException if the user has no roles
            Dim Role = Roles.GetRolesForUser(UserName)(0).ToString()
            ' Role is computed but never used; the redirect is unconditional (virtual paths use forward slashes)
            Response.Redirect("~/Admin/Approval.aspx")
            'Server.Transfer("~/Admin/Approval.aspx")
        End Sub

    Why does the destination page not realize that the user is authenticated and does not treat the user
    as a user in role "Admin"?

        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login.aspx" protection="All" timeout="10080"
                 name=".ASPXFORMSAUTH" path="/FormsAuth" requireSSL="false"
                 slidingExpiration="true" defaultUrl="default.aspx"
                 cookieless="UseCookies" enableCrossAppRedirects="false"/>
        </authentication>

    While debugging the login page I can see that the user has the right role "Admin".

    Sunday, February 6, 2011 5:57 AM

All replies

  • User1682618242 posted

    If I remove the <deny users="?" />,

    Replace it with this: <deny users="*"/>

    Sunday, February 6, 2011 6:53 AM
  • User507956310 posted

    Hello,

    Sorry for the late reply, but I actually had time to try it and it was not successful.

    If I had the following in the web.config, I was not able to get there
    after the login (just a redirect to the login).
    The URL becomes http://localhost:51797/Account/Login.aspx?ReturnUrl=%2fAdmin%2fApproval.aspx
    So it's a redirect, since I was not allowed to access approval.aspx.


    <configuration>
      <system.web>
        <authorization>
          <allow roles="Admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

    If I removed the <deny users="*"/>, then everyone could access the page.
    Even if I include an <allow users="myusername"/>, it does not let me access the page in the
    secured directory.

    Regards,
    metalray

    Saturday, March 12, 2011 7:35 AM
  • User1682618242 posted

    Are you in the Admin role?

    Saturday, March 12, 2011 7:54 AM
  • User-1166871910 posted

    Hi Radu,
    Thanks for your input. You seem to be the top answerer on this discussion board :)
    Yes, and I am the user myusername, so I tried it two ways; at least one should work, right?
    When I go to the Web Site Administration Tool and click on Security, then "Manage Users",
    and click on "Edit Roles" for this user (I only have one user), then it shows
    "Add "myusername" to roles: [x] Admin".

    Have a nice Sunday,
    Bob

    Sunday, March 13, 2011 7:58 AM
  • User-2139489267 posted

    Could you post your URL authorization rules for the root web.config and the folder-specific web.config?

    I suspect you have <deny users="*"/> in your folder-specific web.config.

    Please check out the links below:

    http://www.asp.net/security/tutorials/user-based-authorization-cs

    http://www.asp.net/security/tutorials/role-based-authorization-cs


    Sunday, March 13, 2011 8:03 AM
  • User507956310 posted

    Hi nilsan,


    Thanks for the reply. Yes, in the folder-specific
    web.config of the folder I want to protect I have
    written <deny users="*"/>. As soon as I take it out it works, but
    I want to only allow access to the users in role Admin, and that causes problems
    (see above) :)

    Also thanks for the tutorials, but I have read those a million times; that's
    why I'm writing in the forum.
    "Consequently, if you want to restrict access to one or more user accounts, it is imperative that you use a <deny> element as the last element in the URL authorization configuration"
    That's what I am trying.

    I have not found a URL authorization rule in my root web.config, only the following (don't know if that helps):

        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login.aspx" protection="All" timeout="10080"
                 name=".ASPXFORMSAUTH" path="/FormsAuth" requireSSL="false"
                 slidingExpiration="true" defaultUrl="default.aspx"
                 cookieless="UseCookies" enableCrossAppRedirects="false"/>
        </authentication>

    PS: @metalray works on the same project so excuse the confusion

    Sunday, March 13, 2011 8:58 AM
  • User-2139489267 posted

    Add <allow roles="Admin"/> just before <deny users="*"/>. As you don't have a URL authorization rule in the root web.config, this will be applied and checked against a user in the Admin role. Do let us know; it should work without any issue.

    Sunday, March 13, 2011 12:36 PM
  • User-1166871910 posted

    Hi Nilsan.

    Thanks for that. I tried that already; see 5 posts above.

    Regards

    Bob.

    Monday, March 14, 2011 5:01 PM
  • User-2007136072 posted

    I seem to have a similar issue as posted in this thread.

    I've been following the MSN tutorial on authentication and authorization using the sql membership and roles approach on a specific web site in development. Everything works through allowing specific users and adding/deleting users, roles and users in roles until I get to the Role-based Authorization tutorial (http://www.asp.net/security/tutorials/role-based-authorization-vb).

    An authenticated user with role of Admin is denied access despite using <allow roles="Admin"/> followed by <deny users="*"/>. Also, <allow users="0000001"/> (that's the authenticated Admin user) works fine whether I add it to the folder's or a specific location's rules. It seems as though the user is authenticated as reflected in a login control. The rules for the folder recognized the authorization. The management pages recognize the user in the Admin role using the UserInRoles method.

    The web.config authentication roles in the "roles" folder are as follows:

    <configuration>
     <system.web>
      <authorization>
       <allow roles="Admin"/>
       <deny users="*"/>
      </authorization>
     </system.web>

     <!--Allow all users to visit RoleBasedAuthorization.aspx -->
     <location path="UsersAndRoles.aspx">
      <system.web>
       <authorization>
        <allow users="00000001"/>
        <deny users="*"/>
       </authorization>
      </system.web>
     </location>
    </configuration>

    I have no authorization rules in the root web.config file. The authentication and membership/role management sections of that file are as follows:

    <authentication mode="Forms">
      <forms loginUrl="~/secure/login.aspx"
             requireSSL="false"
             slidingExpiration="true"
             timeout="30"
             defaultUrl="~/secure/LoginProfileData.aspx"
             name="finaid"/>
    </authentication>

    <!-- membership provider -->
    <membership defaultProvider="FinAidSqlMembershipProvider">
      <providers>
      <clear/>
      <!-- Add a customized SqlMembershipProvider -->
      <add name="FinAidSqlMembershipProvider"
        type="System.Web.Security.SqlMembershipProvider, System.Web, Version=1.2.3400.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
        connectionStringName="SFAConnectionString"
        enablePasswordRetrieval="false"
        enablePasswordReset="true"
        requiresQuestionAndAnswer="false"
        applicationName="/"
        requiresUniqueEmail="true"
        passwordFormat="Hashed"
        maxInvalidPasswordAttempts="5"
        minRequiredPasswordLength="7"
        minRequiredNonalphanumericCharacters="0"
        passwordAttemptWindow="10"
        passwordStrengthRegularExpression=""/>
      </providers>
    </membership>

    <!-- profile provider -->
    <profile enabled="true" defaultProvider="FinAidSqlProfileProvider"
      automaticSaveEnabled="true">
      <providers>
        <remove name="FinAidSqlProfileProvider"/>
        <add name="FinAidSqlProfileProvider"
          type="System.Web.Profile.SqlProfileProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
          connectionStringName="SFAConnectionString"
          applicationName="/" />
      </providers>
      <properties>
        ... removed for brevity
      </properties>
    </profile>

    <anonymousIdentification
      enabled="false"
      cookieName=".ASPXANONYMOUS"
      cookieTimeout="43200"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      cookieProtection="All"
      cookieless="UseCookies"/>

    <!-- role provider -->
    <roleManager enabled="true" defaultProvider="FinAidSqlRoleProvider"
      cacheRolesInCookie="true"
      createPersistentCookie="false"
      cookieProtection="All">
      <providers>
       <add name="FinAidSqlRoleProvider"
         type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         applicationName="/"
         connectionStringName="SFAConnectionString"/>
      </providers>
    </roleManager>

    It would seem that this is the simple part. So what am I missing here? I'm using .net 3.5 and IIS7.

    Any thoughts would be helpful. Thanks.

    Thursday, June 9, 2011 11:25 AM
  • User-1247960265 posted
    Make sure to set runAllManagedModulesForAllRequests to true in addition to the location tag.

    Full web.config change for enabling access to a test folder:

        <configuration>
          <system.web>
            <authorization>
              <allow users="*" />
              <deny users="?" />
            </authorization>
          </system.web>

          <location path="test">
            <system.webServer>
              <security>
                <authentication>
                  <anonymousAuthentication enabled="true" />
                </authentication>
              </security>
            </system.webServer>
          </location>

          <system.webServer>
            <modules runAllManagedModulesForAllRequests="true" />
          </system.webServer>
        </configuration>

    Saturday, August 1, 2020 7:34 PM
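To check the rule ordering behind the three <authorization> blocks posted in this thread (the original question's block, the <allow roles="Admin"/> followed by <deny users="*"/> block, and the last reply's <allow users="*"/> followed by <deny users="?"/> block), here is an added Python model of ASP.NET URL authorization; it is not code from the thread or from ASP.NET itself. It assumes the documented semantics: rules are evaluated top to bottom, the first match decides, users="*" matches everyone, users="?" matches anonymous callers, and an authenticated user whose roles were not resolved (for example because <roleManager> is not enabled) matches no role rule and is caught by <deny users="*"/>, which is the symptom the posters describe.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class Caller:
    name: str = ""                           # "" means anonymous (not authenticated)
    roles: set = field(default_factory=set)  # empty if the role provider resolved nothing


def _names(attr: str) -> list:
    return [s.strip().lower() for s in attr.split(",") if s.strip()]


def rule_matches(rule: ET.Element, caller: Caller) -> bool:
    """An <allow>/<deny> element matches if its users or roles list covers the caller."""
    authenticated = bool(caller.name)
    for u in _names(rule.get("users", "")):
        if u == "*" or (u == "?" and not authenticated):
            return True
        if authenticated and u == caller.name.lower():
            return True
    held = {r.lower() for r in caller.roles}
    return any(r in held for r in _names(rule.get("roles", "")))


def is_allowed(config_xml: str, caller: Caller) -> bool:
    """First matching rule in <system.web><authorization> decides; no match means allow."""
    auth = ET.fromstring(config_xml).find("./system.web/authorization")
    for rule in (auth if auth is not None else []):
        if rule_matches(rule, caller):
            return rule.tag == "allow"
    return True  # inherited from the machine-level <allow users="*"/>


# Constructed copies of the three <authorization> blocks posted in the thread.
ADMIN_OR_PHILIP = """<configuration><system.web><authorization>
  <allow users="philip"/><allow roles="Admin"/><deny users="?"/>
</authorization></system.web></configuration>"""
ADMIN_ONLY = """<configuration><system.web><authorization>
  <allow roles="Admin"/><deny users="*"/>
</authorization></system.web></configuration>"""
ALL_THEN_DENY_ANON = """<configuration><system.web><authorization>
  <allow users="*"/><deny users="?"/>
</authorization></system.web></configuration>"""

if __name__ == "__main__":
    # Authenticated user whose roles did not resolve: denied by <deny users="*"/>.
    print(is_allowed(ADMIN_ONLY, Caller("philip", set())))       # False
    print(is_allowed(ADMIN_ONLY, Caller("philip", {"Admin"})))   # True
    print(is_allowed(ALL_THEN_DENY_ANON, Caller()))              # True: deny "?" is unreachable
```

Note that in the first block <deny users="?"/> only keeps anonymous callers out, so any authenticated user reaches the page, and in the last block <deny users="?"/> after <allow users="*"/> can never fire.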