Login via roles

  • Question

  • User-1767698477 posted

    I have spent hours reading articles on this. Scott Mitchell explains membership with his Security Tutorials article.  I did all this and I'm trying to get his code to redirect based on the ROLE of the user. I'm able to get the redirection, with the following:

    Partial Class Login
        Inherits System.Web.UI.Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            If Not Page.IsPostBack Then
                If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
                    ' This is an unauthorized, authenticated request...
                    Response.Redirect("~/UnauthorizedAccess.aspx")
                    If Request.IsAuthenticated AndAlso Roles.IsUserInRole("Originator") = True Then
                        Dim originator As Boolean = Roles.IsUserInRole("Originator")
                        Response.Redirect("~/users/Default.aspx")
                        Dim processor As Boolean = Roles.IsUserInRole("Processor") = True
                    ElseIf Request.IsAuthenticated AndAlso Roles.IsUserInRole("Processor") = True Then
                        Response.Redirect("~/users2/default.aspx")
                    End If
                End If
            End If
        End Sub

        'Protected Sub LoginButton_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles LoginButton.Click
        '    ' Validate the user against the Membership framework user store
        '    If Membership.ValidateUser(UserName.Text, Password.Text) Then
        '        ' Log the user into the site
        '        FormsAuthentication.RedirectFromLoginPage(UserName.Text, RememberMe.Checked)
        '    End If
        '
        '    ' If we reach here, the user's credentials were invalid
        '    InvalidCredentialsMessage.Visible = True
        'End Sub

        Protected Sub myLogin_Authenticate(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.AuthenticateEventArgs) Handles myLogin.Authenticate
            ' Get the email address entered
            Dim EmailTextBox As TextBox = CType(myLogin.FindControl("Email"), TextBox)
            Dim email As String = EmailTextBox.Text.Trim()

            ' Verify that the username/password pair is valid
            If Membership.ValidateUser(myLogin.UserName, myLogin.Password) Then
                If Roles.IsUserInRole(myLogin.UserName, "Originator") Then
                    Response.Redirect("~/users/default.aspx")
                ElseIf Roles.IsUserInRole(myLogin.UserName, "Processor") Then
                    Response.Redirect("~/users2/default.aspx")
                    ' Username/password are valid, check email
                    ' Dim usrInfo As MembershipUser = Membership.GetUser(myLogin.UserName)
                    'If usrInfo IsNot Nothing AndAlso String.Compare(usrInfo.Email, email, True) = 0 Then
                    ' Email matches, the credentials are valid
                    e.Authenticated = True
                Else
                    ' Email address is invalid...
                    e.Authenticated = False
                End If
                ' Else
                ' Username/password are not valid...
                e.Authenticated = False
            End If

        End Sub

        Protected Sub myLogin_LoginError(ByVal sender As Object, ByVal e As System.EventArgs) Handles myLogin.LoginError
            ' Determine why the user could not login...
            myLogin.FailureText = "Your login attempt was not successful. Please try again."

            ' Does there exist a User account for this user?
            Dim usrInfo As MembershipUser = Membership.GetUser(myLogin.UserName)
            If usrInfo IsNot Nothing Then
                ' Is this user locked out?
                If usrInfo.IsLockedOut Then
                    myLogin.FailureText = "Your account has been locked out because of too many invalid login attempts. Please contact the administrator to have your account unlocked."
                ElseIf Not usrInfo.IsApproved Then
                    myLogin.FailureText = "Your account has not yet been approved. You cannot login until an administrator has approved your account."
                End If
            End If
        End Sub
    End Class

    And I have the following in the /users folder and /users2 folder.

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Originator" />
        </authorization>
      </system.web>
    </configuration>

    Users2 folder

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <authorization>
          <allow roles="Processor" />
        </authorization>
      </system.web>
    </configuration>

    I tried adding <deny users="*" /> right below the allow roles="Processor" and I would NOT get directed into the folder.

    So leaving things as they are without the <deny users="*" /> I can get into the folder and the system seems to recognize the user has the role, but if I go into my browser url window and remove the 2 from users2 and try to go into just /users, it lets me in!!! It's not supposed to do that....

    So why is this happening?

    Besides this issue, I have a separate Siteuser table in which I store the user name password and about 20 other fields including the active boolean field. This user doesn't get activated until the user clicks a link in the activation email that he receives. How should I integrate my existing Siteuser table with these membership and roles tables? I have spent lots of time coding my site. I really don't want to say that my table is "obsolete" because I'm using this sqlmembership thing. It should be able to work alongside my existing db.

    Also, Scott Mitchell in his tutorial checks the email address. Why does he do this?  In about 99 out of 100 websites which require authentication, it's just a username and password to login. I understand that it is added security but actually I think that might frustrate people to have to enter 3 pieces of information to login. Does anyone agree with me?

    Monday, May 4, 2020 1:27 AM

Answers

  • User-943250815 posted

    In Page_Load try this way

    If Not Page.IsPostBack Then
          If Request.IsAuthenticated AndAlso Not String.IsNullOrEmpty(Request.QueryString("ReturnUrl")) Then
            If Request.IsAuthenticated AndAlso Roles.IsUserInRole("Originator") = True Then
              Dim originator As Boolean = Roles.IsUserInRole("Originator")
              Response.Redirect("~/users/Default.aspx")
              Dim processor As Boolean = Roles.IsUserInRole("Processor") = True
            ElseIf Request.IsAuthenticated AndAlso Roles.IsUserInRole("Processor") = True Then
              Response.Redirect("~/users2/default.aspx")
            End If
          Else
            ' This is an unauthorized, authenticated request...
            Response.Redirect("~/UnauthorizedAccess.aspx")
          End If
        End If

    In web.config, place back <deny users="*" />
    As the 3rd note in https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/role-based-authorization-cs says:
    "If your URL authorization rules do not include a <deny> element, all users will be granted access."

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, May 4, 2020 3:39 PM
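The answer's point, that an <allow roles="..."> rule on its own lets everyone in, follows from how ASP.NET evaluates URL authorization: rules are tried top to bottom, the first rule matching the requesting user decides, a folder's own rules are checked before those inherited from parent web.config files, and the chain ends with the machine-level default <allow users="*" />. The following Python model is an added example written for this thread, not code from the forum posts or from Microsoft; it reproduces those semantics over two constructed web.config samples for the /users2 folder (the one the question posted, and the same file with the <deny users="*" /> the answer asks for) and shows why a user in the Originator role gets into /users2 with the first and is refused with the second.

```python
"""Model of ASP.NET URL authorization (first matching <allow>/<deny> rule wins).

Added example for the thread above, not code from the posts or from Microsoft.
Assumed semantics (as documented for UrlAuthorizationModule): rules are read in
document order, the first rule matching the user decides, subfolder rules come
before inherited ones, and the implicit final rule is <allow users="*" />.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Rule = Tuple[str, List[str], List[str]]  # (action, users, roles)

# Constructed sample: the /users2 web.config as posted in the question (no <deny>).
USERS2_WEAK = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Processor" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed sample: the same folder with the <deny users="*" /> the answer recommends.
USERS2_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Processor" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Implicit rule that ends every chain (root web.config / machine.config default).
MACHINE_DEFAULT: Rule = ("allow", ["*"], [])


@dataclass
class Principal:
    name: Optional[str]                 # None models an anonymous request
    roles: Set[str] = field(default_factory=set)

    @property
    def is_authenticated(self) -> bool:
        return self.name is not None


def parse_rules(web_config: str) -> List[Rule]:
    """Extract the <authorization> rules of one web.config, in document order."""
    root = ET.fromstring(web_config.encode("utf-8"))
    auth = root.find("./system.web/authorization")
    rules: List[Rule] = []
    for el in [] if auth is None else auth:
        if el.tag not in ("allow", "deny"):
            continue
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def matches(rule: Rule, who: Principal) -> bool:
    """Does the rule apply to this principal? '*' = everyone, '?' = anonymous only."""
    _, users, roles = rule
    for u in users:
        if u == "*" or (u == "?" and not who.is_authenticated):
            return True
        if who.is_authenticated and u.lower() == who.name.lower():
            return True
    return any(r in who.roles for r in roles)


def is_allowed(who: Principal, *configs: str) -> bool:
    """First-match evaluation: folder rules, then parent rules, then the default."""
    chain: List[Rule] = []
    for cfg in configs:                 # most specific folder first, site root last
        chain.extend(parse_rules(cfg))
    chain.append(MACHINE_DEFAULT)
    for rule in chain:
        if matches(rule, who):
            return rule[0] == "allow"
    return True                         # unreachable: the default matches everyone


def demo() -> dict:
    """Outcomes for the three kinds of visitor the thread is concerned with."""
    originator = Principal("alice", {"Originator"})   # constructed test users
    processor = Principal("bob", {"Processor"})
    anonymous = Principal(None)
    return {
        # No folder rule matches an Originator, so the inherited
        # <allow users="*" /> lets her into /users2: the symptom in the question.
        "originator_weak": is_allowed(originator, USERS2_WEAK),
        "originator_fixed": is_allowed(originator, USERS2_FIXED),
        "processor_fixed": is_allowed(processor, USERS2_FIXED),
        "anonymous_fixed": is_allowed(anonymous, USERS2_FIXED),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The same reasoning explains the question's other symptom: the /users folder contains only <allow roles="Originator" />, so a Processor who edits the URL is matched by nothing there and falls through to the inherited allow-all rule. Each protected folder needs its own trailing <deny users="*" />, and the redirect after login must then send each role to the folder it is actually allowed into, which is what the reordered Page_Load in the answer does.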