Limit Page & Folder Access by roles and ip address in web.config

Question

User-1395768221 posted

Have a website with users and roles where I have set up "role" access as such:

<system.web>
<authorization>
<allow roles="admin" />
<allow roles="manager" />
<deny users="*" />
</authorization>
<system.web>

This works great. Now I would like to add one page which would be accessible from a specific IP address (without logging in as admin).

I tried:

<location path="MyPage.aspx">
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<clear/>
<add ipAddress="NNN.NNN.NNN.NNN" allowed="true"/>
</ipSecurity>
</security>
</system.webServer>
</location>

...but the "system.web" seems to be overriding everything.

So I need a combination:

Allow specific "roles" OR "specific IP address"

Any suggestions?

Answer 1

User475983607 posted

If it's just one page or action then check for the IP address in the page or action and redirect if the IP does not match the expected.

Answer 2

User-893317190 posted

Hi wgcampbell ,

You could override  system.web's authorization role  in  location node.

  <location path="MyPage.aspx">
  
    <system.web>

      <authorization>
    
     <allow users="*" />
      </authorization>
    </system.web>

  </location>

If authorization always has more priority than  ipaddress, I think you should  allow all access to your page  and then  match role and ipaddress  as  mgebhard has suggested.

You could check the user's role and match ip address using

User.IsInRole()
Request.UserHostAddress

Best regards,

Ackerly Xu