restrict access to folder by Membership Role

  • Question

  • User-1242214802 posted

    Hi All: I have an ASP.NET 2.0 membership website, with roles assigned to specific users. I've been using the following rules in web.config in each folder to restrict access:

    <?xml version="1.0"?>
    <configuration>
        <system.web>
          <authorization>
            <allow roles="admin,mgr"/>
            <deny users="*, ?"/>
          </authorization>
        </system.web>
    </configuration>
    

    what I just discovered is that a user that I've assigned to a different role, say "editors", can still access this folder after they log in. Shouldn't the ACL above prevent them from accessing an aspx file in that folder?

    Monday, May 9, 2016 9:07 PM

Answers

  • User-1636183269 posted

    Please try:

    <location path="FolderName">
        <system.web>
          <authorization>
            <allow roles="admin,mgr"/>  <!-- allows users in the admin and mgr roles -->
            <deny users="*"/>           <!-- denies everyone else -->
          </authorization>
        </system.web>
    </location>

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, May 10, 2016 12:43 AM

All replies

  • User-1716253493 posted

    AFAIK, to allow admin and manager only is like this

            <authorization>
              <!-- only members of admin or mgr get in -->
              <allow roles="admin,mgr"/>
              <deny users="*" />
            </authorization>

            <authorization>
              <!-- variant: the single account "someone" is allowed as well -->
              <allow roles="admin,mgr"/>
              <allow users="someone"/>
              <deny users="*" />
            </authorization>

    Allow logged-in users only

            <authorization>
                <!-- "?" matches anonymous (unauthenticated) requests -->
                <deny users="?" />
            </authorization>

    To allow all (logged in or not)

            <authorization>
                <allow users="*" />
            </authorization>

    Tuesday, May 10, 2016 12:49 AM
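    The rule sets above all rely on one property of ASP.NET URL authorization: rules are checked top to bottom and the first rule that matches the caller decides, with the rules closest to the requested folder (a per-folder web.config or a matching `<location>` block) evaluated before the rules of the parent configuration. The following Python script, added here as an illustration and not code from the thread or from ASP.NET itself, parses web.config fragments with the standard library and simulates that evaluation. The folder name `Secure`, the users `bob` and `alice`, and the role `editors` are constructed for the example; the first fragment is the asker's configuration as posted.

```python
"""Simulate ASP.NET URL authorization: rules are checked top to bottom and the
first rule that matches the caller decides. Added example, not code from the
thread; the folder name "Secure" and the users/roles below are assumptions."""
import xml.etree.ElementTree as ET

# Constructed: the asker's per-folder web.config, reproduced from the thread.
FOLDER_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="admin,mgr"/>
      <deny users="*, ?"/>
    </authorization>
  </system.web>
</configuration>"""

# Constructed: the same rules kept in the root web.config via <location>,
# plus a site-wide "authenticated users only" rule.
ROOT_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <location path="Secure">
    <system.web>
      <authorization>
        <allow roles="admin,mgr"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <system.web>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>
</configuration>"""

# Constructed: a common mistake, deny placed before allow.
REVERSED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
      <allow roles="admin,mgr"/>
    </authorization>
  </system.web>
</configuration>"""


def _split(attr):
    """Comma-separated attribute value -> list of trimmed, lower-cased names."""
    return [x.strip().lower() for x in attr.split(",") if x.strip()]


def load_rules(config_xml, folder=None):
    """Return (action, users, roles) rules in the order ASP.NET applies them to a
    request under `folder`: rules from a matching <location path=...> block are
    evaluated before the configuration's own <system.web> rules."""
    root = ET.fromstring(config_xml)
    scopes = []
    if folder is not None:
        for loc in root.findall("location"):
            if loc.get("path", "").strip("/").lower() == folder.strip("/").lower():
                scopes.append(loc)
    scopes.append(root)
    rules = []
    for scope in scopes:
        auth = scope.find("./system.web/authorization")
        if auth is None:
            continue
        for el in auth:
            if el.tag in ("allow", "deny"):
                rules.append((el.tag, _split(el.get("users", "")), _split(el.get("roles", ""))))
    return rules


def rule_matches(rule, user, roles):
    """ASP.NET identity matching: "*" is everyone, "?" is anonymous only,
    names are compared case-insensitively; anonymous users hold no roles."""
    _, users, rule_roles = rule
    authenticated = user is not None
    for u in users:
        if u == "*" or (u == "?" and not authenticated) or (authenticated and u == user.lower()):
            return True
    if authenticated:
        held = {r.lower() for r in roles}
        return any(r in held for r in rule_roles)
    return False


def is_authorized(rules, user, roles=()):
    """First matching rule wins. If nothing matches, the machine-level root
    web.config's <allow users="*"/> applies, so the request is allowed."""
    for rule in rules:
        if rule_matches(rule, user, roles):
            return rule[0] == "allow"
    return True


if __name__ == "__main__":
    folder_rules = load_rules(FOLDER_WEB_CONFIG)
    print("editor in folder:", is_authorized(folder_rules, "bob", ["editors"]))  # False
    print("admin in folder: ", is_authorized(folder_rules, "alice", ["admin"]))  # True
    print("anonymous:       ", is_authorized(folder_rules, None))                # False
    print("admin, reversed: ", is_authorized(load_rules(REVERSED_WEB_CONFIG), "alice", ["admin"]))  # False
```

    Run against the asker's fragment the simulation denies a user whose only role is `editors`, which is the behaviour the rules should produce; if the live site still lets such a user in, the rules are not being applied to the request (the file is being served outside the pipeline, a more specific rule set is shadowing them, or the user really is in `admin` or `mgr`), not misread. The reversed fragment shows why order matters: `<deny users="*"/>` first locks out the admins the next line was meant to admit.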
  • User465171450 posted

    Also, keep in mind that these aren't ACLs, as that is only NTFS based. Also, the rules work in conjunction with an authentication provider that you need to set up, usually the membership provider. Lastly, only files that are processed through the ASP.Net pipeline will be protected. Don't expect Word docs or any other file there to be protected unless you have static content running through the pipeline.

    Tuesday, May 10, 2016 2:27 AM
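    The last point in the reply above is the one most often missed: `<authorization>` rules are enforced by the managed `UrlAuthorizationModule`, so a static file that IIS serves itself never sees them. The fragment below is an added example, not configuration from the thread; it assumes IIS 7 or later running the site in the integrated pipeline mode, a protected folder named `Private`, and Word documents with the `.docx` extension. Mapping that extension to the managed `System.Web.StaticFileHandler` turns those requests into managed requests, so the same rules that guard the `.aspx` pages apply to the documents.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Rules for the protected folder, kept in the root web.config. -->
  <location path="Private">
    <system.web>
      <authorization>
        <allow roles="admin,mgr"/>
        <deny users="*"/>
      </authorization>
    </system.web>
    <system.webServer>
      <handlers>
        <!-- Serve .docx through the managed static-file handler so the request
             goes through the ASP.NET pipeline and UrlAuthorization runs on it.
             Folder name and extension are assumptions for this example. -->
        <add name="ProtectedDocx" path="*.docx" verb="GET,HEAD"
             type="System.Web.StaticFileHandler" />
      </handlers>
    </system.webServer>
  </location>
</configuration>
```

    The blanket alternative is `<modules runAllManagedModulesForAllRequests="true" />` under `<system.webServer>`, which makes every managed module run for every request at the cost of extra work on each image and stylesheet; the per-extension mapping is the narrower change. On IIS 6 or classic pipeline mode the extension must additionally be mapped to `aspnet_isapi.dll` in the IIS script map, since otherwise the request never reaches ASP.NET at all. The check in either case is the same: request a document in the folder without logging in and expect the login redirect (or a 401), not a 200 with the file.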
  • User-1242214802 posted

    Hi Mark: I'm using the ASPNET 2.0 Membership and Roles providers.

    With my configuration above, a user in the "editors" role is still able to access ASPX files in this folder.

    My access rules are in a web.config in the folder.

    Tuesday, May 10, 2016 2:44 PM
  • User-1242214802 posted

    Thanks Sandeep...I tried it and it made no difference. Bear in mind that the web.config file with the authorization rules is in the same folder I'm trying to protect, so I am not using the "location path".

    Tuesday, May 10, 2016 2:47 PM
  • User475983607 posted

    It's been a long time since I used ASP Membership provider but what you have shown should work.  Have you verified the user is not in the admin or mgr role?  

    Tuesday, May 10, 2016 2:52 PM
  • User-1242214802 posted

    Sandeep: I tried deleting the web.config from the child folder, and moving the authorization rules to the root web.config using the "location" parameter, and this seemed to work.

    Tuesday, May 10, 2016 3:02 PM