I have been developing a web application project. I have used the ASP.NET Membership API to apply security to the application. For security reasons I would like to limit page access based on Roles.
I have some pages in the root folder of my project and also a subfolder named Account. In the Account subfolder I have the following pages:
1. CreateRole.aspx
2. AssignRoleToUser.aspx
3. CreateAccount.aspx
4. ManageAccount.aspx
5. Login.aspx
In the root directory there are also some other pages. Now I want users whose Role is “Users” to be able to access these pages, but all other Roles, including Anonymous users, cannot access them. Any attempt to access these pages by an unauthorized role will redirect to the Login.aspx page in the Account subfolder. To do this, in my root folder I have added a Web.config file. In that file I have added the following configurations, which are given below.
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms
        defaultUrl="~/Default.aspx"
        loginUrl="~/Account/Login.aspx"
        slidingExpiration="true"
        timeout="120"
        protection="All"
        cookieless="UseCookies">
      </forms>
    </authentication>
    <machineKey
      decryption="AES"
      validation="SHA1"
      decryptionKey="1513F567EE75F7FB5AC0AC4D79E1D9F25430E3E2F1BCDD3370BCFC4EFC97A541"
      validationKey="32CBA563F26041EE5B5FE9581076C40618DCC1218F5F447634EDE8624508A129" />
    <roleManager enabled="true"
      defaultProvider="CJDMSConnectionStringSqlRoleProvider"
      cacheRolesInCookie="true"
      createPersistentCookie="false"
      cookieProtection="All">
      <providers>
        <add
          name="CJDMSConnectionStringSqlRoleProvider"
          type="System.Web.Security.SqlRoleProvider"
          applicationName="CJDMSApps"
          connectionStringName="CJDMSConnectionString"
          commandTimeout="120"/>
      </providers>
    </roleManager>
    <membership defaultProvider="CJDMSConnectionStringSqlMembershipProvider">
      <providers>
        <clear/>
        <add name="CJDMSConnectionStringSqlMembershipProvider"
          type="System.Web.Security.SqlMembershipProvider"
          connectionStringName="CJDMSConnectionString"
          enablePasswordRetrieval="false"
          enablePasswordReset="true"
          requiresQuestionAndAnswer="false"
          requiresUniqueEmail="true"
          passwordFormat="Hashed"
          maxInvalidPasswordAttempts="5"
          minRequiredPasswordLength="7"
          minRequiredNonalphanumericCharacters="0"
          passwordAttemptWindow="10"
          passwordStrengthRegularExpression=""
          applicationName="CJDMSApps"
        />
      </providers>
    </membership>
    <authorization>
      <allow roles="Users"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>
In the same way I want to limit access to the Account subfolder pages. I want users with the “Admin” Role to be able to access every page of this subfolder, but other users and roles cannot access these pages. However, I want only “anonymous” users to be able to access the “CreateAccount.aspx” and “Login.aspx” pages. In every other case, unauthorized access to the other pages will cause a redirect to the Login.aspx page in the Account subfolder. So I have added another Web.config file in this subfolder and added the following configurations, which are given below:
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin, Supervisors"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="CreateUserAccounts.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>
But the problem is that in both cases, whether accessing the root folder pages or the subfolder pages, it throws the following exception:
Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.
Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.
I cannot find any problem in my code. So can anyone help me find a suitable solution?
The connection string configuration is given below:
<connectionStrings>
  <add name="CJDMSConnectionString" connectionString="Data Source=.;Initial Catalog=CJDMS;Integrated Security=True" providerName="System.Data.SqlClient" />
</connectionStrings>
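As an added illustration (not code from the question), the following Python models how ASP.NET's UrlAuthorizationModule evaluates the rules quoted above: the first matching rule wins, <location> rules for a page come before the folder's own rules, and the child Web.config is checked before the root one. The principals alice and bob and their role memberships are constructed for the demonstration.

```python
"""Simulate ASP.NET UrlAuthorizationModule evaluation (first matching rule wins;
<location> rules before folder rules; child Web.config before parent)."""
import xml.etree.ElementTree as ET

# Constructed copy of the question's Account/Web.config, condensed onto fewer lines.
ACCOUNT_CFG = """<configuration>
  <system.web><authorization><allow roles="Admin, Supervisors"/><deny users="*"/></authorization></system.web>
  <location path="CreateUserAccounts.aspx"><system.web><authorization><allow users="?"/></authorization></system.web></location>
  <location path="Login.aspx"><system.web><authorization><allow users="?"/></authorization></system.web></location>
</configuration>"""
# The root Web.config <authorization> block from the question, wrapped in its parents.
ROOT_CFG = """<configuration><system.web><authorization>
  <allow roles="Users"/><deny users="*"/></authorization></system.web></configuration>"""

def _split(attr):
    # "Admin, Supervisors" -> ["admin", "supervisors"]; ASP.NET matches names case-insensitively
    return [s.strip().lower() for s in attr.split(",") if s.strip()]

def rules_for(config_xml, page):
    """Yield <allow>/<deny> elements of one Web.config in evaluation order."""
    root = ET.fromstring(config_xml)
    for loc in root.findall("location"):          # page-specific rules come first
        if loc.get("path", "").lower() == page.lower():
            yield from loc.findall("./system.web/authorization/*")
    yield from root.findall("./system.web/authorization/*")  # then folder-wide rules

def rule_matches(rule, user, roles):
    """user is None for an anonymous request; users='*' is everyone, '?' only anonymous."""
    for u in _split(rule.get("users", "")):
        if u == "*" or (u == "?" and user is None) or (user and u == user.lower()):
            return True
    # an anonymous request is never a member of any role
    return user is not None and any(r in roles for r in _split(rule.get("roles", "")))

def is_allowed(page, user, roles, configs):
    """configs is ordered child-first, e.g. [ACCOUNT_CFG, ROOT_CFG]; no match means allow."""
    roles = {r.lower() for r in roles}
    for cfg in configs:
        for rule in rules_for(cfg, page):
            if rule_matches(rule, user, roles):
                return rule.tag == "allow"
    return True  # machine-level default is <allow users="*"/>

if __name__ == "__main__":
    for page, cfgs in (("Login.aspx", [ACCOUNT_CFG, ROOT_CFG]), ("Default.aspx", [ROOT_CFG])):
        for who, roles in ((None, ()), ("alice", ("Users",)), ("bob", ("Admin",))):
            verdict = "allow" if is_allowed(page, who, roles, cfgs) else "deny"
            print(f"{page:18} {who or 'anonymous':10} -> {verdict}")
```

Every denial this evaluator reports would reach the browser under Forms authentication as a 302 redirect to loginUrl, not as an IIS 401.2 "Logon failed due to server configuration" page; that status is produced by the web server's own authentication settings rather than by these <authorization> rules.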