Click here to Skip to main content
15,918,516 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I have been developing a web application project. I have used Asp.Net Membership API to apply security to the application. For security reasons I would like to limit the page access based on Roles.

I have some pages on root folder in my project and a subfolder named Account in my project also. In Account subfolder I have the following pages:

1. CreateRole.aspx
2. AssignRoleToUser.aspx
3. CreateAccount.aspx
4. ManageAccount.aspx
5. Login.aspx

In root directory there are also some other pages. Now I want the users whose Role is “Users”, can access these pages but all the other Role cannot access these pages including Anonymous users. Any attempt to access to these pages by unauthorized role will redirect to the Login.aspxpage in Account subfolder. To do this in my root folder I have added a Web.config file. In that file I have added the following configurations. These are given bellow.

XML
<authentication mode="Forms">
      <forms
        defaultUrl="~/Default.aspx"
        loginUrl="~/Account/Login.aspx"
        slidingExpiration="true"
        timeout="120"
        protection="All"
        cookieless="UseCookies">
      </forms>
    </authentication>
    <machineKey
      decryption="AES"
      validation="SHA1"
      decryptionKey="1513F567EE75F7FB5AC0AC4D79E1D9F25430E3E2F1BCDD3370BCFC4EFC97A541"
      validationKey="32CBA563F26041EE5B5FE9581076C40618DCC1218F5F447634EDE8624508A129" />
    <roleManager enabled="true" 
            defaultProvider="CJDMSConnectionStringSqlRoleProvider" 
            cacheRolesInCookie="true" 
            createPersistentCookie="false" 
            cookieProtection="All">
      <providers>
        <add
          name="CJDMSConnectionStringSqlRoleProvider"
          type="System.Web.Security.SqlRoleProvider"
          applicationName="CJDMSApps"
          connectionStringName="CJDMSConnectionString"
          commandTimeout="120"/>
      </providers>
    </roleManager>
    <membership  defaultProvider="CJDMSConnectionStringSqlMembershipProvider">
      <providers>
        <clear/>
        <add name="CJDMSConnectionStringSqlMembershipProvider"
            type="System.Web.Security.SqlMembershipProvider"
            connectionStringName="CJDMSConnectionString"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="false"
            requiresUniqueEmail="true"
            passwordFormat="Hashed"
            maxInvalidPasswordAttempts="5"
            minRequiredPasswordLength="7"
            minRequiredNonalphanumericCharacters="0"
            passwordAttemptWindow="10"
            passwordStrengthRegularExpression=""
            applicationName="CJDMSApps"
          />
      </providers>
    </membership>
    <authorization>
      <allow roles="Users"/>
      <deny users="*"/>
    </authorization>


In the same way I want to limit the access of the Account subfolder pages. I want users with “Admin” Role can access every pages of this subfolder. But other users and roles cannot access these pages. But I want only “anonymous” users can access the “CreateAccount.aspx” and “Login.aspx” page. But in other case unauthorized access to the other pages will cause redirect to the Login.aspx page in Account subfolder. So I have added another Web.config file in this subfolder and added the following configurations. These are given bellow:

XML
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin, Supervisors"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <!--Allow all users to visit CreateAccount.aspx & Login.aspx page-->
  <location path="CreateUserAccounts.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>


But the problem is in both cases either access to the root folder pages or subfolder pages, it throws the following exceptions. The exception is:

Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

I do not find any problem in my code. So can anyone help me to find a suitable solution?

Connection string configuration is given bellow:

XML
<connectionStrings>
    <add name="CJDMSConnectionString" connectionString="Data Source=.;Initial Catalog=CJDMS;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>
Posted

1 solution

For that you have to write some extra <location> in your web.config file as per the example given below

XML
<location path="Customer/NewToken.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Customer">
    <system.web>
      <authorization>
        <allow roles="Customer"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="SuperAdmin"/>
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>



Here path="Customer" and path="Admin" is directory in my case, You can change as per your need
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900