ASP.NET Forms Auth Allowing access to specific file in subdirectory when all others should be denied

I am having problems allowing a specific Role access to a specific page in a subdirectory.

My ASP.NET application has a directory, ~/Forms/Administration that has limited access. There is a specific file, ~/Forms/Administration/Default.aspx that I want to give 1 additional user role access to, as well as the Admin role.

In ~/Forms/Administration, I have a web.config file that looks like this:

   <?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.web>
        <authorization>
            <allow roles="Administrator, User" />
            <deny users="*"/>
        </authorization>
    </system.web>

    <location path="Forms/Administration/Default.aspx">
        <system.web>
            <authorization>
                <allow roles="Administrator, User, AdditionalUser" />
            </authorization>
        </system.web>
    </location>

</configuration>

The Admin user works just fine, but AdditionalUser always fails. I’ve tried a number of things – listing the location as
<location path="Forms/Administration/Default.aspx">

And as
<location path="~/Forms/Administration/Default.aspx">

Is the deny=”*” from the first generic rule taking precedent? I tried changing
<deny users="*"/>

To
<deny users="?"/>

But that ends up giving AdditionalUser access to everything. Suggestions?

EDIT: I tried putting the location specific allow before the generic deny rule, in case order mattered. Same problem.

UPDATE: I am clearly missing something here: I removed the deny * config, and left only the location specific section. Then, instead of allowing on certain roles, I set that one to deny all (*). However, it is not denying me at all when I login. I even reduced the rule to not be file specific, but apply to the whole directory, and it’s not denying me anything. However, the original non-location specific rules do work, so I know this config file is being read.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <location path="Forms/Administration">
        <system.web>
            <authorization>
                <deny users="*" />
            </authorization>
        </system.web>
    </location>
</configuration>

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

Two things:

  1. The location is relative to the web.config file, so if your web.config is already in /Forms/Administration it should be corrected to be:
    <location path="Default.aspx">
        <system.web>
            <authorization>
                <allow roles="Administrator, User, AdditionalUser" />
            </authorization>
        </system.web>
    </location>
  2. To clarify about the order of Allow and Deny, authorization is going to apply based on the first match it finds, so order is very important. For instance:
    <deny users="*" />
    <allow users="Administrator" />

Administrator will be denied since it matched the first entry of deny… even though you specified to allow the Administrator user on the next line. So to only allow the Administrator, the correct syntax would be:

<allow users="Administrator" />
<deny users="*" />

In Summary

If I am reading what you want correctly, this is probably the final product you want:

<configuration>
  <system.web>
    <authorization>
        <allow roles="Administrator, User" />
        <deny users="*"/>
    </authorization>
  </system.web>

  <location path="Default.aspx">
    <system.web>
        <authorization>
            <allow roles="AdditionalUser" />
        </authorization>
    </system.web>
  </location>

</configuration>


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x