Why does CheckUrlAccessForPrincipal still return true when authorization has been revoked on a page level?

I’m building a dynamic navigation control which toggles the visibility of elements in the navigation depending on which pages the user is authorized to view according to the web.config.

To find out if a user is allowed to visit a page, I use the CheckUrlAccessForPrincipal method and set the authorization rules for a whole directory like this.

<?xml version="1.0"?>
<configuration>
<system.web>
    <authorization>
        <allow roles="demoAdministrators"/>
        <deny users="*" />
    </authorization>
</system.web>
</configuration>

This works just as expected and CheckUrlAccessForPrincipal returns false for all pages in the directory that contains the web.config-file when the current user is not in the Administrators group.

Now I want to set authorization rules on a page level like this.

<?xml version="1.0"?>
<configuration>
<location path="DemoPage.aspx">
    <system.web>
        <authorization>
            <allow roles="demoSomeDifferentGroup"/>
            <deny users="*" />
        </authorization>
    </system.web>
</location>
</configuration>

If I now check whether a user is allowed to access DemoPage, CheckUrlAccessForPrincipal returns true, regardless of whether the current user is in SomeDifferentGroup or not.

I have made sure that the configuration is correct. Visiting a page for which the current user is not authorized opens the Windows Authentication dialog and prompts the user to provide valid credentials.


Any ideas why the behavior differs depending on whether authorization-rules are set on a directory or folder level?

Answers:


Method 1

Ok, so after 2 days of digging I finally found the answer.
Apparently, some ASP.NET projects omit the .aspx file ending in the URL.

If one now calls the CheckUrlAccessForPrincipal method with a URL that is missing the .aspx ending, the method somehow does not recognize correctly that the URL is a page and does not check the web.config authorization rules correctly.

Manually adding the file ending to the URL has fixed the problem.


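The helper below shows the fix from the answer applied in a navigation control: it normalises a possibly extensionless link to the `~/...aspx` virtual path that a `<location path="DemoPage.aspx">` rule is keyed on and then asks `UrlAuthorizationModule.CheckUrlAccessForPrincipal` to evaluate the merged authorization rules. This is an added example, not code from the original post; it assumes every navigable page is an `.aspx` page and that links are given app-relative (`~/Admin/DemoPage`) or root-relative (`/Admin/DemoPage`). The class and method names (`NavAuthorization`, `CanAccess`, `VisibleLinks`) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Principal;
using System.Web.Security;

// Example code added for illustration; not part of the original post.
public static class NavAuthorization
{
    // Returns true if 'user' may request 'url' with the given HTTP verb,
    // according to the <authorization> rules ASP.NET has merged for that path.
    public static bool CanAccess(string url, IPrincipal user, string verb = "GET")
    {
        if (user == null) throw new ArgumentNullException(nameof(user));
        if (string.IsNullOrWhiteSpace(url)) throw new ArgumentException("url is required", nameof(url));

        // CheckUrlAccessForPrincipal expects a virtual path; make it app-relative.
        string virtualPath = url.StartsWith("~/", StringComparison.Ordinal)
            ? url
            : "~/" + url.TrimStart('/');

        // Drop any query string before looking at the extension.
        int q = virtualPath.IndexOf('?');
        if (q >= 0) virtualPath = virtualPath.Substring(0, q);

        // An extensionless URL such as "~/DemoPage" is not matched by
        // <location path="DemoPage.aspx">, so only directory-level rules would be
        // applied. Append ".aspx" so the page-level entry is consulted.
        // Assumption: all navigable pages are .aspx pages.
        if (!virtualPath.EndsWith("/", StringComparison.Ordinal) && !Path.HasExtension(virtualPath))
            virtualPath += ".aspx";

        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, verb);
    }

    // Filters a list of navigation links down to the ones the user may open.
    public static IEnumerable<string> VisibleLinks(IEnumerable<string> urls, IPrincipal user)
    {
        foreach (string url in urls)
        {
            if (CanAccess(url, user))
                yield return url;
        }
    }
}

// Usage inside a page or control, with a constructed sample link list:
//
//   var links = new[] { "~/Admin/Default", "~/Admin/DemoPage", "/Public/Index.aspx?tab=1" };
//   foreach (string link in NavAuthorization.VisibleLinks(links, HttpContext.Current.User))
//       menu.Items.Add(new MenuItem(link, link, null, link));
```

Hiding a link is a usability measure, not the access control: `UrlAuthorizationModule` still evaluates the same rules on every request, so a user who types the URL directly is challenged exactly as described in the question. The point of the normalisation is only that the navigation check and the per-request check look at the same virtual path, so the menu does not advertise pages the user will then be denied.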
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0
