|
Subject:
|
problem with role based authorization
|
|
Posted By:
|
hotshot_21
|
Post Date:
|
2/21/2006 7:12:41 AM
|
iam having problem with role based authorization.i have a foldernamed "Company" which is similar to admin folder.to which other user r not alowed to access.iam using cookies to store my authentication ticket.here is the code for my global.asax
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
' Fires upon attempting to authenticate the use
Dim cookiename As String
Dim authcookie As HttpCookie
Dim authticket As FormsAuthenticationTicket
'Dim roles
cookiename = FormsAuthentication.FormsCookieName
authcookie = Context.Request.Cookies(cookiename)
If authticket Is "" Then
authticket = FormsAuthentication.Decrypt(authcookie.Value)
Dim id As FormsIdentity
Dim principal As GenericPrincipal
Dim userdata As String
userdata = authticket.UserData
Dim roles
roles = userdata
id = New FormsIdentity(authticket)
'roles = authticket.UserData.ToString
principal = New GenericPrincipal(id, roles)
HttpContext.Current.User = principal
End If
End Sub
------------------------------------------------
the code for "Default.aspx" which is also login page where cookies r set.User can login in two ways either as admin or Employee.
Private Sub ImageButton1_Click(ByVal sender As System.Object, ByVal e As System.Web.UI.ImageClickEventArgs) Handles ImageButton1.Click
Dim strFname As String
Dim dsn As String
dsn = ConfigurationSettings.AppSettings("DSN")
Dim sqlcmd As String
If rdiBtn.Checked = True Then
sqlcmd = "Select Username,Password,empuser_id,Roles From employee_master Where Username='" & tbusername.Text & "' AND Password='" & tbpassword.Text & "'"
Dim roles
Dim myconn As New SqlConnection(dsn)
Dim objcmd As New SqlCommand(sqlcmd, myconn)
Dim objreader As SqlDataReader
Dim emp_id As Integer = 0
myconn.Open()
objreader = objcmd.ExecuteReader
If Not objreader.Read() Then
lblmessage.Text = "Invalid Username Or password "
Else
' lblmessage.Text = objreader("Roles")
Dim authticket As FormsAuthenticationTicket
Dim encryptedticket As String
Dim authcookie As HttpCookie
roles = objreader("Roles")
'create authentication ticket
authticket = New FormsAuthenticationTicket(1, tbusername.Text, DateTime.Now(), DateTime.Now.AddMinutes(30), False, roles)
'Create encrypted ticket
encryptedticket = FormsAuthentication.Encrypt(authticket)
'Create a cookie and add the encrypted ticket to the cookie as data
authcookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedticket)
'Add Cookie to outgoing cookie collection
Response.Cookies.Add(authcookie)
'FormsAuthentication.RedirectFromLoginPage(tbusername.Text, False)
Session("empuser_id") = objreader("empuser_id")
objreader.Close()
myconn.Close()
'Redirect User to required page
Response.Redirect("candidate_home.aspx?username='" & tbusername.Text & "'")
End If
Else
lblmessage.Text = "Not active for Employer"
sqlcmd = "Select cmpuser_id,Username,Password,Roles From Company_user Where Username='" & tbusername.Text & "' AND Password='" & tbpassword.Text & "'"
Dim myconn As New SqlConnection(dsn)
Dim objcmd As New SqlCommand(sqlcmd, myconn)
Dim objreader As SqlDataReader
Dim emp_id As Integer = 0
Dim roles As String
myconn.Open()
objreader = objcmd.ExecuteReader
If Not objreader.Read() Then
lblmessage.Text = "Invalid Username Or password "
Else
' lblmessage.Text = objreader("Roles")
'FormsAuthentication.RedirectFromLoginPage(tbusername.Text, False)
Dim authticket As FormsAuthenticationTicket
Dim encryptedticket As String
Dim authcookie As HttpCookie
roles = objreader("Roles")
'create authentication ticket
authticket = New FormsAuthenticationTicket(1, tbusername.Text, DateTime.Now(), DateTime.Now.AddMinutes(30), False, roles)
'Create encrypted ticket
encryptedticket = FormsAuthentication.Encrypt(authticket)
'Create a cookie and add the encrypted ticket to the cookie as data
authcookie = New HttpCookie(FormsAuthentication.FormsCookieName, encryptedticket)
'Add Cookie to outgoing cookie collection
Response.Cookies.Add(authcookie)
Session("cmpuser_id") = objreader("cmpuser_id")
objreader.Close()
myconn.Close()
Response.Redirect("Company/CompUserPage.aspx")
End If
End If
----------------------------------
the page_load for the Company page where the admin is taken after authentication and employee shud not get access is
Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
'Put user code to initialize the page here
Dim p As IPrincipal
p = HttpContext.Current.User
If Not p.IsInRole("Admin") Then
Response.Redirect("Default.aspx")
End If
End Sub
---------------------------------------------
the web.config for entire structure
<location path="Company/CompUserPage.aspx">
<system.web>
<authorization>
<allow roles="Admin"/>
<deny users="?"/>
</authorization>
</system.web>
</location>
---------------------------------
now the main problem is that whenver i try to login as admin iam redirected to"Default.aspx" instead iam supposed to go to "CompUserPage.aspx".how to solve this problem.
|
|
