You are currently viewing the ASP.NET 3.5 Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

April 6th, 2010, 02:10 PM
Registered User
.net membership issue
Hey everyone,
I've been stuck on this issue for 2 days. I don't know why it doesn't work, but I used .NET membership for authentication.
The authentication part has been implemented as a service. In the web.config file, the maximum invalid login attempts has been set to 3.
I logged into the app with admin credentials, created a user and tried to log in with the user credentials.
Even after 3 unsuccessful attempts, I could still log into the app. The funny part however is that when I tried to log in as the admin with wrong credentials 3 times, I was locked out.
Can anybody please explain this strange behavior? Am I missing something here?
I am trying to write unit tests for this case and I just can't figure out what's going on... :(

January 22nd, 2012, 05:00 PM
Authorized User
IsAccessibleToUser XmlSiteMapProvider question
Hello guys,
I need some help with IsAccessibleToUser in XmlSiteMapProvider.
I have a web.sitemap file defined like this:
<siteMapNode title="Account" description="Account" roles="Admin,User,RegVendor,Vendor,Profile viewer,Creator" >
    <siteMapNode title="Change Pass" description="Change Pass" url="~/Good/ChangePasscode.aspx"/>
    <siteMapNode title="Change Vendor Id" description="Change Vendor code" url="~/Good/ChangeVendorCode.aspx" />
AND
Depending on a check box somewhere in the application, I have to hide the ChangePassword menu item in the menu control. The scenario here is: this ChangePassword page is independent of roles and users. It only depends on the check box in the application to show up on the menu. What I did is I created a separate class, inherited from XmlSiteMapProvider and overrode the IsAccessibleToUser method, something like what is shown below. It works just fine, but the issue I'm facing is that when I type the path of the page in the browser, it takes me to that page, and that's a bug. Here is what I'm doing: I'm typing
"www.test.com/Good/ChangePasscode.aspx" and it takes me to that page instead of restricting me depending on the code in the IsAccessibleToUser method. That's an issue for me. Please help: how can I achieve this using IsAccessibleToUser?
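public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
{
    System.Security.Principal.IPrincipal user = context.User;
    // Only apply the extra check for authenticated users.
    if (user.Identity.IsAuthenticated)
    {
        if (string.Equals(node.Title, "Change Pass", StringComparison.InvariantCultureIgnoreCase))
        {
            // admin is the poster's own object; its declaration is not shown in the post.
            if (!admin.UserCanChangePassword)
            {
                // Hides the node from the menu only; the URL itself stays reachable.
                return false;
            }
        }
    }
    return base.IsAccessibleToUser(context, node);
}
} // closes the provider class (its declaration is not shown in the post)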

January 22nd, 2012, 05:05 PM
Wrox Author
The SiteMapProvider is just that: it provides a site map, with nodes visible or hidden to users based on their roles.
To protect pages, you need to implement URL authorization. A typical way to do this is to add a <location /> element to your web.config and override the settings for system.web/<authorization>. You can add an <allow /> element for your role and then a deny rule to block access to other users. E.g.:
Code:
<location path="WhateverYouWantHere.aspx">
    <system.web>
        <authorization>
            <allow roles="YourRole"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
Hope this helps,
Imar

January 22nd, 2012, 05:34 PM
Authorized User
I'm testing with what you mentioned... please stand by

January 22nd, 2012, 05:51 PM
Authorized User
I tried what you mentioned, but things didn't work. I will explain a little bit more.
The page which I want to access and see from the menu control is independent of roles and users. No matter who logs in, if the administrator has checked it as false for that particular user, it should not show up in the menu control and it should not show up even if you type the path "www.test.com/Good/ChangePasscode.aspx". The things which I have done (the IsAccessibleToUser method) to hide it from the menu control are working, but when you type the path the page shows up, which will be a bug in QA.

January 22nd, 2012, 05:56 PM
Wrox Author
I see.
Then simply do a test for that setting in the Page_Load of the page you're protecting, and redirect away when the user cannot access it (or return a forbidden or not found status code).
Cheers,
Imar
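
Added example, not part of the original posts: one way to do the Page_Load check suggested above, with the menu trimming and the page itself calling the same check so that a URL typed into the browser is refused as well. `UserSettings`, `CheckBoxSiteMapProvider`, the `ChangePasscode` class name and the sample user are assumptions standing in for the poster's own `admin.UserCanChangePassword` lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical store for the administrator's per-user check box.
public static class UserSettings
{
    // Constructed sample data: users allowed to change their passcode.
    private static readonly HashSet<string> Allowed =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice" };

    public static bool CanChangePassword(IPrincipal user)
    {
        // Fail closed: anonymous or unknown users are denied.
        return user != null && user.Identity.IsAuthenticated
            && Allowed.Contains(user.Identity.Name);
    }
}

// Menu trimming only: decides what the Menu control shows.
public class CheckBoxSiteMapProvider : XmlSiteMapProvider
{
    public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
    {
        if (string.Equals(node.Title, "Change Pass", StringComparison.OrdinalIgnoreCase)
            && !UserSettings.CanChangePassword(context.User))
        {
            return false;
        }
        return base.IsAccessibleToUser(context, node);
    }
}

// Enforcement: code-behind for ~/Good/ChangePasscode.aspx (class name assumed).
public partial class ChangePasscode : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on every request, including a URL typed into the browser.
        if (!UserSettings.CanChangePassword(User))
        {
            // Throwing ends page processing, so postback handlers never run.
            throw new HttpException(403, "Forbidden");
        }
    }
}
```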

January 22nd, 2012, 06:16 PM
Authorized User
Thanks for replying, Imar, I appreciate it...
OK, I will redirect it to the default page, but now I'm thinking I will let the administrator view it in any case and not allow any of those users. I can do that the way you suggested, like the location path mentioned below.
In this way, if the admin has unchecked the required box for the user, the user will not be able to get to it by specifying the path either. I will throw this one out there and let's see how QA reacts. CAN YOU PLEASE POINT ME TO A WEBSITE where it explains how to specify roles and users in web.config? I get confused about when to deny and when to allow, and want to get the correct idea. I FOLLOW YOU ON Twitter too.
<location path="WhateverYouWantHere.aspx">
    <system.web>
        <authorization>
            <allow roles="Administrator"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

January 22nd, 2012, 06:21 PM
Authorized User
This is an altogether different question: what do you think about these lines from web.config?
<system.web>
    <authorization>
        <deny users="?"/>
        <allow roles="User,Vendor,Superuser,Reviewer,Creator"/>
        <deny users="*"/>
    </authorization>
</system.web>
What will it do? Is it the right way to deny users? I'm restricting anonymous users and allowing the roles mentioned, but I'm not sure whether I should mention
<deny users="*"/>...

January 23rd, 2012, 05:10 AM
Wrox Author
Access permissions work from top to bottom. It checks each rule and sees if it applies. As soon as it finds a matching rule, it stops. When no rule matches, access is granted. In other words, you should use this:
Code:
<authorization>
    <allow roles="User,Vendor,Superuser,Reviewer,Creator"/>
    <deny users="*"/>
</authorization>
When a user is in one of the roles, access is granted. For all other users, access is blocked. You don't need to block anonymous users, as you can't be in a role when you're anonymous.
Hope this helps,
Imar
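
Added illustration, not ASP.NET's own code and not from the thread: a small model of the top-to-bottom, first-match evaluation described above, run over the rule list from the question, the list from the reply, and a list with the trailing deny left out. The `Rule` and `UrlAuthModel` types and the three users are constructed for the example; the final `return true` models "when no rule matches, access is granted".

```csharp
using System;
using System.Linq;

class Rule
{
    public bool Allow;     // true for <allow>, false for <deny>
    public string Users;   // "*", "?", a comma-separated list, or null
    public string Roles;   // comma-separated role names, or null

    public bool Matches(string name, string[] userRoles)
    {
        bool anonymous = string.IsNullOrEmpty(name);
        foreach (string u in (Users ?? "").Split(','))
        {
            string t = u.Trim();
            // "*" matches everyone, "?" matches anonymous users only.
            if (t == "*" || (t == "?" && anonymous)) return true;
            if (!anonymous && string.Equals(t, name, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return (Roles ?? "").Split(',').Any(r =>
            userRoles.Contains(r.Trim(), StringComparer.OrdinalIgnoreCase));
    }
}

static class UrlAuthModel
{
    public static bool IsAllowed(Rule[] rules, string name, string[] userRoles)
    {
        foreach (Rule rule in rules)
            if (rule.Matches(name, userRoles)) return rule.Allow;  // first match wins
        return true;  // no rule matched: access is granted
    }

    static void Main()
    {
        Rule allowRoles = new Rule { Allow = true, Roles = "User,Vendor,Superuser,Reviewer,Creator" };
        Rule denyAnon = new Rule { Allow = false, Users = "?" };
        Rule denyAll = new Rule { Allow = false, Users = "*" };
        Rule[][] lists = {
            new[] { denyAnon, allowRoles, denyAll },  // as posted in the question
            new[] { allowRoles, denyAll },            // as recommended in the reply
            new[] { allowRoles } };                   // trailing deny left out
        // Constructed users: anonymous, a Vendor, and a user with no listed role.
        string[] names = { null, "bob", "carol" };
        string[][] roles = { new string[0], new[] { "Vendor" }, new[] { "Guest" } };
        for (int l = 0; l < lists.Length; l++)
            for (int u = 0; u < names.Length; u++)
                Console.WriteLine("list {0}, user {1}: {2}", l + 1, names[u] ?? "(anonymous)",
                    IsAllowed(lists[l], names[u], roles[u]) ? "allowed" : "denied");
    }
}
```

The first two lists give the same result for every user, which is why the `<deny users="?"/>` line adds nothing; in the third list the anonymous user and the user without a listed role fall through to the implicit allow.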

January 24th, 2012, 11:45 AM
Authorized User
I have a scenario where the Contact menu item should not be shown on the menu control when logged in as administrator, but there are a few data grids which have an email column, and when you click on the email icon it should take me to the Contact page. This should all happen when you are logged in as administrator.