Hey everyone,

I'm struck with this issue since 2 days. I don't know why it doesn't work, but I used .Net membership for authentication.
The authentication part has been implemented as a service. In the web.config file, the maximum invalid login attempts has been
set to 3.

I logged into the app with admin credentials, created a user and tried to log in with the user credentials.
Even after 3 unsuccessful attempts, I could still log into the app. The funny part however is that when I tried to
log in as the admin with wrong credentials 3 times, I was locked out.

Can anybody please explain this strange behavior??Am I missing something here?

I am trying to write unit tests for this case and I just can't figure out what's going on..... :(

Hello guys,
need some help with IsaccessibletoUser XMLsitemapprovider .

I have a web.sitemap file .defined like this .
<siteMapNode title="Account" description="Account" roles="Admin,User,RegVendor,Vendor,Profile viewer,Creator" >
<siteMapNode title="Change Pass" description="Change Pass" url="~/Good/ChangePasscode.aspx"/>
<siteMapNode title="Change Vendor Id" description="Change Vendor code" url="~/Good/ChangeVendorCode.aspx" />


AND

Depending on a check box some where in the application i have to hide the ChangePassword menu item in menu control. The scenario here is ... this Changepassword page is independent of roles and users. it only depends on the check box in the application to show up on the menu . what i did is i created a seperate class and inherited from XMLSitemapprovider and overide the IsaccessibletoUser method ... something like this shown below ... it works just fine ....but the issue i m facing is when i type the path of the page in the browser its takes me to that page and thats a bug... here what i m doing..im typing
"www.test.com/Good/ChangePasscode.aspx" and it takes me that page instead of resticting me depending on code in IsaccessibletoUser method it take me that page ...that a issue for me .... please help how can i achieve this using IsAccessibleToUser

public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
{

System.Security.Principal.IPrincipal user = context.User;

if (!user.Identity.IsAuthenticated == false)
{
if (string.Equals(node.Title, "Change Pass", StringComparison.InvariantCultureIgnoreCase))
{
if (!admin.UserCanChangePassword)
{
return false;
}
}
}
return base.IsAccessibleToUser(context, node);
}
}

The SiteMapProvider is just that: it provides a site map, with nodes visisble or hidden to users based on their roles.

To protect pages, you need ti implement URL authorization.A typical way to do this is to add a <location /> element to your web.config and override the settings for system.web/<authorization>. You can add a <allow /> element for your role and then a deny rule to block access to other users. E.g.:

Hope this helps,

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!

I m testing with what u mentioned ... pleas stand by

I tried what u mentioned...but things didnt work i will explain a little bit more

The page which i want to access and see from the menu control is independent of roles and users. no matter who logs in, if the administrator has checked it as false for that particular user , it should not show up in the menu control and it should not show up even if you type the path www.test.com/Good/ChangePasscode.aspx" .... but the things which i have done (Isaccessible method ) to hide it from the menu control is working but when u type the path the page shows up which will be a bug in qa.

I see.

Then simply do a test for that setting in the Page_Load of the page you're protecting, and redirect away when the user cannot access it (or return a forbidden or not found status code).

Cheers,

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!

Thanks for replying Imar I appreciate it ...

OK i will redirect it to default page ,but now i m thinking i will let adminsitrator view it in any way and not allow any of those users..... i can do by how u suggested. like below location path mentioned
In this way if admin had unchecked the required box for the user it will not be able to do by specifying the path also...i will throw this one out there lets see how the qa reacts. CAN YOU PLEASE POINT ME A WEBSITE Where it explains how to specify roles and uses in web config ,,, i get confused when to deny ,when to allow ,want to get correct idea.. I FOLLOW YOU ON twitter too

<location path="WhateverYouWantHere.aspx">
<system.web>
<authorization>
<allow roles="Administrator"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

This is all togetther different question what do you thing about this lines from web.config
<system.web>
<authorization>
<deny users="?"/>
<allow roles="User,Vendor,Superuser,Reviewer,Creator"/>
<deny users="*"/>
</authorization>
</system.web>

what it will do ... is it the right way to deny users.. I m restricting anonymous users and allowing roles mentioned ,, but i m not sure whether i should mention
<deny users="*"/> ....

Access permissions work from top to bottom. It checks each rule and see if it applies. As soon as it finds a matching rule, it stops. When no rule matches, access is granted. In other words, you should use this:

When a user is in one of the roles, access is granted. For all other users, access is blocked. You don't need to block anonymous, users, as you can't be in a role when you're anonymous.

Hope this helps,

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!

I have a scenario where the Contact menu item should not be shown on the menu control when logged in as administrator but there are few data grids which has a email column and when u click on the email icon it should take me to the Contact page. This should all happen when you all
logged in as administrator.