Wrox Programmer Forums

#1
April 6th, 2010, 02:10 PM
Registered User
.net membership issue

Hey everyone,

I've been stuck on this issue for 2 days. I don't know why it doesn't work, but I used .NET membership for authentication.
The authentication part has been implemented as a service. In the web.config file, the maximum number of invalid login attempts has been
set to 3.

I logged into the app with admin credentials, created a user and tried to log in with the user credentials.
Even after 3 unsuccessful attempts, I could still log into the app. The funny part, however, is that when I tried to
log in as the admin with wrong credentials 3 times, I was locked out.

Can anybody please explain this strange behavior? Am I missing something here?

I am trying to write unit tests for this case and I just can't figure out what's going on..... :(

#2
January 22nd, 2012, 05:00 PM
Authorized User
IsAccessibleToUser XmlSiteMapProvider question

Hello guys,
I need some help with IsAccessibleToUser in XmlSiteMapProvider.

I have a web.sitemap file defined like this:
<siteMapNode title="Account" description="Account" roles="Admin,User,RegVendor,Vendor,Profile viewer,Creator">
  <siteMapNode title="Change Pass" description="Change Pass" url="~/Good/ChangePasscode.aspx" />
  <siteMapNode title="Change Vendor Id" description="Change Vendor code" url="~/Good/ChangeVendorCode.aspx" />
</siteMapNode>


AND

Depending on a check box somewhere in the application, I have to hide the ChangePassword menu item in the menu control. The scenario here is: this ChangePassword page is independent of roles and users; it only depends on the check box in the application to show up on the menu. What I did is create a separate class that inherits from XmlSiteMapProvider and override the IsAccessibleToUser method, something like what is shown below. It works just fine, but the issue I'm facing is that when I type the path of the page in the browser, it takes me to that page, and that's a bug. Here's what I'm doing: I'm typing
"www.test.com/Good/ChangePasscode.aspx" and it takes me to that page instead of restricting me depending on the code in the IsAccessibleToUser method. That's an issue for me. Please help: how can I achieve this using IsAccessibleToUser?

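    // Decides whether a site map node is shown to the current user.
    public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
    {
        System.Security.Principal.IPrincipal user = context.User;

        // Only apply the extra check for authenticated users.
        if (user.Identity.IsAuthenticated)
        {
            if (string.Equals(node.Title, "Change Pass", StringComparison.InvariantCultureIgnoreCase))
            {
                // Hide the node when the administrator has disabled password changes.
                if (!admin.UserCanChangePassword)
                {
                    return false;
                }
            }
        }
        // Fall back to the default role-based check.
        return base.IsAccessibleToUser(context, node);
    }
} // closes the custom XmlSiteMapProvider subclass (its declaration is not shown in the post)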

#3
January 22nd, 2012, 05:05 PM
Imar
Wrox Author

The SiteMapProvider is just that: it provides a site map, with nodes visible or hidden to users based on their roles.

To protect pages, you need to implement URL authorization. A typical way to do this is to add a <location /> element to your web.config and override the settings for system.web/<authorization>. You can add an <allow /> element for your role and then a deny rule to block access to other users. E.g.:

Code:
 
<location path="WhateverYouWantHere.aspx">
  <system.web>
    <authorization>
      <allow roles="YourRole"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
Hope this helps,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.

#4
January 22nd, 2012, 05:34 PM
Authorized User

I'm testing with what you mentioned... please stand by.

#5
January 22nd, 2012, 05:51 PM
Authorized User

I tried what you mentioned, but things didn't work. I will explain a little bit more.

The page which I want to access and see from the menu control is independent of roles and users. No matter who logs in, if the administrator has checked it as false for that particular user, it should not show up in the menu control and it should not show up even if you type the path "www.test.com/Good/ChangePasscode.aspx". What I have done (the IsAccessible method) to hide it from the menu control is working, but when you type the path the page shows up, which will be a bug in QA.

#6
January 22nd, 2012, 05:56 PM
Imar
Wrox Author

I see.

Then simply do a test for that setting in the Page_Load of the page you're protecting, and redirect away when the user cannot access it (or return a forbidden or not found status code).

Cheers,

Imar
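
An added example (not code from the thread or from Wrox) of the Page_Load check suggested above, with one policy method shared by the menu and the page so the two cannot drift apart. PasswordPolicy, its sample data, and the class names SettingAwareSiteMapProvider and ChangePasscode are assumptions; the real setting would be read from wherever the administrator's check box is stored.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical policy class: the single place that answers "may this user change their password?"
public static class PasswordPolicy
{
    // Constructed sample data standing in for the administrator's check box, keyed by user name.
    private static readonly Dictionary<string, bool> CanChange =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase)
        { { "alice", true }, { "bob", false } };

    public static bool UserCanChangePassword(IPrincipal user)
    {
        bool allowed;
        // Fail closed: anonymous users and users with no stored setting are denied.
        return user != null && user.Identity.IsAuthenticated
            && CanChange.TryGetValue(user.Identity.Name, out allowed) && allowed;
    }
}

// Menu side: hides the node only. It does nothing for a URL typed into the browser.
public class SettingAwareSiteMapProvider : XmlSiteMapProvider
{
    public override bool IsAccessibleToUser(HttpContext context, SiteMapNode node)
    {
        if (string.Equals(node.Title, "Change Pass", StringComparison.OrdinalIgnoreCase)
            && !PasswordPolicy.UserCanChangePassword(context.User))
        {
            return false;
        }
        return base.IsAccessibleToUser(context, node);
    }
}

// Code-behind of ChangePasscode.aspx: the check that actually blocks direct requests.
public partial class ChangePasscode : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on the first request and on every postback, before control event handlers.
        if (!PasswordPolicy.UserCanChangePassword(User))
        {
            throw new HttpException(403, "Forbidden");
        }
    }
}
```

Throwing HttpException stops the page from rendering and lets customErrors decide what the user sees for a 403.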

#7
January 22nd, 2012, 06:16 PM
Authorized User

Thanks for replying, Imar, I appreciate it.

OK, I will redirect it to the default page, but now I'm thinking I will let the administrator view it in any case and not allow any of those users. I can do it the way you suggested, like the location path mentioned below.
In this way, if the admin has unchecked the required box for the user, they will not be able to do it by specifying the path either. I will throw this one out there and see how QA reacts. Can you please point me to a website that explains how to specify roles and users in web.config? I get confused about when to deny and when to allow, and want to get the correct idea. I follow you on Twitter too.

<location path="WhateverYouWantHere.aspx">
  <system.web>
    <authorization>
      <allow roles="Administrator"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

#8
January 22nd, 2012, 06:21 PM
Authorized User

This is an altogether different question: what do you think about these lines from web.config?
<system.web>
  <authorization>
    <deny users="?"/>
    <allow roles="User,Vendor,Superuser,Reviewer,Creator"/>
    <deny users="*"/>
  </authorization>
</system.web>

What will it do? Is it the right way to deny users? I'm restricting anonymous users and allowing the roles mentioned, but I'm not sure whether I should mention
<deny users="*"/>.

#9
January 23rd, 2012, 05:10 AM
Imar
Wrox Author

Access permissions work from top to bottom. It checks each rule and sees if it applies. As soon as it finds a matching rule, it stops. When no rule matches, access is granted. In other words, you should use this:

Code:
<authorization>
  <allow roles="User,Vendor,Superuser,Reviewer,Creator"/>
  <deny users="*"/>
</authorization>
When a user is in one of the roles, access is granted. For all other users, access is blocked. You don't need to block anonymous users, as you can't be in a role when you're anonymous.

Hope this helps,

Imar
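
An added example, not part of the original post: a simplified model of the first-match evaluation described above, run against the rule sets from this thread. It models only users, roles, `?` and `*` (no verbs and no merging with parent web.config files); the Rule and UrlAuthModel names and the sample users are constructed for illustration.

```csharp
using System;
using System.Linq;

public class Rule
{
    public bool Allow;
    public string[] Users = new string[0];
    public string[] Roles = new string[0];
}

public static class UrlAuthModel
{
    // userName == null models an anonymous request ("?").
    static bool Matches(Rule rule, string userName, string[] userRoles)
    {
        foreach (string u in rule.Users)
        {
            if (u == "*") return true;
            if (u == "?" && userName == null) return true;
            if (userName != null && string.Equals(u, userName, StringComparison.OrdinalIgnoreCase)) return true;
        }
        return rule.Roles.Any(r => userRoles.Contains(r, StringComparer.OrdinalIgnoreCase));
    }

    public static bool IsAllowed(Rule[] rules, string userName, string[] userRoles)
    {
        foreach (Rule rule in rules)
        {
            if (Matches(rule, userName, userRoles)) return rule.Allow; // first match wins
        }
        return true; // no rule matched: access is granted
    }

    public static void Main()
    {
        string[] roles = { "User", "Vendor", "Superuser", "Reviewer", "Creator" };
        Rule allowRoles = new Rule { Allow = true, Roles = roles };
        Rule denyAnon = new Rule { Allow = false, Users = new[] { "?" } };
        Rule denyAll = new Rule { Allow = false, Users = new[] { "*" } };

        Rule[] recommended = { allowRoles, denyAll };      // rule set from post #9
        Rule[] withoutDenyAll = { denyAnon, allowRoles };  // post #8 minus <deny users="*"/>

        // Constructed sample users: a Vendor, a signed-in user in an unlisted role, and anonymous.
        Console.WriteLine(IsAllowed(recommended, "vera", new[] { "Vendor" }));
        Console.WriteLine(IsAllowed(recommended, "gus", new[] { "Guest" }));
        Console.WriteLine(IsAllowed(recommended, null, new string[0]));
        Console.WriteLine(IsAllowed(withoutDenyAll, "gus", new[] { "Guest" }));
    }
}
```

The last call is the case the final <deny users="*"/> exists for: a signed-in user in none of the listed roles matches no rule and is let in.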

#10
January 24th, 2012, 11:45 AM
Authorized User

I have a scenario where the Contact menu item should not be shown on the menu control when logged in as administrator, but there are a few data grids which have an email column, and when you click on the email icon it should take me to the Contact page. This should all happen when you are logged in as administrator.
 

