scouser
Registered User.
- Local time
- Today, 21:13
- Joined
- Nov 25, 2003
- Messages
- 767
I have developed an aspx intranet site and was looking to control access to certain pages based on the users role. I have added a web.config file to each folder and configured similar to code shown in post.
The issue is that when I specify within my web.config file the roles that have access to the page (url), users that are not members of the group placed within the role (deny users="*" ) are redirected to the login page (as specified in my site root Web.Config file below).
However they are not authorized to access the url so it would be better to direct them to a page that explained this.
Example:
User A member of Accounts
(allow roles="ACCOUNTS,ADMINISTRATION")
User B member of Sales
User A is not logged in and requests Accounts.aspx They are directed to the login.aspx page. They successfully authenticate and they are able to access accounts.aspx.
User B requests Accounts.aspx. User B is not a member of Accounts. User B is directed to the login.aspx. Even if he authenticates he will be unable to access accounts (as he is not authorized). The login status changes to show that the user has successfully authenticated and is now logged in but they remain at the login screen as they do not have authorization to access accounts.aspx (not a member of accounts).
It would be better that if after User B authenticates rather than remaining on the login.aspx page they are forwarded to a web page that states 'You do not have permission to access the page requested'.
I have atched my site Web.Config file.
Code:
Code:
?xml version="1.0" encoding="utf-8"?
configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0"
location path="production.aspx"
system.web
authorization
allow roles="ACCOUNTS,ADMINISTRATION"
deny users="*"
authorization
system.web
location
configurationThe issue is that when I specify within my web.config file the roles that have access to the page (url), users that are not members of the group placed within the role (deny users="*" ) are redirected to the login page (as specified in my site root Web.Config file below).
Code:
"<authentication mode="Forms">
<forms loginUrl="Login.aspx" timeout="60" defaultUrl="default.aspx" cookieless="AutoDetect"/>
</authentication>"However they are not authorized to access the url so it would be better to direct them to a page that explained this.
Example:
User A member of Accounts
(allow roles="ACCOUNTS,ADMINISTRATION")
User B member of Sales
User A is not logged in and requests Accounts.aspx They are directed to the login.aspx page. They successfully authenticate and they are able to access accounts.aspx.
User B requests Accounts.aspx. User B is not a member of Accounts. User B is directed to the login.aspx. Even if he authenticates he will be unable to access accounts (as he is not authorized). The login status changes to show that the user has successfully authenticated and is now logged in but they remain at the login screen as they do not have authorization to access accounts.aspx (not a member of accounts).
It would be better that if after User B authenticates rather than remaining on the login.aspx page they are forwarded to a web page that states 'You do not have permission to access the page requested'.
I have atched my site Web.Config file.
Last edited: