Hello,
Any ideas on how to do the following?
Allow users in group WebAppAccess full access
Deny users in group WebAppAccessDefaultOnly to WebForm1, WebForm2, and WebForm3 (basically just allowing them to see Default.aspx)

I've gone through multiple articles and have not been able to successfully secure an ASP.NET application. The only way I've been able to get it to work is by adding "allow" permissions for the group within IIS Authorization on the web server. However, this grants the group full access to the site, and even if I set deny permissions on specific pages within web.config, they can still be accessed. The impersonation settings are all set to false and the AppPool identity has been changed to a specific service account because it is the only way I've been able to get my PowerShell scripts that contain Invoke-Command on remote computers to run properly. When the impersonate settings are set to true, I have problems with either logging in or running the scripts from the site.



XML
<configuration>

  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="false"/>
    <roleManager enabled="true" />
  </system.web>
  
  <location path="Default.aspx">
    <system.web>
      <authorization>
        <allow roles="domain\WebAppAccess"/>
      </authorization>
    </system.web>
  </location>

  <location path="WebForm1.aspx">
    <system.web>
      <authorization>
        <deny roles="domain\WebAppAccessDefaultOnly"/>
      </authorization>
    </system.web>
  </location>

  <location path="WebForm2.aspx">
    <system.web>
      <authorization>
        <deny roles="domain\WebAppAccessDefaultOnly" />
      </authorization>
    </system.web>
  </location>

  <location path="WebForm3.aspx">
    <system.web>
      <authorization>
        <deny roles="domain\WebAppAccessDefaultOnly" />
      </authorization>
    </system.web>
  </location>
  
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
  <runtime>
    <legacyImpersonationPolicy enabled="false"/>
    <alwaysFlowImpersonationPolicy enabled="false"/>
  </runtime>
  
</configuration>

I would do this entirely inside my site. I'd have classes that worked out the permissions, but could do that from any source and then use attributes or method calls in a base class I used for all pages, to allow or deny access based on the logged in user.
 
Comments
Tyson3264 4-Aug-12 18:00pm
Hi Christian, do you know of any articles or references that show how to implement this method? Thanks
Christian Graus 4-Aug-12 18:05pm
No, sorry, I just worked it out for myself. I always did a base class for my pages in ASP.NET to add helper methods, so adding a security check was an easy step from there.
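The base-class approach described in this answer, written out as an added example (this is editor-supplied code, not Christian Graus's own implementation). It splits the decision into a policy class with no dependency on HttpContext, so the rules can be unit-tested, and a page base class that every code-behind inherits instead of System.Web.UI.Page. The group names are the poster's (domain\WebAppAccess and domain\WebAppAccessDefaultOnly, where "domain" is a placeholder); the class names PageAccessPolicy and SecurePage are assumptions. It takes the stricter reading of the question ("basically just allowing them to see Default.aspx") and allow-lists that single page for the second group rather than deny-listing WebForm1..3.

```csharp
// Added example, not code from the answer's author. Implements the
// "base class for all pages" approach with a separately testable policy.
// Assumed names: the poster's groups (domain\WebAppAccess,
// domain\WebAppAccessDefaultOnly; "domain" is a placeholder) and the
// class names PageAccessPolicy / SecurePage.
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

/// <summary>Decides whether a principal may open a given page. No HttpContext needed.</summary>
public static class PageAccessPolicy
{
    public const string FullAccessGroup  = @"domain\WebAppAccess";
    public const string DefaultOnlyGroup = @"domain\WebAppAccessDefaultOnly";

    // The only page the DefaultOnly group may open.
    private const string DefaultPage = "Default.aspx";

    public static bool IsAllowed(IPrincipal user, string pageFileName)
    {
        // Deny anonymous callers before looking at any group membership.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // Full-access group: every page.
        if (user.IsInRole(FullAccessGroup))
            return true;

        // Default-only group: Default.aspx and nothing else (WebForm1..3 included).
        if (user.IsInRole(DefaultOnlyGroup))
            return string.Equals(pageFileName, DefaultPage, StringComparison.OrdinalIgnoreCase);

        // Authenticated but in neither group: deny by default.
        return false;
    }
}

/// <summary>Every code-behind inherits SecurePage instead of Page.</summary>
public class SecurePage : Page
{
    protected override void OnPreInit(EventArgs e)
    {
        base.OnPreInit(e);

        // "~/WebForm1.aspx" -> "WebForm1.aspx"
        string pageFileName = Path.GetFileName(Request.AppRelativeCurrentExecutionFilePath);

        if (!PageAccessPolicy.IsAllowed(User, pageFileName))
        {
            // Throwing ends the page lifecycle here, so Page_Load never runs for a
            // denied user, and the request is recorded in the IIS log as a 403.
            throw new HttpException(403, "Forbidden");
        }
    }
}
```

Two caveats worth checking before relying on this. First, User.IsInRole resolves against the caller's Windows groups only when Page.User is a WindowsPrincipal; with `<roleManager enabled="true"/>` and no defaultProvider, ASP.NET uses the SQL role provider by default, so a domain group name passed to IsInRole is looked up in the membership database rather than in the Windows token (set defaultProvider="AspNetWindowsTokenRoleProvider", or disable roleManager, if Windows groups are what you mean). Second, the check runs in PreInit, so any page that forgets to inherit SecurePage is unprotected; a quick grep of the code-behind files for ": Page" catches stragglers.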
Found the solution at http://learn.iis.net/page.aspx/142/understanding-iis-url-authorization/

XML
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Allow" roles="iis7test\BobAndFriends" />
            </authorization>
        </security>
    </system.webServer>
    <location path="bobsSecret.aspx">
        <system.webServer>
            <security>
                <authorization>
                    <remove users="" roles="iis7test\BobAndFriends" verbs="" />
                    <add accessType="Allow" users="iis7test\Bob" />
                </authorization>
            </security>
        </system.webServer>
    </location>
</configuration>
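The same IIS URL authorization pattern applied to the groups and pages from the question, as an added example (not from the linked article or the poster). It assumes the URL Authorization role service is installed on the server, which the question implies since IIS Authorization rules were the only thing that worked, and uses the poster's placeholder "domain" for the domain name. The idea is the one in the answer: remove the inherited allow-everyone rule at the site level so access is deny-by-default, allow both groups at the root (where Default.aspx lives), and then, in a location element per restricted page, take the DefaultOnly group's inherited allow away again.

```xml
<!-- Added example of IIS URL authorization for the question's requirements.
     Element and attribute names are case-sensitive in IIS configuration
     (system.webServer, accessType). -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- Drop the inherited "allow all users" rule: anyone not listed below is denied. -->
        <remove users="*" roles="" verbs="" />
        <!-- Both groups may reach the site root, where Default.aspx lives. -->
        <add accessType="Allow" roles="domain\WebAppAccess" />
        <add accessType="Allow" roles="domain\WebAppAccessDefaultOnly" />
      </authorization>
    </security>
  </system.webServer>

  <!-- For each restricted page, remove the DefaultOnly group's inherited allow.
       WebAppAccess keeps its site-level allow and is unaffected. -->
  <location path="WebForm1.aspx">
    <system.webServer>
      <security>
        <authorization>
          <remove users="" roles="domain\WebAppAccessDefaultOnly" verbs="" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <location path="WebForm2.aspx">
    <system.webServer>
      <security>
        <authorization>
          <remove users="" roles="domain\WebAppAccessDefaultOnly" verbs="" />
        </authorization>
      </security>
    </system.webServer>
  </location>

  <location path="WebForm3.aspx">
    <system.webServer>
      <security>
        <authorization>
          <remove users="" roles="domain\WebAppAccessDefaultOnly" verbs="" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

To confirm what IIS actually applies for a given page after merging inherited rules, run appcmd against that path, for example `%windir%\system32\inetsrv\appcmd.exe list config "Default Web Site/WebForm1.aspx" /section:system.webServer/security/authorization` (site name assumed), and check that only the WebAppAccess allow remains. Then test with an account that is in WebAppAccessDefaultOnly only: Default.aspx should load and WebForm1.aspx should be refused. Note that these rules are evaluated by IIS from the Windows token, independently of the ASP.NET roleManager setting in the question's web.config.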
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)