.NETGURU
Roles and Form Based Authentication
Messages   Related Types
This message was discovered on ASPFriends.com 'aspngsec' list.


Wolfgang Baeck
Ok, I'm ready to pull the last of my hair out.

I have a website with forms authentication:

    <authentication mode="Forms">
            <forms name="FormAuthentication" path="/" loginUrl="Login.aspx"/>
    </authentication>

a login page that assigns a role to the user:

    if(my user is authenticated)
    {
        HttpContext currentContext = HttpContext.Current;
        string formsCookieStr = string.Empty;
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, // version
            txtUsername.Text, // user name
            DateTime.Now, // issue time
            DateTime.Now.AddMinutes(30), // expires
            false, // persistent
            "Member" // here is my role assignment
            );
        // get the encrypted representation suitable for placing in a HTTP cookie
        formsCookieStr = FormsAuthentication.Encrypt(ticket);
        HttpCookie FormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, formsCookieStr);
        currentContext.Response.Cookies.Add(FormsCookie);

        System.Web.Security.FormsAuthentication.RedirectFromLoginPage(txtUsername.Text, chkCookies.Checked);
    }

and a standard global.asax mod like:

protected void Application_OnAuthenticateRequest(Object src, EventArgs e)
{
    HttpContext currentContext = HttpContext.Current;
    if (HttpContext.Current.User != null)
    {
        if (HttpContext.Current.User.Identity.IsAuthenticated)
        {
            if( HttpContext.Current.User.Identity is FormsIdentity )
            {
                FormsIdentity id = HttpContext.Current.User.Identity as FormsIdentity;
                FormsAuthenticationTicket ticket = id.Ticket;
                string userData = ticket.UserData;
                // Roles is a helper class which places the roles of the
                // currently logged on user into a string array
                // accessible via the value property.
                Roles userRoles = new Roles(userData);
                HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(id, userRoles.value);
            }
        }
    }
}

my authorization section is:

<location path="Admin">
        <system.web>
            <authorization>
                <allow roles="Supervisor"/>
                <deny users="?"/>
            </authorization>
        </system.web>
</location>

Result, the system gives a hoot on what I write in <allow roles/>

Any idea what I'm missing?

Thanks

Michael Lang
WolfGang I think the line going wrong is

                <allow roles="Supervisor"/>

this should probably be the full active directory path to your group

                <allow roles="<YOUR DOMAIN OR MACHINE NAME>/Supervisor"/>

    
Wolfgang Baeck
Michael,

thanks, you pointed me into a good direction, but the problem was:

                <deny users="?"/>
should have been
                <deny users="*"/>

to deny everyone BUT the roles

Wolfgang

    
Mark Feinholz
1. I would try putting the web.config file in the admin directory with
nothing in it but the <authorization> element (and of course the
elements above it in the hierarchy) - just to make sure the problem is
not in how you've defined the location element.

2. I just wrote some code that sets up a custom auth cookie and from
the way I read the docs I don't think you want to use
RedirectFromLoginPage because that method will put the auth cookie in
the response. To me that means that it will build an auth cookie and
put it in the response - replacing the cookie you just put there.
Instead of using RedirectFromLoginPage, simply grab the url and do the
redirect yourself:

Response.Redirect(FormsAuthentication.GetRedirectUrl(
            txtUsername.Text, chkCookies.Checked));

3. Keep the last of your hair as long as you can!

    
Wolfgang Baeck
Mark,

AHHHHH, your number two explains to me why I never see my cookie again that
I just added. It gets overwritten! I made a crude fix because I didn't
understand the cause of the problem, so I fixed the symptom by creating a
different cookie and using it.

Thanks again, that made my weekend!

Wolfgang

    
Michael Lang
? = Deny Unauthenticated users

* = Deny all

Did you have to change the allow roles from 'Supervisor' to 'DOMAIN/Supervisor' ?

    
Wolfgang Baeck
Michael,

No, I didn't have to use Domain/Supervisor, Supervisor as role was enough.

My changes were:
1. Deny all (I wrongly assumed that I needed to allow authenticated users
along with roles)
2. Allow only specific roles
3. Do not use RedirectFromLoginPage when you create your own
FormsAuthentication Ticket since the method will wipe out your ticket and
replace it with its own.

Thanks!

Wolfgang
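
The three changes listed in the message above, gathered into one sketch. This is an added example, not code posted by anyone in the thread. The `RoleTicket` class, its method names, and the comma-separated role format in `UserData` are assumptions; it pairs with the thread's `<allow roles="Supervisor"/>` followed by `<deny users="*"/>`.

```csharp
// Added example; not code from the thread. Assumes roles are stored
// comma-separated in the ticket's UserData (an assumption of this sketch).
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    private const char Separator = ',';

    // Call from the login page after the credentials have been verified.
    public static void SignIn(HttpContext context, string userName,
                              string[] roles, bool persistent)
    {
        foreach (string role in roles)
        {
            // A role containing the separator would split into two roles later.
            if (role.IndexOf(Separator) >= 0)
                throw new ArgumentException("Role name contains the separator: " + role);
        }

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                          // version
            userName,                                   // user name
            DateTime.Now,                               // issue time
            DateTime.Now.AddMinutes(30),                // expires
            persistent,                                 // persistent
            String.Join(Separator.ToString(), roles));  // UserData carries the roles

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;
        context.Response.Cookies.Add(cookie);

        // GetRedirectUrl only computes the return URL. RedirectFromLoginPage
        // would also issue its own ticket, with empty UserData, under the same
        // cookie name, and the roles set above would be lost.
        context.Response.Redirect(
            FormsAuthentication.GetRedirectUrl(userName, persistent));
    }

    // Call from the authenticate-request handler in global.asax.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null) return;
        FormsIdentity id = context.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;

        string userData = id.Ticket.UserData;
        string[] roles = (userData == null || userData.Length == 0)
            ? new string[0]
            : userData.Split(Separator);

        // URL authorization checks the rules in order and stops at the first
        // match. A "Member" matches neither <allow roles="Supervisor"/> nor
        // <deny users="?"/> and falls through to the inherited default allow,
        // which is why the rule after the allow has to be <deny users="*"/>.
        context.User = new GenericPrincipal(id, roles);
    }
}

public class Global : HttpApplication
{
    protected void Application_OnAuthenticateRequest(object src, EventArgs e)
    {
        RoleTicket.AttachRoles(HttpContext.Current);
    }
}
```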

System.DateTime
System.EventArgs
System.Security.Principal.GenericPrincipal
System.Web.HttpContext
System.Web.HttpCookie
System.Web.Security.FormsAuthentication
System.Web.Security.FormsAuthenticationTicket
System.Web.Security.FormsIdentity



