1

I have created an aspx page where I can type a name into a textbox and it will add a line under the 'authorization' section in my web.config file (e.g. 'allow users="peter"'). The problem is that the line is always added below 'deny users="*"', which automatically stops any user added below that line from logging in. Is there a way to find the 'deny users="*"' line via my C# code and insert the 'allow users' line above it?

Thanks

Default.aspx.cs (Add user code)

protected void btnWrite_Click(object sender, EventArgs e)
{

    System.Configuration.Configuration configuration = WebConfigurationManager.OpenWebConfiguration("~");
    AuthorizationSection authorization = (AuthorizationSection)configuration.GetSection("system.web/authorization");
    AuthorizationRule accessRule = new AuthorizationRule(AuthorizationRuleAction.Allow);
    accessRule.Users.Add(txtAddUser.Text);
    authorization.Rules.Add(accessRule);
    configuration.Save(ConfigurationSaveMode.Minimal); 
}

Web.config (authorization section)

  <authentication mode="Forms">
    <forms name=".ASPNET" loginUrl="login.aspx" defaultUrl="Default/default.aspx" />
  </authentication>
  <authorization>
      <allow users="john" />
      <deny users="*" />
      <allow users="peter" />
      <allow users="david" />
  </authorization>
user2168287
  • I suggest you either use Profile Membership, Active Directory Groups or a database to manage users. There are many drawbacks of using `web.config` for this purpose. Every time web.config is changed, your app is reset, and re-deployment may override users' settings. – Ray Cheng Mar 14 '13 at 06:26
  • Thanks for the comment. Ideally I would like to use AD Groups but from what I have read AD Groups don't work with Forms authentication therefore I've resorted to adding each AD user individually. If this is incorrect can you give me an example of how AD Groups work with Forms authentication. – user2168287 Mar 19 '13 at 22:18
  • Is it an intranet web app? If so, you don't need form auth at all. You can check user's AD assignment by using `Page.User.IsInRole`. If it's external web app, then it's better to use form auth or design your own database tables to handle roles and users. – Ray Cheng Mar 19 '13 at 22:34
  • It is just an Intranet page, so in the case that the user is connecting from a computer that isn't joined to the domain will they be challenged to enter their domain credentials? If so that solution will work – user2168287 Mar 20 '13 at 03:26
  • So you are looking for mixed authentication which I haven't done before. I can only advise you to search for `asp.net mixed authentication`. Here is one for MVC, look for the second answer. http://stackoverflow.com/questions/2432845/asp-net-mvc-and-mixed-mode-authentication – Ray Cheng Mar 20 '13 at 14:30
  • Ideally I would like to continue to use form based authentication and only allow users to log on if they are in a specified AD security group, that way I'll never have to touch the web.config file and can control tight access to the Intranet page by adding and removing users from the AD group. Can this be done? – user2168287 Mar 21 '13 at 00:37
  • Yes, it can be done via Mixed Authentication I pointed out above. Are you building an ASP.NET MVC or WebForm web app? – Ray Cheng Mar 21 '13 at 01:42
  • Just a WebForm web app. Thanks – user2168287 Mar 21 '13 at 03:43
  • I haven't tried it but this article seems to have a step by step solution http://blog.meansbiz.com/mixing-forms-and-windows-security-in-aspnet-a – Ray Cheng Mar 21 '13 at 04:41
  • Thanks Ray but ideally I want to use form authentication only, the only way I have figured out how to do that at the moment against AD users is to add them individually into the web.config file under . What I want to be able to do is in my web.config file specify an AD group that can login that way I won’t need to modify the web.config file every time I want to grant a user access, instead I can just add AD users to the AD group. This is where I’m stuck and don’t know if it is possible. Thanks for your help – user2168287 Mar 21 '13 at 22:18
  • Have you tried allow role? Maybe that's what you are looking for. http://msdn.microsoft.com/en-us/library/acsd09b0(v=vs.100).aspx – Ray Cheng Mar 22 '13 at 00:20

2 Answers

0

You can use LINQ to select the descendants of authorization and add the element at the first or last, wherever you want.

nzdev
  • Thanks, but can you help me out with the code or give me an example as I'm unfamiliar with linq and how it works – user2168287 Mar 14 '13 at 05:45
0

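You can use something like this:

// Requires: using System.Linq; using System.Xml.Linq;
// Load the existing file; "new XDocument(path)" would not read it from disk.
XDocument xDoc = XDocument.Load(@"your config file name.extension");
// <authorization> is nested under <configuration>/<system.web>, so search descendants.
xDoc.Descendants("authorization").First()
.Elements("allow")
.Where(item => (string)item.Attribute("users") == "john").FirstOrDefault()
.AddAfterSelf(new XElement("allow", new XAttribute("users", "put the user name your want here")));
// Write the change back to disk.
xDoc.Save(@"your config file name.extension");

To use this you need to add a using statement at the top (using System.Linq).

Hope you will understand this; please replace the string as you want.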

nzdev
  • Hi, sorry for the delay I've only just got around to looking at the issue. However I can't seem to get it to work still, it gets caught on the last line `.AddAfterSelf(new XElement("allow", new XAttribute("users","brett")));` with the error 'Cannot implicitly convert type 'void' to 'System.Xml.Linq.XElement'' – user2168287 Mar 19 '13 at 12:17
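
Added example, not part of the question or of either answer above: ASP.NET evaluates authorization rules top-down and stops at the first match, so this sketch inserts the new `<allow>` directly above the catch-all `<deny users="*">`. It also rejects names containing `*`, `?` or commas, which would otherwise widen access, since the `users` attribute treats them as "everyone", "anonymous" and a list separator. The class name `AuthorizationEditor`, the method `AllowUser` and the name pattern are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.Linq;

static class AuthorizationEditor
{
    // Assumed name policy: letters, digits, '.', '_', '-' and '\' (DOMAIN\user).
    // Anything else, including "*", "?" and ",", is refused.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9._\\-]{1,64}\z");

    public static void AllowUser(XDocument config, string userName)
    {
        if (userName == null || !SafeName.IsMatch(userName))
            throw new ArgumentException("User name contains characters that are not allowed.");

        // Same section the question opens with GetSection("system.web/authorization").
        XElement systemWeb = config.Root.Element("system.web");
        XElement authorization = systemWeb == null ? null : systemWeb.Element("authorization");
        if (authorization == null)
            throw new InvalidOperationException("No system.web/authorization section found.");

        var allow = new XElement("allow", new XAttribute("users", userName));

        // First match wins, so the new rule must sit above the catch-all deny.
        XElement denyAll = authorization.Elements("deny")
            .FirstOrDefault(d => (string)d.Attribute("users") == "*");

        if (denyAll != null)
            denyAll.AddBeforeSelf(allow);
        else
            authorization.Add(allow);
    }

    static void Main()
    {
        // Constructed sample mirroring the question's web.config.
        XDocument config = XDocument.Parse(@"<configuration><system.web><authorization>
  <allow users=""john"" />
  <deny users=""*"" />
</authorization></system.web></configuration>");

        AllowUser(config, "peter");
        Console.WriteLine(config.Root.Element("system.web").Element("authorization"));
    }
}
```

In the question's click handler the document would come from `XDocument.Load(Server.MapPath("~/web.config"))` and be written back with `Save` on the same path; as noted in the comments, every save of web.config restarts the application.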