
I have an ASP.Net web forms app running under IIS 7+. The entire app is currently secured using Windows Authentication and URL Authorization, configured in the web.config via IIS. The .NET side doesn't care who the user is; there are no profiles or roles or anything at the moment.

<system.web>
    <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="AppXUsers" />
        <deny users ="?" />
    </authorization>
</system.web>

I wish to add an additional page (in a subfolder), which will be accessible to a subset of users, so I would modify the web.config like so:

<location path="mySubFolder">
    <system.web>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="AppXPowerUsers" />
            <deny users ="?" />
        </authorization>
    </system.web>
</location>

The client is free to then add or remove AD groups as they see fit. However, as it stands users who are in the AppXUsers group but not in the AppXPowerUsers group still get shown links to the pages in mySubFolder. When they click the links they get access denied as it should be.

Is there any way I can detect whether or not the current user has access to "mySubFolder"?

I feel it would be a bit overkill to introduce User/RoleManagement at this stage - the application has no need to store any information relevant to users and it doesn't care who the user is beyond "can they access this page or not", which is currently handled at the IIS stage.

Mr Dan

1 Answer


Take a look at this: http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal.aspx

which is referenced here: Determine if user can access the requested page?

UrlAuthorizationModule.CheckUrlAccessForPrincipal requires that the authorization rules are set in <system.web><authorization>

If you're introducing this into your web.config, though - why are you reluctant to use it in code?

Another way to check would be:

Context.User.IsInRole("somerole")
Mike
  • I am trying to get that to work, but it is always returning true... `If UrlAuthorizationModule.CheckUrlAccessForPrincipal("/Detail", HttpContext.Current.User, "GET") Then` Yet if I try and open a page in the Detail folder then I get 401 Access Denied. – Mr Dan Aug 05 '14 at 11:30
  • Based on http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal(v=vs.110).aspx the virtual path is supposed to be to a file, not a directory. Not sure if that would be causing the problem you're experiencing. – Mike Aug 05 '14 at 12:26
  • I finally got it working. I had to put the allow/deny rules under .NET Authorization Rules (``) instead of the IIS Authorization Rules (``) then they were recognised by `CheckUrlAccessForPrincipal` – Mr Dan Aug 05 '14 at 15:51
  • Good catch. I updated my answer to reflect this piece of information. – Mike Aug 05 '14 at 15:54
  • This did not answer the question I was looking for, but it let me down the right path. For everyone having a similar problem to the one described above, maybe my question/answer can be helpful: https://stackoverflow.com/questions/54551844/why-does-checkurlaccessforprincipal-still-return-true-when-authorization-has-bee/54593585#54593585 – Wolter Feb 08 '19 at 13:37
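Putting the answer and the comment thread together, as an added example in C# (this is not code from the question or the answer; the asker's own snippet is VB.NET): a Web Forms code-behind that hides the link into mySubFolder whenever UrlAuthorizationModule.CheckUrlAccessForPrincipal reports that the current Windows principal would be denied. The page name Default.aspx, the control name PowerUserLink and the CanAccess helper are assumptions; the folder and the AppXUsers / AppXPowerUsers group names come from the question. The web.config fragment in the comment is the <system.web><authorization> form that the comments say CheckUrlAccessForPrincipal reads (not the IIS <system.webServer> form). In that form `?` means anonymous users and `*` means everyone, rules are matched first-wins, and a <location>'s rules are evaluated before the parent's, so the subfolder has to end with deny users="*" rather than deny users="?", otherwise plain AppXUsers members fall through to the application-level allow.

```csharp
// Added example, not the question's or answer's code.
//
// Assumed web.config, in the ASP.NET <system.web> form that
// UrlAuthorizationModule.CheckUrlAccessForPrincipal evaluates:
//
//   <system.web>
//     <authorization>
//       <allow roles="AppXUsers" />
//       <deny users="*" />
//     </authorization>
//   </system.web>
//   <location path="mySubFolder">
//     <system.web>
//       <authorization>
//         <allow roles="AppXPowerUsers" />
//         <deny users="*" />   <!-- "*" = everyone else; "?" would only stop anonymous -->
//       </authorization>
//     </system.web>
//   </location>
//
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Default : Page
{
    // Assumed to be declared in Default.aspx markup, e.g.
    // <asp:HyperLink ID="PowerUserLink" runat="server" NavigateUrl="~/mySubFolder/Default.aspx" />
    protected HyperLink PowerUserLink;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Hide the link for users who would get 401 when they followed it.
        // Check a file inside the folder, not the bare folder: the MSDN remarks
        // quoted in the comments say the virtual path should name a file, and the
        // asker saw a directory path always return true.
        PowerUserLink.Visible = CanAccess("~/mySubFolder/Default.aspx");
    }

    /// <summary>
    /// True when the current principal would be allowed to GET the given
    /// virtual path under the <system.web><authorization> rules in web.config.
    /// Hiding a link is a usability measure only; the module still enforces the
    /// rule on the real request, so nothing relies on this check for security.
    /// </summary>
    protected static bool CanAccess(string appRelativeVirtualPath)
    {
        IPrincipal user = HttpContext.Current.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous callers never reach this page under Windows Authentication,
            // but fail closed rather than hand an anonymous principal to the module.
            return false;
        }

        // Turn "~/mySubFolder/Default.aspx" into "/AppRoot/mySubFolder/Default.aspx"
        // so the module resolves the same <location> rules IIS applies on request.
        string absolutePath = VirtualPathUtility.ToAbsolute(appRelativeVirtualPath);
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(absolutePath, user, "GET");
    }
}
```

The verb argument matters: if the subfolder used per-verb rules (for example allowing GET but denying POST), the visibility check should be run with the verb the link will actually issue. Checking a page in the folder rather than the folder itself is what resolved the "always true" result in the comments, together with moving the rules out of the IIS <system.webServer> section.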