Deny access to a webpage using web.config

Question

I have searched Google & SO posts, but could not get any results that solved my issue.

My web.config is:

<location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

<location path="~/reports/ManifestAnnualReport.aspx, ~/reports/ManifestDetailedReport.aspx">
  <system.web>
    <authorization>
      <allow roles="ManifestReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>  

The authorization works as required (meaning a person with "PayrollReports" role, is not able to see the Manifest Reports in the menu item and a person with "ManifestReports" role is not able to see the Payroll Reports in the menu item).

Problem:
As a user with "PayrollReports" role, I can type into my url http:\\\\mysite.com\\reports\\ManifestDetailedReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx

Similarly, as a user with "ManifestReports" role, I can type into my url http:\\\\mysite.com\\reports\\PayPeriodQtrReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx

Question: Using web.config, how can I prevent a user from hacking into the page by typing in the url?

Answer 1

You need to put each file in it's own location entry and remove the ~/ :

<location path="reports/PayPeriodQtrReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

etc...

This assumes you are using a RoleProvider. Either you are using the built-in RoleProvider or you a custom RoleProvider that inherits from RoleProvider and is properly specified in your web.config.