I have searched Google & SO posts, but could not get any results that solved my issue.
My web.config is:
<location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="~/reports/ManifestAnnualReport.aspx, ~/reports/ManifestDetailedReport.aspx">
  <system.web>
    <authorization>
      <allow roles="ManifestReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
The authorization works as required (meaning a person with the "PayrollReports" role is not able to see the Manifest Reports in the menu item, and a person with the "ManifestReports" role is not able to see the Payroll Reports in the menu item).
Problem:
As a user with "PayrollReports" role, I can type into my url http:\\mysite.com\reports\ManifestDetailedReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx
Similarly, as a user with "ManifestReports" role, I can type into my url http:\\mysite.com\reports\PayPeriodQtrReport.aspx and the page shows up. What should be displayed is unauthorizedaccess.aspx
Question: Using web.config, how can I prevent a user from hacking into the page by typing in the url?
You need to put each file in its own location entry and remove the ~/:
<location path="reports/PayPeriodQtrReport.aspx">
  <system.web>
    <authorization>
      <allow roles="PayrollReports"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
etc...
This assumes you are using a RoleProvider. Either you are using the built-in RoleProvider or a custom RoleProvider that inherits from RoleProvider and is properly specified in your web.config.
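A small audit script for the two changes the answer describes (one file per location entry, no ~/ prefix), added here as an example and not part of the original question or answer. The function names, the `<configuration>` wrapper and the sample config are constructed for illustration; the two rules it checks are taken from the answer above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one entry in the question's style, one in the answer's style.
SAMPLE_CONFIG = """<configuration>
  <location path="~/reports/PayPeriodQtrReport.aspx, ~/reports/PayPeriodDetailReport.aspx">
    <system.web>
      <authorization>
        <allow roles="PayrollReports"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="reports/ManifestDetailedReport.aspx">
    <system.web>
      <authorization>
        <allow roles="ManifestReports"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def audit_locations(config_xml):
    """Return (path, problems, allowed_roles) for each <location> with authorization rules."""
    findings = []
    root = ET.fromstring(config_xml)
    for loc in root.iter("location"):
        auth = loc.find("system.web/authorization")
        if auth is None:
            continue
        path = loc.get("path", "")
        problems = []
        if "," in path:
            problems.append("several files in one path attribute")
        if any(p.strip().startswith("~/") for p in path.split(",")):
            problems.append("path starts with ~/")
        roles = [r.strip() for a in auth.findall("allow")
                 for r in a.get("roles", "").split(",") if r.strip()]
        findings.append((path, problems, roles))
    return findings

def suggested_paths(path):
    """One app-relative path per file, the form the answer suggests."""
    parts = [p.strip() for p in path.split(",") if p.strip()]
    return [p[2:] if p.startswith("~/") else p for p in parts]

if __name__ == "__main__":
    for path, problems, roles in audit_locations(SAMPLE_CONFIG):
        print(repr(path), problems or "ok", roles, suggested_paths(path))
```

Each path returned by `suggested_paths` needs its own `<location>` element carrying the same `<authorization>` block.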