
IIS URL Authorization check in ASP.Net

I have an ASP.Net web forms app running under IIS 7+. The entire app is currently secured using Windows Authentication and URL Authorization, configured in the web.config via IIS. The .NET doesn't care who the user is, there are no profiles or roles or anything at the moment.

<system.web>
    <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="AppXUsers" />
        <deny users="?" />
    </authorization>
</system.web>

I wish to add an additional page (in a subfolder), which will be accessible to a subset of users, so I would modify the web.config like so:

<location path="mySubFolder">
    <system.web>
        <authorization>
            <remove users="*" roles="" verbs="" />
            <add accessType="Allow" roles="AppXPowerUsers" />
            <deny users="?" />
        </authorization>
    </system.web>
</location>

The client is free to then add or remove AD groups as they see fit. However, as it stands users who are in the AppXUsers group but not in the AppXPowerUsers group still get shown links to the pages in mySubFolder. When they click the links they get access denied as it should be.

Is there any way I can detect whether or not the current user has access to "mySubFolder"?

I feel it would be a bit overkill to introduce User/RoleManagement at this stage - the application has no need to store any information relevant to users and it doesn't care who the user is beyond "can they access this page or not", which is currently handled at the IIS stage.

Take a look at this: http://msdn.microsoft.com/en-us/library/system.web.security.urlauthorizationmodule.checkurlaccessforprincipal.aspx

which is referenced here: Determine if user can access the requested page?

UrlAuthorizationModule.CheckUrlAccessForPrincipal requires that the authorization rules are set in <system.web><authorization>.

If you're introducing this into your web.config, though - why are you reluctant to use it in code?

Another way to check would be:

Context.User.IsInRole("somerole")
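
The check from the first answer, as an added example that is not part of the original question or answers: a Web Forms code-behind that hides the link when the current Windows user would be refused by the URL authorization rules. The `UrlAccess` helper, the `Menu` page, the `PowerUserLink` control and the `Default.aspx` target are hypothetical names, and the example assumes the rules for `mySubFolder` are written as `<allow>`/`<deny>` elements under `<system.web><authorization>`, which is where this API reads them.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI.WebControls;

// Hypothetical helper (added example, not the asker's code).
public static class UrlAccess
{
    // True when the <system.web><authorization> rules that apply to
    // virtualPath allow this principal to issue a GET for it.
    public static bool CanGet(string virtualPath, IPrincipal user)
    {
        // Fail closed: no path or no identity means the link is not shown.
        if (string.IsNullOrEmpty(virtualPath) || user == null)
            return false;

        try
        {
            return UrlAuthorizationModule.CheckUrlAccessForPrincipal(
                virtualPath, user, "GET");
        }
        catch (ArgumentException)
        {
            // Raised for a path outside this application's directory tree.
            return false;
        }
    }
}

// Code-behind for the page that renders the link. Assumed markup:
// <asp:HyperLink ID="PowerUserLink" runat="server"
//                NavigateUrl="~/mySubFolder/Default.aspx" Text="Power users" />
public partial class Menu : System.Web.UI.Page
{
    // Declared here to keep the example self-contained; remove this field
    // if the designer file already declares the control.
    protected HyperLink PowerUserLink;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Cosmetic only. The <location path="mySubFolder"> rule remains the
        // enforcement point and still rejects a request for the URL itself.
        PowerUserLink.Visible = UrlAccess.CanGet(PowerUserLink.NavigateUrl, User);
    }
}
```

Because the decision comes from the same web.config rules that guard the folder, AD group changes made by the client are picked up without a second role list in code.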
