Forms Authentication - Subfolder Web.Config not working

巧了我就是萌 submitted on 2019-12-24 20:49:54

Question


I need an area in my website where only certain users can view.

What I did was create a Video folder. Under that folder I have two folders, one called Login and the other called WatchVid. In the Login folder I have a page called Login.aspx. Once the user logs in they will then go to /WatchVid/Watch.aspx. Below is a representation:

    Video Folder
      |
      | 
      ----> Login Folder
      |        |
      |        |  
      |        ---> Login.aspx 
      |
      ----> WatchVid Folder
                 |
                 |
                 --->Watch.aspx                  

I have the following web.config file in my WatchVid folder to only allow roles that have VidUser to view the page:

    <?xml version="1.0"?>
    <configuration>
    <system.web>
     <authorization>
        <allow roles="VidUser" />
        <deny users="?" />
     </authorization>
    </system.web>
    </configuration>

What I am finding is that even if I change:

      <allow roles="VidUser" /> 

To:

      <allow roles="VidUser1" />

I can still get to the Watch.aspx page even though I do not have a role of VidUser1.

Am I doing something wrong?

Just as a reference, below is the code I use once the user logs in with their userid, pwd:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Send users in the StreamingUser role to the protected page.
        if (Roles.IsUserInRole(txtUserName.Text, "StreamingUser"))
        {
            const string url = "~/Video/WatchVid/Watch.aspx";
            Response.Redirect(url);
        }
    }

Stephan, I have the following in my root web.config page but it is still letting me get to the Watch.aspx page:

        <location path="Video/WatchVid">
        <system.web>
          <authorization>
             <allow roles="StreamingUser1dfdfdfd" />
             <deny users="?" />
         </authorization>
       </system.web>
       </location>

Note how I created a dummy role of StreamingUser1dfdfdfd just to check it out. I am still able to get to the Watch.aspx page.

Mike:

I have the following under my WatchVid folder but I am getting an access error when I do it with * - any idea?

     <?xml version="1.0"?>
     <configuration>
     <system.web>
     <authorization>
        <allow roles="StreamingUser" />
        <deny users="*" />
      </authorization>
     </system.web>
     </configuration>

I get the following message: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

Keep in mind that this still works:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Send users in the StreamingUser role to the protected page.
        if (Roles.IsUserInRole(txtUserName.Text, "StreamingUser"))
        {
            const string url = "~/Video/WatchVid/Watch.aspx";
            Response.Redirect(url);
        }
    }

But now it will not let me through to the Watch.aspx page as I get an error.


Answer 1:


You'll want to change

    <deny users="?"/>

to

    <deny users="*"/>

* means it is denied to everyone. Then your allow roles lets in the right roles.

? means it is denied to unauthenticated users. Since you are authenticated, you aren't denied.
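
The difference between the two deny rules can be checked with a small model. This is an added example, not part of the original answers and not ASP.NET code: a Python sketch of URL authorization's documented first-match evaluation, in which a folder's rules are checked top-down before the inherited default of allow users="*". The function names and the sample users alice and bob are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented inherited default: the machine-level configuration allows everyone.
INHERITED_DEFAULT = '<authorization><allow users="*" /></authorization>'

# The question's WatchVid rules (with the mistyped test role) and Answer 1's fix.
QUESTION_RULES = '<authorization><allow roles="VidUser1" /><deny users="?" /></authorization>'
FIXED_RULES = '<authorization><allow roles="VidUser" /><deny users="*" /></authorization>'

def parse_rules(xml_text):
    """Return (action, kind, names) tuples in document order."""
    root = ET.fromstring(xml_text)
    auth = root if root.tag == "authorization" else root.find(".//authorization")
    rules = []
    for el in auth:
        for kind in ("users", "roles"):
            if kind in el.attrib:
                names = [n.strip() for n in el.attrib[kind].split(",")]
                rules.append((el.tag, kind, names))
    return rules

def rule_matches(kind, names, user, roles):
    """user=None models an anonymous (unauthenticated) request."""
    if kind == "roles":
        return user is not None and any(n in roles for n in names)
    return any(n == "*" or (n == "?" and user is None) or n == user for n in names)

def is_authorized(folder_rules, user, roles=()):
    """First matching rule wins; folder rules are checked before inherited ones."""
    for action, kind, names in parse_rules(folder_rules) + parse_rules(INHERITED_DEFAULT):
        if rule_matches(kind, names, user, roles):
            return action == "allow"
    return False  # unreachable while the inherited default is present

if __name__ == "__main__":
    # Constructed sample users: alice holds StreamingUser, bob holds VidUser.
    for label, rules in (("question", QUESTION_RULES), ("fixed", FIXED_RULES)):
        print(label,
              "anonymous:", is_authorized(rules, None),
              "alice:", is_authorized(rules, "alice", {"StreamingUser"}),
              "bob:", is_authorized(rules, "bob", {"VidUser"}))
```

With the question's rules, an authenticated user without the listed role matches neither folder rule and falls through to the inherited allow; with the deny users="*" rule, only the named role gets in.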




Answer 2:


Use a location tag at the outermost (root) web.config file.

EDIT to show an (adapted) working example from one of our applications:

    <authorization>
       <allow users="?" />
    </authorization>

    <location path="Login.aspx">
      <system.web>
       <authorization>
          <allow users="*" />
       </authorization>
      </system.web>
    </location>

    <location path="Videos/WatchVid">
      <system.web>
       <authorization>
          <allow roles="VidUser" />
          <deny users="?" />
       </authorization>
      </system.web>
    </location>


Source: https://stackoverflow.com/questions/16107672/forms-authentication-subfolder-web-config-not-working
