Question
I'm building a dynamic navigation control which toggles the visibility of elements in the navigation depending on which pages the user is authorized to view in the web.config.
To find out if a user is allowed to visit a page, I use the CheckUrlAccessForPrincipal method and set the authorization rules for a whole directory like this.
<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="demo\Administrators"/>
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
This works just as expected and CheckUrlAccessForPrincipal returns false for all pages in the directory that contains the web.config file when the current user is not in the Administrators group.
Now I want to set authorization rules on a page level like this.
<?xml version="1.0"?>
<configuration>
  <location path="DemoPage.aspx">
    <system.web>
      <authorization>
        <allow roles="demo\SomeDifferentGroup"/>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
If I now check whether a user is allowed to access DemoPage, CheckUrlAccessForPrincipal returns true, no matter if the current user is in SomeDifferentGroup or not.
I have assured that the configuration is correct. Visiting a page for which the current user is not authorized opens the Windows-Authentication and prompts the user to provide valid credentials.
Any ideas why the behavior differs depending on whether authorization rules are set on a directory or folder level?
Answer 1:
OK, so after 2 days of digging I finally found the answer. Apparently, some ASP.NET projects omit the .aspx file ending in the URL.
If one now were to call the CheckUrlAccessForPrincipal method with a URL that is missing the .aspx ending, the method will somehow not recognize correctly that the URL is a page and not check the web.config authorization rules correctly.
Manually adding the file ending to the URL has fixed the problem.
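As an added example (not code from the question or the answer), the following helper normalizes a navigation URL so that it carries the .aspx ending before it is handed to UrlAuthorizationModule.CheckUrlAccessForPrincipal, and treats any failure as "not visible". The class and method names (NavAuthorization, NormalizePagePath, CanUserView) and the use of app-relative "~/" paths as input are assumptions for the example; only CheckUrlAccessForPrincipal and VirtualPathUtility are real ASP.NET APIs.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example, not from the original post. Assumes navigation entries are
// app-relative paths such as "~/DemoPage" with the .aspx ending omitted.
public static class NavAuthorization
{
    // Normalizes a navigation URL so that <location path="DemoPage.aspx">
    // rules can be matched: strips the query string, makes the path
    // app-relative and appends ".aspx" when no extension is present.
    public static string NormalizePagePath(string navUrl)
    {
        if (string.IsNullOrWhiteSpace(navUrl))
            throw new ArgumentException("navigation URL required", nameof(navUrl));

        int q = navUrl.IndexOf('?');
        string path = q >= 0 ? navUrl.Substring(0, q) : navUrl;

        if (!path.StartsWith("~/", StringComparison.Ordinal))
            path = "~/" + path.TrimStart('/');

        if (string.IsNullOrEmpty(Path.GetExtension(path)))
            path += ".aspx";

        return path;
    }

    // Decides whether a navigation entry should be shown. Anonymous users,
    // bad paths and exceptions all yield false (fail closed). This only
    // controls visibility in the menu; the UrlAuthorizationModule still
    // enforces the rules when the page is actually requested.
    public static bool CanUserView(string navUrl, IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        try
        {
            // Absolute virtual path, e.g. "/MyApp/DemoPage.aspx", matches
            // what the authorization module sees for a real request.
            string virtualPath = VirtualPathUtility.ToAbsolute(NormalizePagePath(navUrl));
            return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
        }
        catch (Exception)
        {
            return false; // misconfiguration or bad path: hide the entry
        }
    }
}
```

In a navigation control this is used as `demoLink.Visible = NavAuthorization.CanUserView("~/DemoPage", HttpContext.Current.User);`, so the menu entry for DemoPage only appears for members of demo\SomeDifferentGroup.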
Source: https://stackoverflow.com/questions/54551844/why-does-checkurlaccessforprincipal-still-return-true-when-authorization-has-bee