tags:

views:

858

answers:

1
+2  Q: 

ASP.NET 3.5 IIS7 Roles Security Implementation

I'm working on a ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).

We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.

I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.

Here are the relevant bits of my current configuration:

<configuration>
  ...
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/client/security/login.aspx" timeout="480" />
    </authentication>
 <authorization>
    </authorization>
 <roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
      <providers>
        <clear />
        <add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
 ...
  </system.web>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
 ...
  </system.webServer>
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs=""/>
          <add accessType="Allow" roles="SysAdmins,AppAdmins" />
        </authorization>
      </security>
    </system.webServer>
    <system.web>
      <authorization>
        <deny users="*"/>
        <allow roles="SysAdmins,AppAdmins"/>
      </authorization>
    </system.web>
  </location>
</configuration>

I believe this configuration currently blocks everyone. I've done similar configurations that block no one.

I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.

UPDATE

Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unpriviledged eyes. So I'm still looking for help.

+6  A: 

Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:

  1. Added <deny users="?" /> to the first authorization block
  2. Switched the order of <allow> and <deny> in location-specific authorization block
  3. Removed <system.webServer> location-specific authorization blocks
  4. To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.

Please let me know if that works for you!

<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/client/security/login.aspx" timeout="480" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
    <roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
      <providers>
        <clear />
        <add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
  </system.web>

  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="SysAdmins,AppAdmins"/>
        <deny users="*"/>             
      </authorization>
    </system.web>
  </location>
  <location path="js">
    <system.web>
      <authorization>
        <deny users="?"/>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
Noah Heldman  2009-09-22 16:39:00
Thanks Noah: I guess security by role in the integrated pipeline just doesn't work correctly. Using the .NET system.web section will at least keep the rifraff out of the important aspx pages, even if the static files are unprotected.
Toby  2009-09-23 18:55:10
Just came across a blog post that seems to indicate that roles are supported by IIS 7 URL authorization:http://mvolo.com/blogs/serverside/archive/2009/05/11/Workaround-for-using-IIS-7-url-authorization-with-ASP.NET-roles.aspx
William Gross  2009-11-21 19:11:14
I'll take a look at that Will! Good find!
Toby  2010-01-25 22:38:39

related questions

Change .NET Framework version of application pool to 3.5?
How can I determine the number of users on an ASP.NET site (IIS)? And their info?
Hitting Webservice on Different Subnet
WebResource.asd giving 403 error in ASP.Net Post backs using IIS7
How do you Install a SSL Certificate
Can IIS7 be installed on XP?
Is IIS7 migration a piece of cake
Posting forms to a 404 + HttpHandler in IIS7: why has all POST data gone missing?
WAS hosting vs. Windows Service hosting
How do I fix 404.17 error on Win Server 2k8 and IIS7
Force IIS7 to suggest downloading *.exe files in "Local intranet" zone
Sending 'application/javascript' MIME t Type Header Causes 500 Error with PHP5 & IIS7
How to configure IIS7 to allow zip file uploads using classic asp?
What is the worker process for IIS7?
IIS Integrated Request Processing Pipeline -- Modify Request
How to setup GIT bare HTTP-available repository on IIS-machine
What is the ASP.NET process for IIS 7.0?
IIS7: HTTP->HTTPS Cleanly
URL Rewrite Module for IIS 7
ASP.NET Forms Authorization
Does CruiseControl.NET run on IIS 7.0?
How do I get PHP and MySQL working on IIS 7.0 ?
Convert an asp.net application to IIS7 integrated mode
Impersonation in IIS 7.0
How do I stop IIS7 dropping my cookies?