Hi all,

I've been working with the .net login for a long time now, but my latest project calls for some not so great coding.

I have one database which contains the tables etc for .net membership. There are 4 roles:

  • Admin
  • BasicAdmin
  • PowerAdmin
  • Member

Now the top 3 are able to log into the Admin system, but I want to deny login for those in the role Member. I have added the following to the web.config:

    <authorization>
      <deny roles="Member"/>
      <deny users="?"/>
    </authorization>

This works, to an extent. It redirects the user who is in the role 'Member' to the login page, but it does not give the message login failed, as you would get when you are not registered and you enter wrong data.

The members can log into a members area of the site which will be, for argument's sake, off limits to admins.

Does anyone know where I am going wrong, am I missing something or is this not possible?

Thanks,

+1  A: 

Your members can login and get to the member content but are then redirected when they attempt to get to something in the admin section. It is working by design. The member wouldn't get a failed login message because they have not failed to login, rather they are denied access.

Throughout the application you can check as a person is trying to go to a page that they can't access and fire off a message that they don't have access, but that is extra work, though doable.

You can also modify your application in such a way that links to certain sections of the site only show if the user is in the right role. For example, Roles.IsUserInRole("role") will check whether the currently logged-in identity / user is in a role. There is also the LoginView control in 2.0 that you can wrap controls in that does this nicely for you.

EDIT: Clarification based on your first comment.

This is how the roles provider is designed. It redirects you to the login page when you try to access a page you have been denied in the web.config for.

You could do a couple of things:

Remove the deny statements for the groups in the web.config and then do one of two things or both:

Use the loginview control and encapsulate the functionality for the "admin" role in the admin view and then display a message to the "member" role that they don't have access.

And/Or write code on the page load event for a page checking the roles and presenting a message and/or redirecting a user to another page.

OR leave the deny statement in the web.config for the groups AND

on the page load event of the login page do something like

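        ' Me.User is the principal for the current request.
        ' AndAlso short-circuits, so IsAuthenticated is never read on a null identity.
        If Me.User.Identity IsNot Nothing AndAlso Me.User.Identity.IsAuthenticated Then
            If Me.User.IsInRole("admin") Then
                Response.Redirect("~/NoAccessToMemberStuff.htm")
            ElseIf Me.User.IsInRole("member") Then
                Response.Redirect("~/NoAccessToAdminStuff.htm")
            End If
        End If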
klabranche
OK, I missed a bit of further information which might help. The admin side of the application is actually a separate website, i.e.

www.mysite.com -- the site

admin.mysite.com -- admin site

So rather than saying you don't have access, which would show the person attempting to login that their details do access this site to some point, I want to just show the "login detail wrong" validation message that login shows by default with an incorrect login.

I am also using 3.5.

I don't like the redirect to "your log in failed page" as really it didn't, it's just that is the only page you can see.

Thanks,
JamesStuddart
Thanks for the extra bit. I thought I might be stuck doing it like that. Oh well, thanks for your help. I'll give it a whirl when I'm back in on Monday. Cheers for now.
JamesStuddart
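The behaviour asked for in the comment above (a Member who signs in on the admin site gets the ordinary failed-login message) can be had by combining the credential check and the role check in the Login control's Authenticate event. This is an added example, not code from the thread; the class name AdminLoginPage and the control ID AdminLogin are assumptions, and the role names are the ones listed in the question.

```vb
Imports System.Linq
Imports System.Web.Security
Imports System.Web.UI.WebControls

' Code-behind for the admin site's login page (hypothetical class name).
' Assumes the page declares <asp:Login ID="AdminLogin" runat="server" />.
Partial Public Class AdminLoginPage
    Inherits System.Web.UI.Page

    ' Roles allowed into the admin site, as listed in the question.
    Private Shared ReadOnly AdminRoles As String() = {"Admin", "BasicAdmin", "PowerAdmin"}

    ' Handling Authenticate replaces the control's built-in credential check,
    ' so both the password and the role decide the outcome in one place.
    Protected Sub AdminLogin_Authenticate(ByVal sender As Object, ByVal e As AuthenticateEventArgs) _
        Handles AdminLogin.Authenticate

        Dim userName As String = AdminLogin.UserName

        ' Step 1: normal membership check (wrong password, unknown user, locked out).
        Dim credentialsOk As Boolean = Membership.ValidateUser(userName, AdminLogin.Password)

        ' Step 2: evaluated only for valid credentials; the user must hold an admin role.
        Dim allowed As Boolean = credentialsOk AndAlso _
            AdminRoles.Any(Function(role) Roles.IsUserInRole(userName, role))

        ' False makes the control show its usual FailureText and issue no
        ' authentication cookie, so a Member sees the same message as a bad password.
        e.Authenticated = allowed
    End Sub
End Class
```

The authorization rules in web.config still decide access on every request; this handler only changes what the login form reports, so a valid Member account is not revealed to someone probing the admin site.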