DotNetNewsgroup.com  
web access to complete list of Microsoft.NET newsgroups
start date: Mon, 9 Jul 2007 18:20:23 +0100,    posted on: microsoft.public.dotnet.framework.aspnet.security

Thread Index
  1    Tim Mackey am
          2    Alexey Smirnov
          3    Dominick Baier
                 4    Tim Mackey am
          5    Alexey Smirnov


User.IsInRole with * wildcard, web.sitemap etc.   
hi,
User.IsInRole method appears not to work with the web.sitemap * 'all roles' 
wildcard.  is this by design?  do i have to handle wildcards manually? 
ideally User.IsInRole("*") would return true if the user is in any role.  an 
example is below to illustrate.

i have a sitemap node like so:
<siteMapNode title="Report xyz" description="etc" url="Reports.aspx?sp=XYZ" 
roles="*">

since i'm using the querystring to specify a sproc, i make sure to verify 
that the user is allowed to access it, as defined in web.sitemap.  so i have 
code in Reports.aspx that goes like:

foreach (string role in siteMapNode.Roles)
 if (User.IsInRole(role))
  return;     // OK

thanks for any help
tim
Date:Mon, 9 Jul 2007 18:20:23 +0100   Author:  

Re: User.IsInRole with * wildcard, web.sitemap etc.   
On Jul 9, 7:20 pm, "Tim Mackey" <tim.mac...@community.nospam> wrote:

> hi,
> User.IsInRole method appears not to work with the web.sitemap * 'all roles'
> wildcard.  is this by design?  do i have to handle wildcards manually?
> ideally User.IsInRole("*") would return true if the user is in any role.  an
> example is below to illustrate.
>
> i have a sitemap node like so:
> <siteMapNode title="Report xyz" description="etc" url="Reports.aspx?sp=XYZ"
> roles="*">
>
> since i'm using the querystring to specify a sproc, i make sure to verify
> that the user is allowed to access it, as defined in web.sitemap.  so i have
> code in Reports.aspx that goes like:
>
> foreach (string role in siteMapNode.Roles)
>  if (User.IsInRole(role))
>   return;     // OK
>
> thanks for any help
> tim


Tim, it makes no sense to worry about (*). If you have roles="*" then
you don't need to check anything, because any role is ok.
Date:Mon, 09 Jul 2007 12:58:57 -0700   Author:  

Re: User.IsInRole with * wildcard, web.sitemap etc.   
You don't specify any authorization requirements in web.sitemap!!!

You use the <authorization> element in web.config for that - the sitemap 
just uses this information - and the role attribute in the sitemap file allows 
you to override the information found in the authorization element for visual 
presentation.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)


> hi,
> User.IsInRole method appears not to work with the web.sitemap * 'all
> roles'
> wildcard.  is this by design?  do i have to handle wildcards manually?
> ideally User.IsInRole("*") would return true if the user is in any
> role.  an
> example is below to illustrate.
> i have a sitemap node like so:
> <siteMapNode title="Report xyz" description="etc"
> url="Reports.aspx?sp=XYZ"
> roles="*">
> since i'm using the querystring to specify a sproc, i make sure to
> verify that the user is allowed to access it, as defined in
> web.sitemap.  so i have code in Reports.aspx that goes like:
> 
> foreach (string role in siteMapNode.Roles)
> if (User.IsInRole(role))
> return;     // OK
> thanks for any help
> tim
Date:Mon, 9 Jul 2007 20:21:27 +0000 (UTC)   Author:  

Re: User.IsInRole with * wildcard, web.sitemap etc.   
alexey, dominick, thanks for the reply. perhaps i should clarify.
authorization is already controlled via web.config in as much as possible. 
the 'reports.aspx' page is accessible to anyone, as defined in web.config, 
however since i am using querystring parameters to refer to stored 
procedures, i perform an additional security check to verify the user's 
access to the querystring supplied.  Since i have fully specified the access 
rules in web.sitemap, i am using the roles defined here to decide if the 
user should be able to access a certain URL.  the example below illustrates:

<sitemapnode Url="reports.aspx?sp=PublicReport1" Roles="*" />
<sitemapnode Url="reports.aspx?sp=PrivateReport1" Roles="Admins" />
<sitemapnode Url="reports.aspx?sp=PrivateReport2" Roles="Admins" />

reports.aspx currently enumerates the roles specified in web.sitemap to 
validate the request.  i guess i will have to handle the * wildcard role 
manually.  my scenario is fairly non-standard, i would accept that, although 
my reports page is invaluable: it dynamically generates UI controls to match 
parameters for any SP, and then binds the results to an enhanced GridView 
with built-in excel export etc. (or sends the parameters to a specified 
crystal report).

thanks
tim


----- Original Message ----- 
From: "Dominick Baier" 
Newsgroups: microsoft.public.dotnet.framework.aspnet.security
Sent: Monday, July 09, 2007 9:21 PM
Subject: Re: User.IsInRole with * wildcard, web.sitemap etc.



> You don't specify any authorization requirements in web.sitemap!!!
>
> You use the <authorization> element in web.config for that - the sitemap 
> just uses this information - and the role attribute in the sitemap file 
> allows to override the information found in the authorization element for 
> visual presentation.
>
>
> -----
> Dominick Baier (http://www.leastprivilege.com)
>
> Developing More Secure Microsoft ASP.NET 2.0 Applications 
> (http://www.microsoft.com/mspress/books/9989.asp)
>
>> hi,
>> User.IsInRole method appears not to work with the web.sitemap * 'all
>> roles'
>> wildcard.  is this by design?  do i have to handle wildcards manually?
>> ideally User.IsInRole("*") would return true if the user is in any
>> role.  an
>> example is below to illustrate.
>> i have a sitemap node like so:
>> <siteMapNode title="Report xyz" description="etc"
>> url="Reports.aspx?sp=XYZ"
>> roles="*">
>> since i'm using the querystring to specify a sproc, i make sure to
>> verify that the user is allowed to access it, as defined in
>> web.sitemap.  so i have code in Reports.aspx that goes like:
>>
>> foreach (string role in siteMapNode.Roles)
>> if (User.IsInRole(role))
>> return;     // OK
>> thanks for any help
>> tim
>
> 
Date:Tue, 10 Jul 2007 11:51:37 +0100   Author:  

Re: User.IsInRole with * wildcard, web.sitemap etc.   
On Jul 10, 12:51 pm, "Tim Mackey" <tim.mac...@community.nospam> wrote:

> alexey, dominick, thanks for the reply. perhaps i should clarify.
> authorization is already controlled via web.config in as much as possible.
> the 'reports.aspx' page is accessible to anyone, as defined in web.config,
> however since i am using querystring parameters to refer to stored
> procedures, i perform an additional security check to verify the user's
> access to the querystring supplied.  Since i have fully specified the access
> rules in web.sitemap, i am using the roles defined here to decide if the
> user should be able to access a certain URL.  the example below illustrates:
>
> <sitemapnode Url="reports.aspx?sp=PublicReport1" Roles="*" />
> <sitemapnode Url="reports.aspx?sp=PrivateReport1" Roles="Admins" />
> <sitemapnode Url="reports.aspx?sp=PrivateReport2" Roles="Admins" />
>
> reports.aspx currently enumerates the roles specified in web.sitemap to
> validate the request.  i guess i will have to handle the * wildcard role
> manually.  my scenario is fairly non-standard, i would accept that, although
> my reports page is invaluable: it dynamically generates UI controls to match
> parameters for any SP, and then binds the results to an enhanced GridView
> with built-in excel export etc. (or sends the parameters to a specified
> crystal report).
>


foreach (string role in siteMapNode.Roles)
    if (role == "*" || User.IsInRole(role))
        return;     // OK
Date:Tue, 10 Jul 2007 04:56:48 -0700   Author:  
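
Added example, not part of any post in the thread: the per-report check discussed above, written as a deny-by-default lookup keyed on the sp query-string value. It goes slightly beyond the thread by rejecting any sp value that has no rule at all. The class and member names (ReportAccess, Rules, IsAllowed) and the users are hypothetical; the report names and roles are copied from the sitemap snippet in the thread, and in the real page the table would be filled from the web.sitemap nodes rather than hard-coded.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: decides whether a user may run the report named by "sp".
public static class ReportAccess
{
    // sp value -> roles allowed to run it (values taken from the thread's sitemap snippet).
    private static readonly Dictionary<string, string[]> Rules =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "PublicReport1",  new[] { "*" } },
            { "PrivateReport1", new[] { "Admins" } },
            { "PrivateReport2", new[] { "Admins" } },
        };

    public static bool IsAllowed(IPrincipal user, string sp)
    {
        if (user == null || string.IsNullOrEmpty(sp))
            return false;

        string[] roles;
        if (!Rules.TryGetValue(sp, out roles))
            return false;               // no rule for this sp value: deny

        foreach (string role in roles)
        {
            // "*" is the sitemap wildcard; IsInRole("*") does not understand it,
            // so it is handled explicitly before asking the principal.
            if (role == "*" || user.IsInRole(role))
                return true;
        }
        return false;                   // rule exists but no role matched: deny
    }

    public static void Main()
    {
        // Constructed sample users.
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admins" });
        var plain = new GenericPrincipal(new GenericIdentity("bob"), new string[0]);

        foreach (string sp in new[] { "PublicReport1", "PrivateReport1", "NotInSitemap" })
        {
            Console.WriteLine("{0}: admin={1} plain={2}",
                sp, IsAllowed(admin, sp), IsAllowed(plain, sp));
        }
    }
}
```

Because the fall-through is a denial, a stored procedure name that was never listed cannot be reached by editing the query string.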
