BUG: Server.Execute ignores web.config <location> role permissions


  1. #1

    BUG: Server.Execute ignores web.config <location> role permissions

    I have an intranet site that uses authentication mode="Windows" with
    identity impersonate="true". I recently implemented a site search
    feature that uses Server.Execute to retrieve dynamic content for the
    search. Unfortunately, Server.Execute retrieves pages that the user
    cannot access. The pages appear in the search results with the found
    terms highlighted in context. Rut-roh! So much for security. When the
    user clicks the link to see the page located by the search, they get
    the custom access denied page, but they've already seen some content
    that they were not authorized to see.

    The workarounds I have come up with are not elegant.

    Paul Guest

  2. #2

    Re: BUG: Server.Execute ignores web.config <location> role permissions

    As a workaround, before I call Server.Execute I now check to see if
    there is a location entry in web.config for the path/file. If there is,
    I call User.IsInRole against the listed roles in any allow or deny
    lists found.

    Paul Guest
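
An added example, not code from the thread: a pre-check in front of Server.Execute like the one described in the reply above. Instead of reading the `<location>` entries and calling User.IsInRole by hand, it asks the framework's own `UrlAuthorizationModule.CheckUrlAccessForPrincipal` to evaluate the merged `<authorization>` rules for the target path, so rule order and inherited rules are handled the same way as for a direct request. It assumes ASP.NET 2.0 or later; the class and method names `GuardedExecute` and `RenderIfAuthorized` are hypothetical.

```csharp
using System;
using System.IO;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical helper for a site-search renderer (illustrative names).
public static class GuardedExecute
{
    // Renders appRelativePath (for example "~/reports/summary.aspx") through
    // Server.Execute only when the current user passes URL authorization for
    // that path. Returns null when access is denied, so the caller must drop
    // the page from the results entirely: no title, no highlighted snippet.
    public static string RenderIfAuthorized(HttpContext context, string appRelativePath)
    {
        if (context == null)
            throw new ArgumentNullException("context");
        if (appRelativePath == null ||
            !appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException(
                "Expected an app-relative path such as ~/page.aspx", "appRelativePath");

        // With Windows authentication this is the WindowsPrincipal of the caller.
        IPrincipal user = context.User;
        if (user == null)
            return null; // no principal to evaluate: fail closed

        // Evaluates the <authorization> allow/deny rules that apply to the path,
        // including those declared in <location> elements of web.config.
        // "GET" is used because the search only reads the page.
        bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            appRelativePath, user, "GET");
        if (!allowed)
            return null;

        // Only now execute the page and capture its output for indexing
        // or snippet extraction.
        using (StringWriter output = new StringWriter())
        {
            context.Server.Execute(appRelativePath, output);
            return output.ToString();
        }
    }
}
```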
