James McFarland #1
FormsAuthentication Roles Problem
I want to use FormsAuthentication and allow access based on role.
I have a /Admin directory on the web app, and want to allow role "admin",
but deny all other users.
/Web.config:
<authorization>
<allow users="*" /> <!-- Allow all users -->
</authorization>
/Admin/Web.config:
<authorization>
<allow roles="admin"/>
<deny users="*"/>
</authorization>
This setup prevents all users from accessing pages in the /Admin folder,
even users whose IPrincipal.IsInRole("admin") implementation returns true.
If I change /Admin/Web.config to the below, it allows the "admin@mysite.com"
user in:
<authorization>
<allow users="admin@mysite.com" roles="admin"/>
<deny users="*"/>
</authorization>
Anyone ever seen this problem or have any idea what I am doing wrong?
All examples I have seen appear to use the <allow roles="admin"/> approach.
Thanks,
-james
--
James McFarland :: SunPorch Structures Inc.
James McFarland Guest
-
[MSFT] #2
RE: FormsAuthentication Roles Problem
Hello James,
I think you should put the domain/machine name before "Admins". Also,
please note that these names (including the group name) are
case sensitive.
Hope this helps,
Luke
[MSFT] Guest
-
James McFarland #3
RE: FormsAuthentication Roles Problem
"[MSFT]" wrote:
> Hello James,
>
> I think you should put the domain/machine name before "Admins". Also,
> please note that these names (including the group name) are
> case sensitive.
>
> Hope this helps,
>
> Luke
I checked the case, and that all matches.
Just to further clarify, I am not using AD or Windows Authentication, so the
domain name/machine name are not relevant in my case.
Does that make sense?
Thanks,
-james
James McFarland Guest
-
[MSFT] #4
RE: FormsAuthentication Roles Problem
Since you use Forms authentication, can you explain more about how you
implement IPrincipal.IsInRole and Application_AuthenticateRequest?
Normally, we need to grant roles in Application_AuthenticateRequest like:
Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    ' Only replace the principal for requests authenticated by Forms authentication.
    If Not (HttpContext.Current.User Is Nothing) Then
        If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
            Dim id As System.Web.Security.FormsIdentity
            id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
            ' In VB the number is the upper bound: (1) declares indexes 0 and 1.
            Dim MyRoles(1) As String
            MyRoles(0) = "Manager"
            MyRoles(1) = "Admin"
            ' Attach the roles so role-based <authorization> rules can match.
            HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, MyRoles)
        End If
    End If
End Sub
Luke
[MSFT] Guest
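
One way to carry per-user roles instead of a hard-coded list, shown as an added example that is not code from any poster in this thread: the roles are stored in the forms ticket at login and re-attached on every request, so that `<allow roles="admin"/>` in /Admin/Web.config has something to match. The helper name IssueTicket, the "|" delimiter and the 30-minute lifetime are assumptions.

```vb
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example (Global.asax.vb). Assumption: roles are looked up once at login
' and stored pipe-delimited in the ticket's UserData. IssueTicket is hypothetical.
Public Class Global_asax
    Inherits HttpApplication

    ' Call from the login page after the credentials have been verified,
    ' e.g. IssueTicket("admin@mysite.com", New String() {"admin"}).
    Public Shared Sub IssueTicket(ByVal userName As String, ByVal roles() As String)
        Dim ticket As New FormsAuthenticationTicket( _
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), _
            False, String.Join("|", roles))
        ' Encrypt protects the ticket with the machineKey settings, so the
        ' client cannot edit the role list it carries.
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Secure = FormsAuthentication.RequireSSL
        cookie.Path = FormsAuthentication.FormsCookiePath
        HttpContext.Current.Response.Cookies.Add(cookie)
    End Sub

    ' Runs on every request, before the <authorization> rules are evaluated.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim user As IPrincipal = HttpContext.Current.User
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return

        ' Leave principals produced by other authentication types untouched.
        Dim id As FormsIdentity = TryCast(user.Identity, FormsIdentity)
        If id Is Nothing Then Return

        ' Rebuild the principal with the roles stored in the decrypted ticket.
        Dim roles() As String = id.Ticket.UserData.Split( _
            New Char() {"|"c}, StringSplitOptions.RemoveEmptyEntries)
        HttpContext.Current.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

Roles stored this way stay in effect until the ticket expires, so a role removed from the user store is not revoked until the next login.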
-
Patrick.O.Ige #5
RE: FormsAuthentication Roles Problem
I think try MSFT advice first and see....
And make sure you have Anonymous Access when using Forms Auth!
With Web.Config it's case sensitive so be careful...
Enjoy!
Patrick
"[MSFT]" wrote:
> Since you use Forms authentication, can you explain more about how you
> implement IPrincipal.IsInRole and Application_AuthenticateRequest?
> Normally, we need to grant roles in Application_AuthenticateRequest like:
>
> Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
>     If Not (HttpContext.Current.User Is Nothing) Then
>         If HttpContext.Current.User.Identity.AuthenticationType = "Forms" Then
>             Dim id As System.Web.Security.FormsIdentity
>             id = CType(HttpContext.Current.User.Identity, System.Web.Security.FormsIdentity)
>
>             ' In VB the number is the upper bound: (1) declares indexes 0 and 1.
>             Dim MyRoles(1) As String
>             MyRoles(0) = "Manager"
>             MyRoles(1) = "Admin"
>             HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, MyRoles)
>         End If
>     End If
> End Sub
>
>
> Luke
Patrick.O.Ige Guest