Security

Re: No Membership/Role Remote Configuration?!?!??!!

joec0814 — Wed, 24 Jan 2007 14:06:09 GMT

There is a good article with source code on www.aspnetpro.com called Build a User Administration Tool by Bipin Joshi which resolves the remote administration problems. I downloaded the code and was impressed with the functionality. I will be adding to my sites, as I have had the same remote admin issues. I'm tempted to post my "slightly altered" code for the community, but I don't want to violate aspnetpro terms, as access to this article is subscription based. Worth looking into.....

Joe

Re: No Membership/Role Remote Configuration?!?!??!!

cpt_safety — Wed, 24 Jan 2007 13:45:12 GMT

I know that this forum is not really for complaints, but I've been going insane over this same problem for a week now.

It's actually helpful to know that there are others ot there. I'll be thinking of you as I'm also re-developing my site...

Re: No Membership/Role Remote Configuration?!?!??!!

dkode — Wed, 24 Jan 2007 13:23:58 GMT

Just to follow up with the problems I was having,

I completely abandoned the membership features in ASP.NET 2.0 and built my own. Took me all of 3 days to do the registration features, and make all the correct tables.

After that I built a backend administrator to allow me to manage users on my site.

I am much more comfortable now with my own code in place so now if something malfunctions, I dont have to drudge through a large number of tables that use uniqueidentifiers and it is much easier to integreate with my existing table structure.

Perhaps in the future when the membership tools have matured a little, I will try them again, I just dumped so much time into trying to get their controls to work that I gave up.

Thank you for your comments everyone, I appreciate the help and advice!

Sean

Re: No Membership/Role Remote Configuration?!?!??!!

arifali — Tue, 28 Nov 2006 05:43:39 GMT

Scott,

Strangely, although I have been wrestling with this for several days in my spare time, 10 minutes after I made the above post, the problem went away.

Unfortunately I dont know what changed so I am going to plow ahead slowly and hope to continue to make progress as I add more features to the security of this site.

Thanks,

Re: No Membership/Role Remote Configuration?!?!??!!

ScottGu — Wed, 12 Jul 2006 18:08:58 GMT

ASP.NET 2.0 provides support for a managing and setting configuration settings using the System.Configuration namespace. These quickstart tutorials discuss how to access and change values:

http://www.asp.net/QuickStart/aspnet/doc/management/default.aspx

You could use this to programmatically change settings.

Note that saving web.config files typically cause an application restart -- so that is one thing to be aware of if you are updating yourself (as long as your app doesn't store things in session state this should be fine).

Hope this helps,

Scott

Re: No Membership/Role Remote Configuration?!?!??!!

AWizardInDallas — Wed, 12 Jul 2006 16:27:46 GMT

Thanks, Scott!! I have it working for the subfolder at long last! Okay the last feature I would like to implement is the ability to modify the page permissions remotely rather than having to sit in front of Visual Studio to edit the file. Is that possible?

Thanks for the Rolla link. I'll look it over and start a new topic if I have questions.

Thanks Again!
AWizardInDallas

Re: No Membership/Role Remote Configuration?!?!??!!

ScottGu — Wed, 12 Jul 2006 03:56:40 GMT

You can absolutely specify a location directive to a file in a sub-directory. Your syntax above is wrong, it should instead be:

Note that you should use forward-slash instead of backslash, and no "~".

This article: http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/122805-1.aspx describes how to implement "security trimming" -- which allows you to show/hide nodes within a menu based on the security role of the user.

Hope this helps,

Scott

Re: No Membership/Role Remote Configuration?!?!??!!

AWizardInDallas — Wed, 12 Jul 2006 03:32:20 GMT

The root web.config file will not accept this directive, however:

<location path="~\security\securepage.aspx">
    <system.web>
           <authorization>
                 <allow roles="subscribers"/>
                 <deny users="*"/>
           </authorization>
    </system.web>
</location>

Your example will only work if securepage.aspx file in in the root with the web.config file, right? So it doesn't solve the problem. I suspect that I'll have to add a page_load to every single page in my site that redirects if the user doesn't have the proper role for that page. In ASP I would create a security include that does that and have the include at the top of every page. I imagine I'll have to do something simlar.

I'm also trying to figure out how to hide menu items based on role too. Have not found an example of that either.

Re: No Membership/Role Remote Configuration?!?!??!!

AWizardInDallas — Wed, 12 Jul 2006 03:19:32 GMT

I believe you've missed the point entirely. I have an admin tool built...now. I spent weeks building it. I had to figure out to use aspnet_sqlreg.exe to create the schema in my existing database because Visual Studio otherwise assumed that I would settle for using SQL Server Express. It also decided what my application name would be in web.config, which I had to figure out how to change. I had to figure out how to use and configure all of the login controls. I had to take side trips to learn how to use the GridView and how to write skin files so the pages wouldn't be as hideous as the ones in the SDK.

I examined the admin tool code in the framework folder and discovered that they're out of date (the code is still using DataGrids rather than the new GridViews). I have also had the built-in admin tool mangle my web.config file half a dozen times. I've read blogs, forums, and culled code from various sources including the SDK. I've Installed and uninstalled four .NET forums as well as Dotnetnuke. I bought two books that were both rip offs. I've read junk for previous versions (i.e. Whidby, 2003, etc.) that no longer apply as well. I've done plenty of searching...the point is I shouldn't have to.

I learned a lot. I have most of it done. The irony? I still can't secure pages in a subfolder after all these weeks of effort. I haven't spent any time on the actual application code I'd rather have spent the time writing. And, as with most programmers security is probably my least favorite topic. You remember the Microsoft web adds with the guy going to the fridge late at night? Well Visual Studio didn't save me any time and I'm still at it.

Re: No Membership/Role Remote Configuration?!?!??!!

ScottGu — Wed, 12 Jul 2006 03:03:17 GMT

Web.config files support the concept of <location> directives that allow you to scope settings to specific files (or folders). So if you want to secure a specific file or set the authorization rules for just one URL, you can use a location directive like this to-do so:

<system.web>

</authorization>

</system.web>

</location>

The above config applies only to the securepage.aspx file, and basically indicates that users within the "subscribers" role have access to it - and everyone not in that role is denied access.

Let me know if this makes sense and solves what you are trying to-do,

Scott

Re: No Membership/Role Remote Configuration?!?!??!!

AWizardInDallas — Wed, 12 Jul 2006 02:26:57 GMT

Okay let me address your points constructively...

1) Easier or not, securing a folder is not what I want. I like to organize things by topic so placing the all code related to security in a single folder and allowing access to only some pages makes more sense to me than having multiple folders. Also see point #2.

2) I have reviewed the SDK code in depth. I looked at the specifc example entitled "Authorizing Access to a Page with Role Manager." The exact description of what I'd like to accomplish. Have a good look at the code if you would. It secures a folder not a page...clearly a misleading example. Otherwise the SDK has no example of securing a page that I can see. The root web.config will not secure pages in a sub folder. I tried it and also tried setting up a web.config file in the subfolder (which is also undesirable because I don't want to maintain multiple web.config files for each folder I want secured).

3) Yes, and I can and have done something similar in ASP. I check a session token and redirect to a login page if they don't have access. So what have I gained with ASP.NET if I have to use the same approach? Nothing that I can see.

So I've still not found an easy way to secure access to singular pages.

Re: No Membership/Role Remote Configuration?!?!??!!

ScottGu — Tue, 11 Jul 2006 07:20:50 GMT

I haven't heard from many people having problems with the Membership/Roles implementations. There are now tens of thousands of sites deployed using them, and I'd definitely recommend going that approach.

This page has a ton of information regarding ASP.NET 2.0 security resources: http://weblogs.asp.net/scottgu/archive/2006/02/24/438953.aspx

Here is a free sample that you can download that implements a remote security management tool for the ASP.NET Membership/Roles system: http://peterkellner.net/archives/2006/01/09/24 The source is fully available, so you can take it and integrate it however you want into your site.

Hope this helps,

Scott

Re: No Membership/Role Remote Configuration?!?!??!!

rjdudley — Mon, 10 Jul 2006 15:22:32 GMT

>I want to be able to restrict access to individual pages?

There are three ways to do this:

1) If you have a lot of related pages, such as an administration tool, it's easier to put all the pages in a subfolder and protect the subfolder.

2) If you want finer control over pages in the same folder, you can protect individual pages in the web.config. You can set access by role or user ID, or both. This example allows only logged-in users to access test.aspx:

Put these sections in your web.config just before the final </configuration> tag.

3a) You can use the User.IsInRole on each individual page, which would be bulky, but effective.

3b) You could create a base page, which inherits from system.web.page, and add your own authorization routine in the page_onload. Then have every page in your site inherit the base page (rather than system.web.page) and your authorization will be applied to every page.

For an example, look at http://www.asp.net/QuickStart/aspnet/doc/security/membership.aspx#progauth.

Re: No Membership/Role Remote Configuration?!?!??!!

AWizardInDallas — Sun, 09 Jul 2006 20:51:20 GMT

I totally agree! I've spent an entire month just building the same functionality from scratch and it wasn't quick and it wasn't easy and it's still not complete, thus the reason I'm trolling through this forum. Also, I would like to point this out: I tried to go to the framework version in my Windows directory and pilfer the code for this functionality. Guess what? It's out of date. It was apparently written for Framework 1.1. The help files read like sterio instructions, the SDK code is crappy and a Google search will show that people all over are having problems with it.

The problem I'm having? I want to be able to restrict access to individual pages? What advice do I get? Move crap into subfolders and secure the folders. So now my file structure is being dictated to me as well. No, thank you...I refuse. It looks like I'll be using redirects as in ASP. What have I gained? Nothing.

I like the concepts behind ASP.NET but it's implementation sucks and it's clearly meant to make third party code and component providers rich by providing out-of-the-box solutions that should be in .NET to begin with.

Re: No Membership/Role Remote Configuration?!?!??!!

dkode — Thu, 06 Jul 2006 17:37:41 GMT

I actually saw the quality data site and considered purchasing that product, but again...I shouldnt have to be purchasing tools that should already be included in features that microsoft is providing.

Sorry, I dont mean to be trolling here, but it's just aggravating to go and spend money on something that I shouldnt have to purchase. Even though it is only $60, I am so discouraged, I am going to develop my own registration system from scratch so I don't even have to use any of microsoft's tools to manage my membership user base.

In addition, after browsing google and other forums, it seems that quite a number of people are having ALOT of problems with the membership/profile/role provider tools that are supplied by microsoft in production websites, so rather then flirt with disaster, I feel more comfortable developing my own system so IF it does break, I at least know where the problem is because it is my code, rather than post on here or google begging for help while my website is going down in flames.

Thanks for your postings.

P.S.
If any "ASP.NET Team" users browse this thread, PLEASE make a note that it is absolutley amazing to me that such a large number of people are having problems with these tools, ESPECIALLY remote management like I am stating here, and try to make it a point to include that feature in the next release. PLEASE!! it will make alot of peoples lives SO much easier. If your going to provide these tools, please provide them from beginning to end, and not half way in between.