Hello.

VS2005 Pro, SP1, ASP.Net 2.0, .Net 2.0, Ajax 1.0.61025, WSE 3.0 web consuming client.

I went through all of the security tutorials by Scott Mitchell and numerous other articles and documentation on security and the web.config.

I'm still unsure of how to control users and roles to web pages.  Am i supposed to have a different web.config in each folder to control who gets access to the pages in the folder?

I read other posts at other sites that say you don't need multiple web.config files, you can do all of the security control in the root web.config.

I'm having a problem with my web site that works fine locally, but it does not do anything after uploading it to my hoster.  My hoster, discountAsp.net, tech support refuses to help with the problem.

Could it be the machine.config that i have on my computer that is different from the machine.config on discount.Asp.net?

Any help that anybody can provide would be gratefully appreciated.

Thanks,
Tony

 You only need one web.config for this.  I have a site on discountasp that is working fine for restricting access to aspx pages with the web.config. 

Can you explain the issue you are having in more detail (ie file extension of the file you are trying to protect)
 

Hello Ken.

I can't figure out why my roles/rules are not working after uploading latest changes to discountAsp.net

I have certain pages that are restricted to role "Administrators". When i test it locally it works fine, but after uploading it to discountASP.net, it does not work the same way.  It just goes back to the deafult.aspx page.

I have one page that will not display certain buttons except for role "Administrators" only and that works fine. It does show the button when i am logged on with "Administrators" role.

The web pages that are not displaying for "Administrators" role has it's own web.config in the folder.

Is there something special i need to do for folders that have their own web.config?

Thanks,
Tony

Here is my root web.config:

<?xml version="1.0"?><!--
    Note: As an alternative to hand editing this file you can use the
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in
    machine.config.comments usually located in
    \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
 <configSections>
  <section name="microsoft.web.services3" type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
   <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
    <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
     <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="Everywhere"/>
     <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
     <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" requirePermission="false" allowDefinition="MachineToApplication"/>
    </sectionGroup>
   </sectionGroup>
  </sectionGroup>
 </configSections>
 
  <connectionStrings>
  <add name="CoyneWebDatabaseConnectionString" connectionString="Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\CoyneWebDatabase.mdf;Integrated Security=True;User Instance=True" providerName="System.Data.SqlClient"/>
 </connectionStrings>
 
  <system.web>
  <roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
   <providers>
    <add name="CustomizedRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="CoyneWebDatabaseConnectionString"/>
   </providers>
  </roleManager>
  <membership defaultProvider="CustomizedMembershipProvider">
   <providers>
    <!--        <add name="CustomizedMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="CoyneWebDatabaseConnectionString" applicationName="/WebServices"/> -->
    <clear/>
    <add name="CustomizedMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="CoyneWebDatabaseConnectionString" applicationName="/CoyneWebServices"/>
   </providers>
  </membership>
  <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
   <providers>
    <add name="XmlSiteMapProvider" description="Default SiteMap provider." type="System.Web.XmlSiteMapProvider " siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
   </providers>
  </siteMap>
  <compilation debug="true">
   <assemblies>
    <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add assembly="System.Web.Extensions.Design, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
    <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
    <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
    <add assembly="Microsoft.ReportViewer.WebForms, Version=8.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
    <add assembly="Microsoft.ReportViewer.Common, Version=8.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
      </assemblies>
   <buildProviders>
    <add extension=".rdlc" type="Microsoft.Reporting.RdlBuildProvider, Microsoft.ReportViewer.Common, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
   </buildProviders>
  </compilation>
  <authentication mode="Forms">
   <forms slidingExpiration="true" timeout="60" loginUrl="default.aspx" defaultUrl="default.aspx"/>
  </authentication>
    <authorization>
      <allow roles="Administrators" />
      <deny users="*" />
    </authorization>

    <!-- Use any of the following values for the styleSheetTheme attribute: "Granite", "Sand", "Paper".-->
  <pages styleSheetTheme="Granite">
   <controls>
    <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
   </controls>
   <namespaces>
    <add namespace="System.Data"/>
    <add namespace="System.IO"/>
   </namespaces>
  </pages>
  <httpHandlers>
   <remove path="*.asmx" verb="*"/>
   <add path="*.asmx" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
   <add path="*_AppService.axd" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
   <add path="ScriptResource.axd" verb="GET,HEAD" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
   <add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false"/>
    </httpHandlers>
  <httpModules>
   <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </httpModules>
  <webServices>
   <soapExtensionImporterTypes>
    <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
   </soapExtensionImporterTypes>
   <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </webServices>
 </system.web>
 
  <microsoft.web.services3>
  <policy fileName="wse3policyCache.config"/>
 </microsoft.web.services3>
 
  <system.webServer>
  <validation validateIntegratedModeConfiguration="false"/>
  <modules>
   <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </modules>
  <handlers>
   <remove name="WebServiceHandlerFactory-Integrated"/>
   <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
   <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
   <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </handlers>
 </system.webServer>
 
  <location allowOverride="true" inheritInChildApplications="true">
    <appSettings>
      <add key="CompanyName" value="George S. Coyne Chemical Co., Inc." />
      <add key="CompanySlogan" value="Start With Quality, Finish With Coyne" />
      <add key="CompanyAddress" value="3015 State Road, Croydon, PA  19021" />
      <add key="CompanyCopyright" value="Copyright 2007 George S. Coyne Chemical Co., Inc. All Rights Reserved." />
      <add key="CompanyURL" value="http://localhost:39733/" />
      <add key="CompanyMailServer" value="mail.club.com" />
      <add key="CompanyMailUsername" value="admin@club.com" />
      <add key="CompanyMailPassword" value="password" />
      <add key="ReportContentUpdate" value="false" />
      <add key="XatanetCompanyName" value="Coyne Chemical" />
      <add key="XatanetUserName" value="xatadl" />
      <add key="XatanetPassword" value="download" />
      <add key="WebMaster" value="webmaster@clubsite.com" />
      <add key="TripExportService.TripExportService" value="http://xatanet.net/xatanetwebservice/TripExportService.asmx" />
    </appSettings>
  </location>
 
</configuration>

Here is a web.config from one of the folders that is not allowing role "Administrators":

<?xml version="1.0" encoding="utf-8"?>
<configuration>
<location path="Default.aspx">
<system.web>
<authorization>
<allow roles="Administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>
</configuration>

Discount asp does not support sql express databases.  I see your membership provider is using one.

http://kb.discountasp.net/article.aspx?id=10411

Hello Ken.

I'm sorry.  I made the mistake of posting my web.config that i use for local testing.  Here is my live connection string:

Hello Ken.

Does my correction to the connectionstring give you any different insight into what the problem could be?

Thanks,
Tony

I am only using a web application project so I can only have 1 web.config so I put all restricted paths in the 1 file. 

<configuration>
  <configSections>
    <sectionGroup name="system.web.extensions" type="System.Web.Configuration.SystemWebExtensionsSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
      <sectionGroup name="scripting" type="System.Web.Configuration.ScriptingSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
        <section name="scriptResourceHandler" type="System.Web.Configuration.ScriptingScriptResourceHandlerSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
        <sectionGroup name="webServices" type="System.Web.Configuration.ScriptingWebServicesSectionGroup, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
          <section name="jsonSerialization" type="System.Web.Configuration.ScriptingJsonSerializationSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="Everywhere"/>
          <section name="profileService" type="System.Web.Configuration.ScriptingProfileServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
          <section name="authenticationService" type="System.Web.Configuration.ScriptingAuthenticationServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
          <section name="roleService" type="System.Web.Configuration.ScriptingRoleServiceSection, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" requirePermission="false" allowDefinition="MachineToApplication"/>
        </sectionGroup>
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="addevents.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="sponsors.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="admin.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="blog/editblog.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="jobs/editjobs.aspx">
    <system.web>
      <authorization>
        <allow roles="admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>

  <appSettings/>

Thanks Ken.

I appreciate your help.

Tony

Hello.

I resolved this issue by adding this  applicationName="/CoyneWebServices" to the end of the CustomizedRoleProvider as indicated below.

  <roleManager enabled="true" defaultProvider="CustomizedRoleProvider">
      <providers>
          <add name="CustomizedRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="CoyneWebDatabaseConnectionString" applicationName="/CoyneWebServices"/>
      </providers>
  </roleManager>

Tony