Last post Sep 29, 2014 02:28 AM by Michelle Ge - MSFT
Sep 26, 2014 10:46 AM|mgambone|LINK
I have restricted web pages for admin to manage users in my web app. In my web.config file, I have this:
<allow users="?" />
<allow roles="Administrator, Manager, User, Temp" />
<allow users="?" />
The problem is, the NoAccess web page pops up sometimes when users navigate from different Views (I'm using MultiView control and a Master Page).
My web app is in VS 2012 using VB.Net, ASP.NET technology and .NET4.5 framework. I'm using SqlMembershipProvider. Because the Admin is in a different county, I have to create web pages so he can add/delete users.
I also have a timeout jquery routine that starts the count down after some period of inactivity. I wonder if there is some conflict somewhere; or is my web config wrong?
Appreciate any help.
Sep 26, 2014 11:34 AM|BrockAllen|LINK
Maybe you want this:
<allow users="*" />
Notice * and not ?. This means allow everyone.
Sep 26, 2014 11:37 AM|mgambone|LINK
I'm sorry. That's a typo. The actual line in my web.config is <allow users="?" />
Sep 26, 2014 12:38 PM|BrockAllen|LINK
That's my point -- you want to mark it as accessible to everyone.
Also, just to clarify, what do you mean by "it pops up" -- do you mean the authentication dialog?
Sep 26, 2014 01:09 PM|mgambone|LINK
That's not the advice I got from this Forum. I was told I should mark NoAccess web page as accessible only to authenticated users. The one that pops up is the NoAccess web page and users have no other choice but to log out and re-login again because it just sits there on the screen. You can't do anything unless you log out. I was also advised to do this in my Global.asax.vb:
Public Sub Application_AuthorizationRequest(sender As Object, e As EventArgs)
If (sender.Request.Path.ToUpper().EndsWith("LOGON.ASPX") And sender.Request.IsAuthenticated) Then
Sep 26, 2014 01:19 PM|BrockAllen|LINK
Ok, then if that's the rule you have for that page (I couldn't tell exactly the issue from the name of the page and the term "pops up"). So yes, that rule you originally put to deny access to anonymous users is correct.
I still don't understand what "pops up" means. Can you describe the flow and page transitions in terms of what's happening and what you want to happen?
Sep 26, 2014 01:43 PM|mgambone|LINK
One scenario: Default page loads after user is authenticated. User enters data in the form. User clicks Save button. User re-enters more data. Clicks another button to run a routine to generate a PDF file. The NoAccess web page instead "pops up". It shouldn't because it's supposed to pop up only if user clicks the "Manage Users" button reserved for Admins. By the way, NoAccess simply tells user, "Sorry. The web page you requested is for authorized users only." Then it's supposed to take user back to Default/Home page. But it doesn't because NoAccess won't go away unless you log out.
There are other scenarios where it just pops up--usually on click events; but I want it to only pop up on the Admin buttons--not just any clickable control.
You're right..."popup" is the wrong choice of word, because it doesn't pop up. It's being loaded (since it's a web page). I don't understand why it's being loaded.
Sep 26, 2014 03:53 PM|BrockAllen|LINK
If the intent of the NoAccess.aspx is to show the user an error message that says they're not allowed, then you should make it available to anyone. So perhaps you do want to change it to allow="*". As for why it's being shown to the user, that's hard to tell -- are you sure you don't have code somewhere (perhaps in global.asax) that's redirecting the user to it (perhaps when the HTTP response status code is 401)?
Sep 26, 2014 04:12 PM|mgambone|LINK
The only code I have in Global.asax is the one I mentioned above (previous post). I'm still not clear on this code. It seems to me that if users are authenticated via the Logon.aspx page, why is it redirecting users to NoAccess page? But I was told to put this in the Global.asax. I previously coded it to redirect users to Default.aspx. But it was redirecting users to Login page instead, so I was told to change it to redirect to NoAccess page.
Sep 29, 2014 02:28 AM|Michelle Ge - MSFT|LINK
<allow users="?" />
So far as I know, if you want to deny anonymous users, please refer to the code below:
<authorization>
<deny users="?"/> <!-- will deny anonymous users -->
</authorization>
For more information, please refer to the link below:
Hope it's useful for you.
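The allow/deny rules discussed in this thread, written out as a complete web.config fragment. This is an added example, not part of any post or of the poster's actual configuration; ManageUsers.aspx is a hypothetical page name, and the role names and NoAccess.aspx are taken from the thread.

```xml
<configuration>
  <system.web>
    <!-- Site-wide rules. ASP.NET checks them top to bottom; the first match wins. -->
    <authorization>
      <deny users="?" />   <!-- "?" = anonymous (not logged in) users -->
      <allow roles="Administrator,Manager,User,Temp" />
      <deny users="*" />   <!-- "*" = everyone: logged-in users with none of the roles -->
    </authorization>
  </system.web>

  <!-- Admin-only page (hypothetical name). Rules in a <location> are checked
       before the site-wide rules above. -->
  <location path="ManageUsers.aspx">
    <system.web>
      <authorization>
        <allow roles="Administrator" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Error page, variant 1: any authenticated user, anonymous users denied.
       The explicit allow is needed; without it an authenticated user with no
       role falls through to the site-wide <deny users="*" />. -->
  <location path="NoAccess.aspx">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <!-- Variant 2 (page visible to everyone): replace the two rules above
       with a single <allow users="*" />. -->
</configuration>
```

With forms authentication, a request denied by these rules is answered by a redirect to the login page even when the user is already logged in, so a logged-in non-admin who requests the admin page sees the login page unless the application redirects elsewhere.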