iis-7web-configasp.net-3.5sqlroleprovider

ASP.NET 3.5 IIS7 Roles Security Implementation


I'm working on a ASP.NET 3.5 application running on IIS7 (Server '08) using the stock MS Forms Authentication and SqlRolesProvider. (I used the aspnet_regsql tool to generate the tables).

We have three roles: SysAdmins, AppAdmins, and Users. All users are in Users, and a user can be in either SysAdmins, AppAdmins or both.

I can't seem to get an Admin directory to block access to users not in SysAdmins and AppAdmins. Either it lets in all logged-in users, or no one.

Here are the relevant bits of my current configuration:

<configuration>
  ...
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="/client/security/login.aspx" timeout="480" />
    </authentication>
    <authorization>
    </authorization>
    <roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
      <providers>
        <clear />
        <add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
      </providers>
    </roleManager>
    ...
  </system.web>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="?" />
      </authorization>
    </security>
    ...
  </system.webServer>
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <remove users="*" roles="" verbs=""/>
          <add accessType="Allow" roles="SysAdmins,AppAdmins" />
        </authorization>
      </security>
    </system.webServer>
    <system.web>
      <authorization>
        <deny users="*"/>
        <allow roles="SysAdmins,AppAdmins"/>
      </authorization>
    </system.web>
  </location>
</configuration>

I believe this configuration currently blocks everyone. I've done similar configurations that block no one.

I suspect the issue lies in using both system.web and system.webserver sections. Any help with getting this configuration working correctly would be greatly appreciated.

UPDATE

Removing the <system.webServer> section from the <location> element makes the .aspx pages in that folder return correctly! Unfortunately, the .js files in that folder are still blocked to all users... Ideally I would like to lock the .js files as well from unpriviledged eyes. So I'm still looking for help.


Solution

  • Even in IIS7 Integrated Pipeline mode, I am successfully using the old IIS6-style authorization blocks. Please try the code below, which includes the following changes:

    1. Added <deny users="?" /> to the first authorization block
    2. Switched the order of <allow> and <deny> in location-specific authorization block
    3. Removed <system.webServer> location-specific authorization blocks
    4. To allow js files through, my best advice is to move them to a separate folder and allow all but anonymous to access that folder (see below). Alternately, you can name each js file in the location's path attribute. That solution is less maintainable, however.

    Please let me know if that works for you!

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms loginUrl="/client/security/login.aspx" timeout="480" />
        </authentication>
        <authorization>
          <deny users="?"/>
        </authorization>
        <roleManager defaultProvider="SqlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName="EquityTouch.Roles" cookieProtection="All" cookieSlidingExpiration="true" cookieTimeout="60">
          <providers>
            <clear />
            <add name="SqlRoleProvider" applicationName="EquityTouch" connectionStringName="SQLProvider" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
          </providers>
        </roleManager>
      </system.web>
    
      <location path="admin">
        <system.web>
          <authorization>
            <allow roles="SysAdmins,AppAdmins"/>
            <deny users="*"/>             
          </authorization>
        </system.web>
      </location>
      <location path="js">
        <system.web>
          <authorization>
            <deny users="?"/>
            <allow users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>