Form authentication is not working in sub folder pages


Problem description


I have been developing a web application project. I have used Asp.Net Membership API to apply security to the application. For security reasons I would like to limit the page access based on Roles.

I have some pages on root folder in my project and a subfolder named Account in my project also. In Account subfolder I have the following pages:

1. CreateRole.aspx
2. AssignRoleToUser.aspx
3. CreateAccount.aspx
4. ManageAccount.aspx
5. Login.aspx

In the root directory there are also some other pages. Now I want the users whose Role is "Users" to be able to access these pages, but all the other Roles cannot access these pages, including Anonymous users. Any attempt to access these pages by an unauthorized role will redirect to the Login.aspx page in the Account subfolder. To do this, I have added a Web.config file in my root folder. In that file I have added the following configurations. These are given below.

    <authentication mode="Forms">
      <forms
        defaultUrl="~/Default.aspx"
        loginUrl="~/Account/Login.aspx"
        slidingExpiration="true"
        timeout="120"
        protection="All"
        cookieless="UseCookies">
      </forms>
    </authentication>
    <machineKey
      decryption="AES"
      validation="SHA1"
      decryptionKey="1513F567EE75F7FB5AC0AC4D79E1D9F25430E3E2F1BCDD3370BCFC4EFC97A541"
      validationKey="32CBA563F26041EE5B5FE9581076C40618DCC1218F5F447634EDE8624508A129" />
    <roleManager enabled="true"
            defaultProvider="CJDMSConnectionStringSqlRoleProvider"
            cacheRolesInCookie="true"
            createPersistentCookie="false"
            cookieProtection="All">
      <providers>
        <add
          name="CJDMSConnectionStringSqlRoleProvider"
          type="System.Web.Security.SqlRoleProvider"
          applicationName="CJDMSApps"
          connectionStringName="CJDMSConnectionString"
          commandTimeout="120"/>
      </providers>
    </roleManager>
    <membership defaultProvider="CJDMSConnectionStringSqlMembershipProvider">
      <providers>
        <clear/>
        <add name="CJDMSConnectionStringSqlMembershipProvider"
            type="System.Web.Security.SqlMembershipProvider"
            connectionStringName="CJDMSConnectionString"
            enablePasswordRetrieval="false"
            enablePasswordReset="true"
            requiresQuestionAndAnswer="false"
            requiresUniqueEmail="true"
            passwordFormat="Hashed"
            maxInvalidPasswordAttempts="5"
            minRequiredPasswordLength="7"
            minRequiredNonalphanumericCharacters="0"
            passwordAttemptWindow="10"
            passwordStrengthRegularExpression=""
            applicationName="CJDMSApps"
          />
      </providers>
    </membership>
    <authorization>
      <allow roles="Users"/>
      <deny users="*"/>
    </authorization>










In the same way I want to limit the access of the Account subfolder pages. I want users with the "Admin" Role to be able to access every page of this subfolder. But other users and roles cannot access these pages. But I want only "anonymous" users to be able to access the "CreateAccount.aspx" and "Login.aspx" pages. But in other cases unauthorized access to the other pages will cause a redirect to the Login.aspx page in the Account subfolder. So I have added another Web.config file in this subfolder and added the following configurations. These are given below:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <authorization>
      <allow roles="Admin, Supervisors"/>
      <deny users="*"/>
    </authorization>
  </system.web>
  <!--Allow all users to visit CreateAccount.aspx & Login.aspx page-->
  <location path="CreateUserAccounts.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>










But the problem is in both cases either access to the root folder pages or subfolder pages, it throws the following exceptions. The exception is:

Access is denied. Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.

I do not find any problem in my code. So can anyone help me to find a suitable solution?

Connection string configuration is given below:

<connectionStrings>
    <add name="CJDMSConnectionString" connectionString="Data Source=.;Initial Catalog=CJDMS;Integrated Security=True" providerName="System.Data.SqlClient" />
  </connectionStrings>

Recommended answer




For that you have to write some extra <location> in your web.config file as per the example given below

<location path="Customer/NewToken.aspx">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Customer">
    <system.web>
      <authorization>
        <allow roles="Customer"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="SuperAdmin"/>
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>











Here path="Customer" and path="Admin" are directories in my case. You can change them as per your need.
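
How `<authorization>` rules like the ones above are evaluated, as an added example (a simplified Python model, not ASP.NET code and not part of the original question or answer): rules are read from the most specific scope up to the root, and the first rule that matches decides. The rule table re-keys the question's two Web.config files by path relative to the application root; the principals `alice` and `bob` are constructed.

```python
# Simplified model of ASP.NET URL authorization: rules are read from the most
# specific scope up to the root, and the first rule that matches decides.
# Not modelled: HTTP verbs, and the built-in exemption for the forms loginUrl.

def rule(action, users=(), roles=()):
    return {"action": action, "users": set(users), "roles": set(roles)}

# Rules from the question, keyed by path relative to the application root
# (the Account/Web.config entries are re-keyed under "Account/...").
QUESTION_RULES = {
    "": [rule("allow", roles=["Users"]), rule("deny", users=["*"])],
    "Account": [rule("allow", roles=["Admin", "Supervisors"]),
                rule("deny", users=["*"])],
    "Account/CreateUserAccounts.aspx": [rule("allow", users=["?"])],
    "Account/Login.aspx": [rule("allow", users=["?"])],
}

# Constructed principals for the walk-through (assumed names).
ANONYMOUS = {"name": None, "roles": set()}
ALICE = {"name": "alice", "roles": {"Users"}}
BOB = {"name": "bob", "roles": {"Admin"}}

def matches(r, user):
    """'*' matches everyone, '?' only anonymous; otherwise a name or a role."""
    if "*" in r["users"]:
        return True
    if user["name"] is None:
        return "?" in r["users"]
    return user["name"] in r["users"] or bool(user["roles"] & r["roles"])

def is_allowed(path, user, rules=QUESTION_RULES):
    parts = path.strip("/").split("/")
    # "Account/Login.aspx" -> ["Account/Login.aspx", "Account", ""]
    scopes = ["/".join(parts[:i]) for i in range(len(parts), -1, -1)]
    for scope in scopes:
        for r in rules.get(scope, []):
            if matches(r, user):
                return r["action"] == "allow"
    return True  # nothing matched: machine-level default is <allow users="*"/>

if __name__ == "__main__":
    for page in ("Default.aspx", "Account/ManageAccount.aspx",
                 "Account/Login.aspx", "Account/CreateAccount.aspx"):
        print(page, {u["name"] or "anonymous": is_allowed(page, u)
                     for u in (ANONYMOUS, ALICE, BOB)})
```

In this model an anonymous request for `Account/CreateAccount.aspx` is denied with the rules as posted, because the `<location>` entry names `CreateUserAccounts.aspx`; a `<location>` exception only applies to the exact path it names.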

