andycharger, Posted October 10, 2003

I'm still stuck on a post that has become forgotten, with a role authentication issue. I have changed web.config to the following for access to the "procs" directory:

    <location path="procs">
      <system.web>
        <authorization>
          <allow roles="admin"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

This should only allow "admin" roles in, correct? However, when I go to this page it sends me to the login page. I then log in and it continually redirects me to the login page and not the desired "procs" directory. I have hard coded setting a "role" to "admin" and "superadmin" for now, but even that does not work. Can someone solve my dilemma please? Here is my login page code:

    Imports System.Data
    Imports System.Data.SqlClient
    Imports System.Web.Security
    Imports System.Security.Principal

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim strSql As String
        Dim strUsername As String
        Dim strPW As String
        Dim cnSQL As String

        cnSQL = ConfigurationSettings.AppSettings("ConnectionString")
        strUsername = TextBox1.Text
        strPW = TextBox2.Text

        If strUsername = "" Then
            Response.Write("You did not enter a username")
        ElseIf strPW = "" Then
            Response.Write("You did not enter a password")
        Else
            ' Parameter placeholders instead of string concatenation, so the values
            ' typed into the form cannot alter the query text
            strSql = "Select * from Users u, Userroles r where u.username = @username " & _
                     "and u.password = @password and u.userlevel = r.user_id"
            CreateMySqlDataReader(strSql, cnSQL, strUsername, strPW)
        End If
    End Sub

    Public Sub CreateMySqlDataReader(ByVal mySelectQuery As String, _
                                     ByVal myConnectionString As String, _
                                     ByVal userName As String, ByVal password As String)
        Dim myConnection As New SqlConnection(myConnectionString)
        Dim myCommand As New SqlCommand(mySelectQuery, myConnection)
        ' Column lengths (50) are assumed; match them to the Users table
        myCommand.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = userName
        myCommand.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password
        myCommand.Connection.Open()

        Dim strError As String
        Dim myReader As SqlDataReader = myCommand.ExecuteReader(CommandBehavior.CloseConnection)

        If myReader.Read() Then
            Dim ckCookie As New HttpCookie("UserCookie")
            Dim strUserID As String
            strUserID = myReader("UserID").ToString()
            Session("UserID") = myReader("UserID")
            Session("UserName") = myReader("UserName")
            Session("FirstName") = myReader("FirstName")
            Session("UserLevel") = myReader("UserLevel")
            Session("UserType") = myReader("user_type")
            ckCookie.Value = strUserID

            ' This principal is built but never attached to the request or to the
            ' authentication ticket, so the "admin" role does not survive the redirect
            Dim objIdentity As GenericIdentity = New GenericIdentity(myReader("UserName").ToString())
            Dim strRoles() As String = {"admin"}
            Dim objPrincipal As GenericPrincipal = New GenericPrincipal(objIdentity, strRoles)

            FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, PersistCookie.Checked)
        Else
            strError = "Either your username or password were incorrect."
            Response.Write(strError)
        End If

        myReader.Close()
        myConnection.Close()
    End Sub
Derek Stone, Posted October 10, 2003 (edited)

Access is denied because your user object has no roles associated with it as far as the Forms Authentication module is concerned. You need to handle the FormsAuthentication_OnAuthenticate event in global.asax and set the User property of the passed event parameter to a new principal object that has roles defined in it.

    ' global.asax: handler for the Forms Authentication module's Authenticate event
    Public Sub FormsAuthentication_OnAuthenticate(ByVal source As Object, ByVal e As FormsAuthenticationEventArgs)
        Dim roles() As String = {"admin"}
        ' Replace the role-less principal with one carrying the roles
        e.User = New GenericPrincipal(e.User.Identity, roles)
    End Sub

Of course you'll need to retrieve the roles for the currently authenticating user from a database or, less preferably, hardcode them into the event.

Edited October 13, 2003 by Derek Stone
andycharger (Author), Posted October 13, 2003

Hi Derek, thanks for your post. However, I'm still a bit lost! The code you posted, I have pasted into my global.asax file. However, when I compile it, it complains about e.identity. It says "identity is not a member of system.web.security.FormsAuthenticationEventArgs". Eventually, I commented the code out and I put a break point on the sub. It does not get called during the log on procedure. I'm really stuck here. Can you tell me exactly what I need to put where to make it work? Thanks, Andy
Derek Stone, Posted October 13, 2003

It should have read "e.User.Identity", and I have no idea why the event isn't being called. It is raised as soon as an authentication cookie is set. Make sure the portion of your code that sets the cookie is in fact reachable.
esteuart, Posted January 27, 2004 (edited)

I don't get it.... I have read about a hundred forums tonight, but this is the one that comes closest to my problem. I have never used roles before, but I understand their ability. I am trying to assign users who have admin rights (as defined by the DB) to an Admin role. I have to create a custom cookie so that I can set my role string when the user is authenticated. Here is the code:

    If Admin Then
        ' Admin authenticated user: issue a forms ticket whose UserData carries the role
        Dim currentContext As HttpContext = HttpContext.Current
        Dim formsCookieStr As String = String.Empty
        Dim ticket As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, tbUserName.Text, _
            DateTime.Now, DateTime.Now.AddMinutes(30), False, "Admin")
        formsCookieStr = FormsAuthentication.Encrypt(ticket)
        Dim FormsCookie As New HttpCookie(FormsAuthentication.FormsCookieName, formsCookieStr)
        currentContext.Response.Cookies.Add(FormsCookie)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(tbUserName.Text, False))
    End If

I got this code from another forum and it seems logical. The problem is that when the FormsAuthentication_OnAuthenticate function runs it doesn't recognize that there's anyone logged on! Here is the code:

    Public Sub FormsAuthentication_OnAuthenticate(ByVal source As Object, ByVal e As FormsAuthenticationEventArgs)
        If Not e.User Is Nothing Then
            If e.User.Identity.IsAuthenticated Then
                ' Read the role string back out of the ticket's UserData
                Dim id As FormsIdentity = CType(e.User.Identity, FormsIdentity)
                Dim ticket As FormsAuthenticationTicket = id.Ticket
                Dim roles() As String = {ticket.UserData}
                e.User = New System.Security.Principal.GenericPrincipal(e.User.Identity, roles)
            End If
        End If
    End Sub

When it checks e.User, it is nothing, and therefore there is nothing to get the identity from. The weirdest part is that after it doesn't do anything in this function, the user is still authenticated (I know this because I have set a response.write() that tells me whether or not the user has been authenticated). But the user is still not part of the role. Please help!!!

Edited January 27, 2004 by esteuart
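The following is an added example, not code from anyone in this thread. It puts the three pieces discussed above together: the login page from the first post (with the credentials passed as SQL parameters), Derek's point that the roles have to be loaded from the database and attached to a principal, and the ticket-with-UserData technique from the post just above. The roles are restored in Application_AuthenticateRequest rather than in FormsAuthentication_OnAuthenticate, because when the Authenticate event fires the module has not yet decrypted the cookie and e.User is still Nothing; the module builds its role-less principal only after the handler returns without setting e.User. The table and column names (Users, Userroles, role_name), the control names, the 50-character column lengths and the class names are assumptions.

```vbnet
' ---- Login.aspx.vb (code-behind of the login page; assumed names throughout) ----
Imports System.Collections
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Security

Public Class LoginPage
    Inherits System.Web.UI.Page

    Protected WithEvents TextBox1 As System.Web.UI.WebControls.TextBox     ' user name
    Protected WithEvents TextBox2 As System.Web.UI.WebControls.TextBox     ' password
    Protected WithEvents PersistCookie As System.Web.UI.WebControls.CheckBox
    Protected WithEvents Button1 As System.Web.UI.WebControls.Button

    ' Returns the user's roles as a comma-separated string, or Nothing when the
    ' credentials do not match. The typed values travel as parameters, never as
    ' part of the SQL text. Table and column names are assumed.
    Private Function LookupRoles(ByVal userName As String, ByVal password As String) As String
        Dim cn As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString"))
        Dim cmd As New SqlCommand( _
            "SELECT r.role_name FROM Users u INNER JOIN Userroles r ON u.userlevel = r.user_id " & _
            "WHERE u.username = @username AND u.password = @password", cn)
        cmd.Parameters.Add("@username", SqlDbType.VarChar, 50).Value = userName
        cmd.Parameters.Add("@password", SqlDbType.VarChar, 50).Value = password

        Dim found As New ArrayList
        cn.Open()
        Try
            Dim rdr As SqlDataReader = cmd.ExecuteReader()
            While rdr.Read()
                found.Add(rdr.GetString(0))
            End While
            rdr.Close()
        Finally
            cn.Close()
        End Try

        If found.Count = 0 Then Return Nothing
        Return String.Join(",", CType(found.ToArray(GetType(String)), String()))
    End Function

    Private Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
        Dim roles As String = LookupRoles(TextBox1.Text, TextBox2.Text)
        If roles Is Nothing Then
            Response.Write("Either your username or password were incorrect.")
            Return
        End If

        ' RedirectFromLoginPage cannot attach UserData, so the ticket is built and the
        ' cookie written explicitly, as the SDK's FormsAuthenticationTicket example does.
        Dim ticket As New FormsAuthenticationTicket(1, TextBox1.Text, DateTime.Now, _
            DateTime.Now.AddMinutes(30), PersistCookie.Checked, roles)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        If PersistCookie.Checked Then cookie.Expires = ticket.Expiration
        Response.Cookies.Add(cookie)
        Response.Redirect(FormsAuthentication.GetRedirectUrl(TextBox1.Text, PersistCookie.Checked))
    End Sub
End Class

' ---- Global.asax.vb (referenced from the Inherits attribute of Global.asax) ----
Imports System.Security.Principal
Imports System.Web.Security

Public Class MyApplication
    Inherits System.Web.HttpApplication

    ' Runs on every request after the forms module has validated the cookie and put
    ' a GenericPrincipal with a FormsIdentity, but no roles, into Context.User.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Context.User Is Nothing OrElse Not Context.User.Identity.IsAuthenticated Then Return
        If Not TypeOf Context.User.Identity Is FormsIdentity Then Return

        Dim id As FormsIdentity = CType(Context.User.Identity, FormsIdentity)
        Dim roles() As String
        If id.Ticket.UserData = "" Then
            roles = New String() {}          ' Split would give {""}, which is not a role
        Else
            roles = id.Ticket.UserData.Split(","c)
        End If
        ' Replace the role-less principal with one that <allow roles="admin"/> can match
        Context.User = New GenericPrincipal(id, roles)
    End Sub
End Class
```

With this in place the <allow roles="admin"/> rule in web.config matches any user whose ticket UserData contains "admin". The ticket is encrypted and signed with the machineKey (the default protection="All"), so the role list cannot be edited on the client; it is, however, fixed for the life of the ticket, so a role removed in the database takes effect only after the user logs in again. The example keeps the thread's clear-text password comparison so it lines up with the schema discussed; in practice the stored value should be a salted hash and the comparison done against that.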
Derek Stone, Posted January 27, 2004

Forms authentication will only recognize a form authentication ticket, not just any cookie.

esteuart, Posted January 28, 2004

Okay, well the code as you see is using a FormsAuthenticationTicket class. Shouldn't that work?

Derek Stone, Posted January 29, 2004

No. You have to set the cookie using one of the two Forms Authentication methods, not Response.Cookies.Add().

esteuart, Posted January 29, 2004

Will you please give me an example of how it should be? Keep in mind that I need to pass the role string into the cookie so that I can access it in the OnAuthenticate method to know which role to give the user. Thanks.

Derek Stone, Posted January 30, 2004

There's an example in the .NET SDK under System.Web.Security.FormsAuthenticationTicket.

esteuart, Posted January 30, 2004

Okay, that example is nearly word for word my code. The only difference is that I declare some variables and assign to them where MSDN does a lot of it inline. I still don't understand why mine doesn't work! Any suggestions?