Asp.Net deny access on certain pages to users

Question

How do I allow access to my web application to a user, but deny them access to a specific page? I want to allow more uses to use an app I've built, but there are a couple pages I don't want them to be able to access.

Here's what I have in the Web.config now.

    <authorization>
        <allow roles="COMPANY\User_1"/>
        <allow roles="COMPANY\User_2"/>
        <allow roles="COMPANY\User_3"/>

        <deny users="*"/>
    </authorization>

==================================================================================== Here's what I have in tag

<system.web>
        <!-- 
            Set compilation debug="true" to insert debugging 
            symbols into the compiled page. Because this 
            affects performance, set this value to true only 
            during development.
        -->
        <customErrors mode="Off"/>
        <compilation debug="true">
            <assemblies>
                <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <add assembly="System.Data.OracleClient, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <add assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
                <add assembly="Microsoft.SqlServer.ConnectionInfo, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845DCD8080CC91"/>
                <add assembly="Microsoft.SqlServer.Smo, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845DCD8080CC91"/>
                <add assembly="Microsoft.SqlServer.SmoEnum, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845DCD8080CC91"/>
                <add assembly="Microsoft.SqlServer.SqlEnum, Version=9.0.242.0, Culture=neutral, PublicKeyToken=89845DCD8080CC91"/></assemblies>
        </compilation>
        <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
        <authentication mode="Windows"/>





    <authorization>
       <allow roles="COMPANY\User_1"/>
       <allow roles="COMPANY\User_2"/>
       <allow roles="COMPANY\User_3"/>

       <deny users="*"/>
    </authorization>



        <identity impersonate="true" userName="COMPANY\User_1" password="password"/>
        <!--
            The <customErrors> section enables configuration 
            of what to do if/when an unhandled error occurs 
            during the execution of a request. Specifically, 
            it enables developers to configure html error pages 
            to be displayed in place of a error stack trace.

        <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
            <error statusCode="403" redirect="NoAccess.htm" />
            <error statusCode="404" redirect="FileNotFound.htm" />
        </customErrors>
        -->
        <pages maintainScrollPositionOnPostBack="true">
            <controls>
                <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
                <add tagPrefix="asp" namespace="System.Web.UI.DataVisualization.Charting" assembly="System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
            </controls>
        </pages>
        <httpHandlers>
            <remove path="*.asmx" verb="*"/>
            <add path="*.asmx" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
            <add path="*_AppService.axd" verb="*" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
            <add path="ScriptResource.axd" verb="GET,HEAD" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>
            <add path="ChartImg.axd" verb="GET,HEAD,POST" type="System.Web.UI.DataVisualization.Charting.ChartHttpHandler, System.Web.DataVisualization, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" validate="false"/>
        </httpHandlers>
        <httpModules>
            <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        </httpModules>
    </system.web>

Brian MacKay · Answer 1 · 2009-08-28T19:25:40.693

8

You can use location tags to control this type of thing.

In this example, I give Customers and Admins access to the CustomersFolder directory:

<location path="CustomersFolder">
    <system.web>
        <authorization>
            <allow roles="Customers, Admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

And with this second block, I then limit access to a certain file under that folder to just Admins:

<location path="CustomersFolder/SecureFile.aspx">
    <system.web>
        <authorization>
            <allow roles="Admin"/>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>

Hopefully something like that will work for you.

edited Aug 28 '09 at 19:25

answered Aug 28 '09 at 19:18

Brian MacKay

31,133
17
86
125

I've got a lot of other things in between the tags. do I need to copy all of it? – FashionHouseJewelry.com Aug 28 '09 at 20:22
You know, I misunderstood your question. For the sake of anyone else who sees this -- no, you don't have to copy the whole system.web contents over. You should be good to go. – Brian MacKay Apr 29 '11 at 19:53

score 0 · Answer 2 · answered Aug 28 '09 at 19:18

This video does a good job of discussing your options. There is also some code:

http://www.asp.net/learn/videos/video-06.aspx

"In this lesson, you will explore the new membership capabilities of ASP.NET 2.0. In addition, you will learn about role-based security, and how you can use roles to control access to your web site."

Asp.Net deny access on certain pages to users

2 Answers2

Linked