Do Azure web apps support role based authorization rules from the web.config file

Time:01-21

I have a legacy application which needs moving to Azure web apps. When running it locally in IIS Express, the authorization rules work as expected; however, when it's deployed to an Azure app service, the authorization rules don't seem to have any effect.

The authorization rules are defined in the web config file like this:

<system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" loginUrl="~/Login.aspx" requireSSL="true" timeout="40" />
    </authentication>
</system.web>

<system.webServer>
    <security>
      <authorization>
        <remove users="*" />
        <remove roles="*" />
      </authorization>
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security> 
</system.webServer>

<location allowOverride="false" path="Admin">
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Allow" roles="Admin" />
      </authorization>
    </security>
  </system.webServer>
</location>

I would expect the rule to only allow users with the "Admin" role, but all users can access the page when hosted as an Azure App Service.

Is this method of authorization supported or is there any extra config I need to make it work?

  • I have checked that the roles are being read correctly (the Roles.GetRolesForUser() method returns the correct roles for the logged in user).

  • I have also tried replacing the modules under system.webserver like this:

      <system.webServer>
        <modules runAllManagedModulesForAllRequests="true">
          <remove name="Session" />
          <add name="Session" type="Microsoft.AspNet.SessionState.SessionStateModuleAsync, Microsoft.AspNet.SessionState.SessionStateModule, Version=1.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
          <remove name="FormsAuthenticationModule" />
          <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
          <remove name="UrlAuthorization" />
          <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
          <remove name="DefaultAuthentication" />
          <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
          <remove name="RoleManager"/>
          <add name="RoleManager" type="System.Web.Security.RoleManagerModule" />
        </modules>
        ...
    

CodePudding user response:

Yes, it is possible to define the roles in web.config by enabling the role manager and adding the users category allowing access to a specific path/location of the web page.

Role Cache Cookie Configuration Options:

<roleManager enabled="true"
             defaultProvider="SecurityTutorialsSqlRoleProvider"
             cacheRolesInCookie="true"
             createPersistentCookie="false"
             cookieProtection="All">
    <providers>
    ...
    </providers>
</roleManager>

Here is the practical code provided by Microsoft. Please refer to it for more information.

  1. https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-security/roles/role-based-authorization-cs
  2. https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/aspnet/www-authentication-authorization/authorization-permissions

CodePudding user response:

For completeness, I've amended my web.config file in the question to the following to get it working. Note the use of system.web instead of system.webServer:

<system.web>
    <authentication mode="Forms">
        <forms cookieless="UseCookies" loginUrl="~/Login.aspx" requireSSL="true" timeout="40" />
    </authentication>
    <authorization>
        <deny users="*"/>
    </authorization>
</system.web>

<location allowOverride="false" path="Admin">
    <system.web>
        <authorization>
            <allow roles="Admin" />
        </authorization>
    </system.web>
</location>
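To make the effect of the accepted configuration concrete, here is an added example (not part of the original question or answers) that models how ASP.NET's `system.web/authorization` rules are evaluated: rules from the matching `<location>` are checked before the site-wide rules, the first rule that matches the user wins, and if nothing matches the machine-level default `<allow users="*"/>` applies. The `WEB_CONFIG` string and the users are constructed for the demonstration; the evaluator is a simplified model written for this illustration, not ASP.NET's own code. It shows that with the config above an "Admin" user reaches `/Admin/...`, every other user is refused there, and, because the site-wide rule is `<deny users="*"/>` with no site-wide `<allow>`, even the Admin user is denied outside the `Admin` path.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class User:
    name: Optional[str]      # None models an anonymous (unauthenticated) request
    roles: FrozenSet[str]


# Constructed web.config excerpt mirroring the working config from the answer above.
WEB_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""


def _rules_in(elem):
    """Return the (allow|deny, attributes) rules under elem/system.web/authorization."""
    auth = elem.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, r.attrib) for r in auth if r.tag in ("allow", "deny")]


def collect_rules(config_xml, request_path):
    """Order rules the way ASP.NET merges them: most specific <location> first,
    then the site-wide <system.web> rules (child config precedes parent config)."""
    root = ET.fromstring(config_xml)
    req = request_path.strip("/").lower()
    matching = []
    for loc in root.findall("location"):
        p = loc.get("path", "").strip("/").lower()
        if p and (req == p or req.startswith(p + "/")):
            matching.append((len(p), loc))
    rules = []
    for _, loc in sorted(matching, key=lambda t: -t[0]):
        rules.extend(_rules_in(loc))
    rules.extend(_rules_in(root))
    return rules


def _matches(attrs, user, verb):
    """A rule matches when its verbs (if any) include the request verb and the user
    matches any listed user ('*' = everyone, '?' = anonymous, or a name) or any listed role."""
    verbs = attrs.get("verbs")
    if verbs and verb.upper() not in [v.strip().upper() for v in verbs.split(",")]:
        return False
    for u in attrs.get("users", "").split(","):
        u = u.strip()
        if u == "*":
            return True
        if u == "?" and user.name is None:
            return True
        if u and user.name is not None and u.lower() == user.name.lower():
            return True
    user_roles = {r.lower() for r in user.roles}
    for r in attrs.get("roles", "").split(","):
        r = r.strip().lower()
        if r and r in user_roles:
            return True
    return False


def is_authorized(config_xml, request_path, user, verb="GET"):
    """First matching rule decides; with no match, the root default <allow users="*"/> applies."""
    for tag, attrs in collect_rules(config_xml, request_path):
        if _matches(attrs, user, verb):
            return tag == "allow"
    return True


if __name__ == "__main__":
    admin = User("alice", frozenset({"Admin"}))
    member = User("bob", frozenset({"Member"}))
    anon = User(None, frozenset())
    for path in ("/Admin/Users.aspx", "/Default.aspx"):
        for u in (admin, member, anon):
            print(path, u.name or "<anonymous>", "->", is_authorized(WEB_CONFIG, path, u))
```

Running the script walks each constructed user over an `/Admin/` page and a root page, which is a quick way to sanity-check a rule set before deploying it: if the root page result for a non-admin user is not what you intend, the site-wide `<deny users="*"/>` is the line to revisit.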