What I have tried so far:
I placed a Web.config in a folder I want to protect with the following content which should grant access to admin, second_level and third_level users only.
<?xml version="1.0"?>
<configuration>
<system.web>
<authorization>
<allow roles="admin"/>
<allow roles="second_level"/>
<allow roles="third_level"/>
<deny roles="first_level"/>
<deny roles="blocked"/>
<deny users="*" />
</authorization>
</system.web>
</configuration>
In the main Web.config I put:
<roleManager enabled="true" defaultProvider="myapp.App_Code.SecurityAppRoleProvider" cacheRolesInCookie="true" createPersistentCookie="false" cookieProtection="All">
<providers>
<clear />
</providers>
</roleManager>
The custom role provider:
namespace myapp.App_Code
{
public class SecurityAppRoleProvider : System.Configuration.Provider.ProviderBase
{
public SecurityAppRoleProvider()
{
var i = 0; // breakpoint here will never be reached?
}
}
}
At this point there are some things I am struggling with:
- The
<deny users="*" />works. The ASP.NET app redirects me to the login page which is the beahvior I need. But the roles are are not considered by web application. Which means all users are currently blocked to access the page even if they are member of roleadmin. SecurityAppRoleProviderwill never be instanced so I guess I need to register the custom role provider else where?- Is not there a default Role Provider which should be used in connection with ASP.Net Identity Framework without code a custom one?
