asp.net security:
I am trying to use a custom role provider (along with custom membership/profile providers) to secure some sections of our website. For testing purposes I have implemented a very basic role provider as shown in the code below. In the website I have test.aspx under the secure folder and I use a <location> element in web.config to restrict access to this page to only 'Admin' roles. When this page is accessed in the browser, the login page shows up, but after login all users are allowed to access this page irrespective of their roles. Any help on why this is happening is highly appreciated.

Role Provider:
===========

    using System.Web.Security;

    public class MyRoleProvider : RoleProvider
    {
        // Test stub: only jdoe@test.com is an Admin; every other user is a PowerUser.
        public override string[] GetRolesForUser(string username)
        {
            if (username == "jdoe@test.com")
                return new string[] { "Admin" };
            else
                return new string[] { "PowerUser" };
        }
        . . .
    }

Web.Config Location Element:
=======================

    <location path="Secure/test.aspx">
      <system.web>
        <authorization>
          <deny users="?"/>
          <allow roles="Admin"/>
        </authorization>
      </system.web>
    </location>

Web.Config RoleProvider configuration
=============================

    <roleManager defaultProvider="TestRoleProvider" enabled="true">
      <providers>
        <add name="TestRoleProvider" type="MyRoleProvider" description="Test role provider"/>
      </providers>
    </roleManager>

---------

I notice GetRolesForUser being called after login and returning 'PowerUser' for a username that is not 'jdoe@test.com'. But test.aspx gets displayed after that without any kind of access denied message. Thanks in advance, Seetha
Here you are saying deny unauthenticated users, but if they logged in they are authenticated and so pass the test.

    <deny users="?"/>
    <allow roles="Admin"/>

You want your allows before your denies because the first rule that matches wins, so maybe try:

    <allow roles="Admin"/>
    <deny users="*"/>
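The rule-ordering point made in this answer, as an added example that is not part of the original thread: a small simulation of how ASP.NET walks an <authorization> list top to bottom and stops at the first matching rule, with `?` meaning anonymous users, `*` meaning everyone, and the inherited `<allow users="*"/>` applying when nothing matches. The user names other than jdoe@test.com are constructed for the demonstration.

```python
"""Simulate ASP.NET <authorization> evaluation: first matching rule wins.
Added example, not part of the original thread. '?' matches anonymous users,
'*' matches everyone; with no match the inherited <allow users="*"/> applies."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    authenticated: bool
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Rule:
    action: str          # "allow" or "deny"
    users: tuple = ()    # e.g. ("?",), ("*",), ("jdoe@test.com",)
    roles: tuple = ()    # e.g. ("Admin",)

    def matches(self, user: User) -> bool:
        for u in self.users:
            if u == "*" or (u == "?" and not user.authenticated):
                return True
            if user.authenticated and u.lower() == user.name.lower():
                return True
        return any(r in user.roles for r in self.roles)


def is_authorized(rules, user: User) -> bool:
    """True if `user` may reach the resource guarded by `rules` (in order)."""
    for rule in rules:
        if rule.matches(user):
            return rule.action == "allow"
    return True  # nothing matched: root config's <allow users="*"/> wins


# The thread's original <location> block: deny anonymous, then allow Admin.
ORIGINAL = [Rule("deny", users=("?",)), Rule("allow", roles=("Admin",))]
# The ordering from the answer: allow Admin, then deny everyone else.
FIXED = [Rule("allow", roles=("Admin",)), Rule("deny", users=("*",))]

# Constructed sample users (names other than jdoe@test.com are made up).
ADMIN = User("jdoe@test.com", True, frozenset({"Admin"}))
POWER = User("someone@test.com", True, frozenset({"PowerUser"}))
ANON = User("", False)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label, [is_authorized(rules, u) for u in (ADMIN, POWER, ANON)])
```

With the original ordering the authenticated PowerUser matches neither rule and falls through to the default allow; with the fixed ordering the trailing `deny users="*"` catches every non-Admin.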
Thank you very much. That fixed it. When the users are denied access they are taken back to the login page and I am unable to trap the 'Access Denied' error to display a custom error page. I tried trapping it in Application_Error and with <customErrors> in web.config and couldn't get it. Is there a way to trap this 'Access denied' error when the user is not in a specific role? Thanks, Seetha
Perhaps not link to pages they are not allowed to see in the first place. Otherwise look around this group and the web for that topic.