Security controls

I’m testing the security controls & authorization. I have one page, activity.aspx (in an "admin" folder), as well as 2 users defined with the configuration tool (WSAT) in a (SQL Express) aspnetdb.mdf. 2 roles are defined, "administrator" and "students", and I have a login page, Login.aspx, specified in my web.config file. On the administrator folder I created the following access rules:
allow administrator role, followed by:
deny all users
First problem: when I try to manage the rules in WSAT, the Move Up and Move Down buttons are grayed out (why?).
Second problem: when I call the admin/activity.aspx page, after providing my credentials in the login page, any authenticated user can reach the page (why?).
I don’t use IIS here, only the personal web server.
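
How ASP.NET URL authorization evaluates the two rules described in the question, as an added example that is not part of the original post: rules are checked top to bottom, the first match decides, and the machine-level allow-all default is applied last. The XML fragment, the user names and the helpers `load_rules` and `is_allowed` are constructed for illustration; the `verbs` attribute is ignored and role names are compared exactly.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the admin folder's web.config as the post describes it
# (allow the "administrator" role, then deny all users).
ADMIN_CONFIG = """
<configuration>
  <system.web>
    <authorization>
      <allow roles="administrator" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
"""

# ASP.NET's machine-level default rule, evaluated after all folder rules.
MACHINE_DEFAULT = [("allow", {"*"}, set())]


def _split(value):
    return {item.strip() for item in value.split(",") if item.strip()}


def load_rules(config_xml):
    """Return [(action, users, roles)] in document order."""
    node = ET.fromstring(config_xml).find("./system.web/authorization")
    children = list(node) if node is not None else []
    return [(r.tag, _split(r.get("users", "")), _split(r.get("roles", "")))
            for r in children if r.tag in ("allow", "deny")]


def is_allowed(rules, user, roles):
    """First matching rule wins; user=None means an anonymous request."""
    for action, rule_users, rule_roles in rules + MACHINE_DEFAULT:
        match = (
            "*" in rule_users                          # every user
            or ("?" in rule_users and user is None)    # anonymous only
            or (user is not None and user in rule_users)
            or bool(rule_roles & set(roles))
        )
        if match:
            return action == "allow"
    return False  # not reached: the machine default matches everyone
```

With these two rules in effect, only members of the administrator role pass. If the folder's rule list is empty or never loaded, the inherited default lets every user through.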

