Add extra parameter to Login/Membership - ASP 2.0

Discussion in 'ASP .Net Security' started by David Sack, Oct 24, 2005.

  1. David Sack

    David Sack Guest

    I hope I can explain this properly. I have a time keeping site that hosts
    multiple companies' data in a single database. I would like the logins to be
    unique for each company but not across the entire site (i.e. I could have
    two jsmith logins as long as they are with separate companies).

    I would like to add a drop down box to the login that allows the user to
    select the company that they are with. By adding a "site" column to the
    users table I would be able to partition the users so that they would be
    authenticated only against the id that has a "site" that matches theirs.

    Does this require creating a custom membership provider? I have written
    my own authentication routines in the past and can do so for this project
    but I would really like to leverage the existing membership/role capability
    of ASP2. I'm not sure that I have the skills needed to write a custom
    membership provider. I just want to make sure that I wasn't missing
    anything.

    Thanks
    Dave
     
    David Sack, Oct 24, 2005
    #1

  2. Hello David,

    can you "misuse" the ApplicationName for that??

    otherwise i guess you need a custom provider.
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 25, 2005
    #2

  3. David Sack

    David Sack Guest

    Thanks for the response. I think the Application name is set
    automatically by settings in the web config? I would like to pass the value
    from my login.aspx form to be used as part of the authentication process.
    Kinda like saying to the server please check user "jsmith" with password
    "xxxx" from Site (from drop down) "1".

    Thanks again,

    Dave


     
    David Sack, Oct 25, 2005
    #3
  4. Hello David,

    smells like custom provider...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 25, 2005
    #4
  5. David Sack

    David Sack Guest

    That's what I was afraid of. Do you know of any good "How to's" or
    tutorials on the subject? Thanks again for the response. It is greatly
    appreciated.

    Thanks
    Dave

     
    David Sack, Oct 25, 2005
    #5
  6. David Sack

    David Sack Guest

    Something kind of clicked when I thought about this after the fact. As
    far as I can tell the ApplicationID is set from the Web.Config file. If I
    were to create application directories under my home directory that had a
    different ApplicationID specified then create a login form on that directory
    that would redirect on a successful login to the main menu page in the
    parent web directory it would use the sub-application's authentication to
    allow access based upon the ApplicationID.

    I have tested it quickly and it seems to work. I don't know how it will
    affect overall security or the use of roles? I would also have to create a
    sub-application login directory for each unique site that would be accessing
    the site. That could turn into a pain.

    Let me know what you think?

    Thanks again,
    Dave
     
    David Sack, Oct 25, 2005
    #6
  7. Hello David,

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspp/html/ASPNETProvMod_Intro.asp
    this is a good starting point
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 25, 2005
    #7
  8. Hello David,

    this is fine for Membership - but the role provider, or more specifically
    the RoleManagerModule is called on every request in your local application.
    It subscribes to PostAuthenticateRequest in the HTTP pipeline to get the
    roles for the user and sets Context.User. This will pick up the ApplicationID
    of your local application.

    so i think this will not work...

    To be honest, i think a provider will not work at all for you ...

    Let's say you have written your own provider with a new ValidateUser method
    that takes an additional application name as parameter - how do you want
    to teach the login control the trick (without templating and basically rebuilding
    it) ??

    Well - you could subclass the SqlMembershipProvider and add an ApplicationName
    property that you set on Application_Start e.g. - not a perfect solution
    - but again this means you have to override ValidateUser and quite a number
    of other methods.

    On the other hand - if you don't use the new security controls - why would
    you go through the hassle of building a provider - most probably you'll only
    need 60% of the functionality.

    So why not simply go for your own compact authentication library that does
    exactly what you want - deploy it in the GAC and use it from all your apps??

    providers are no panacea (unfortunately).

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 25, 2005
    #8
  9. David Sack

    David Sack Guest

    Hadn't thought about the re-writing of the controls beyond the Login
    control. I think that you are correct, it will be more work adjusting the
    existing membership provider and others than just creating what I need
    specifically for this application. Thanks so much for the input, it was of
    great value. BTW, I had a chance to take a look at your web site, great
    stuff.

    Thanks
    Dave

     
    David Sack, Oct 25, 2005
    #9
  10. Hello David,

    in fact, it is easier than i thought -

    you can subclass the providers and just override the ApplicationName property
    - in the getter you can dynamically fetch the ApplicationName as all of the
    provider methods use the property only.

    you could e.g. set Context.Items["appname"] to your app/client name before
    calling the ValidateUser method (via the login control) - and read it in
    the getter again

    there may be some testing involved to get that right for the RoleManager..but
    i think this will work.

    Again - if it makes more sense to tweak the providers vs. building your own
    stuff - you decide.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Oct 28, 2005
    #10
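
Added example, not code from the thread: one way to realize the approach in post #10, subclassing the SQL providers and overriding only the `ApplicationName` getter so it reads the tenant from `Context.Items["appname"]`. `TenantContext`, the `Tenant*` class names, the constructed allow-list and carrying the tenant in the forms ticket's `UserData` are assumptions; the sketch relies on the post's statement that the provider methods read the property.

```csharp
using System;
using System.Web;
using System.Web.Security;

// Hypothetical helper: holds the tenant (company) for the current request only.
public static class TenantContext
{
    private const string Key = "appname";   // the Context.Items key named in the post

    // Constructed allow-list; load the real company names from your own store.
    private static readonly string[] KnownTenants = { "CompanyA", "CompanyB" };

    public static void Set(string tenant)
    {
        // The drop-down value is client-supplied, so accept only known tenants.
        if (Array.IndexOf(KnownTenants, tenant) < 0)
            throw new ArgumentException("Unknown tenant.");
        HttpContext.Current.Items[Key] = tenant;
    }

    public static string Current
    {
        get
        {
            HttpContext ctx = HttpContext.Current;
            return ctx == null ? null : ctx.Items[Key] as string;
        }
    }
}

// Membership provider whose application partition follows the current request.
public class TenantSqlMembershipProvider : SqlMembershipProvider
{
    public override string ApplicationName
    {
        // When no tenant is set, fall back to the applicationName from web.config.
        // Point that at an application with no users so the fallback
        // authenticates nobody.
        get { return TenantContext.Current ?? base.ApplicationName; }
        set { base.ApplicationName = value; }
    }
}

// Same override for roles, so role lookups use the same partition as the login.
public class TenantSqlRoleProvider : SqlRoleProvider
{
    public override string ApplicationName
    {
        get { return TenantContext.Current ?? base.ApplicationName; }
        set { base.ApplicationName = value; }
    }
}

// Global.asax code-behind. Context.Items lives for one request only, so the
// tenant has to be restored on every later request before RoleManagerModule
// runs at PostAuthenticateRequest. Taking it from the encrypted forms ticket
// (assumed to carry the tenant in UserData, written at login) keeps the client
// from switching partitions after authentication, and disambiguates two
// "jsmith" accounts that belong to different companies.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity id =
            Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (id != null && !string.IsNullOrEmpty(id.Ticket.UserData))
            TenantContext.Set(id.Ticket.UserData);
    }
}
```

At login, call `TenantContext.Set` with the selected company from the Login control's `LoggingIn` event, and register both classes as the default providers in the `membership` and `roleManager` sections of web.config.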
