ASP.NET 2.0 Authorization based on Combination of Allow/Deny Users/Roles.


Douglas J. Badin

Hi,

The problem with Authorization is that it stops at the first match and doesn't
permit grouping.

On the Web Site, I am trying to secure Page Access and Site Navigation by
implementing the following ASP.NET 2.0 features:

- Membership
- Site Maps
- SiteMap Security Trimming

A User has at least 2 roles, let's say:

- Customer or Vendor

and

- User and/or Manager and/or Accounting

User U1 has the roles:

- Customer
- Accounting
- User

User U2 has the roles:

- Customer
- User

How do I keep U2 out using roles?

Right now, it stops when it sees they are in the Customer Role.

I don't want to deny the User Role because U1 would be stopped.

I would like something like this:

<authorization>
    <deny users="?" />
    <deny users="U3" />
    <allow roles="Customer, Accounting" />
    <allow roles="Vendor, Manager, Accounting" />
</authorization>

or possibly:

<authorization>
    <deny users="?" />
    <deny users="U3" />
    <allow roles="(Customer, Accounting), (Vendor, Manager, Accounting)" />
</authorization>


For the above:

- The allow roles list would be evaluated with a boolean AND.
- The allow elements would be evaluated between each other with a boolean OR.
- The allow and deny elements would be evaluated with a boolean AND.

i.e.

(
    (users <> "?")
    AND
    (users <> "U3")
    AND
    (
        (roles = "Customer" AND roles = "Accounting")
        OR
        (roles = "Vendor" AND roles = "Manager" AND roles = "Accounting")
    )
)



I am currently looking at the possibility of implementing an HttpModule for
AuthenticateRequest. I found an example that checks the
SiteMap.CurrentNode.Roles, but the siteMapNode only permits allows, not
denies.

I could create my own custom nodes:

<siteMapNode
    url="~/Default.aspx"
    title="Home"
    description="Home"
    AllowUsers=""
    DenyUsers="?, U3"
    AllowRoles="(Customer, Accounting), (Vendor, Manager, Accounting)"
    DenyRoles=""
/>

I am not sure if this covers Page Access though.


Or, I can figure out how to get the prevailing web.config denies and allows.


I would check online, but the MSDN servers reply with "Server is too busy"
this morning.



Any other ideas?


Thanks,

Doug

Walter Wang [MSFT]

Hi Douglas,

The roles attribute in <siteMapNode> is used to expand the allowable users,
not to restrict them. This is designed so because Sitemap already
integrates with authentication. In other words, it is the <authorization>
rules in web.config that determine which sitemap node will be displayed
when a user with a specific role logs in. Normally you only need to use the
roles attribute on a sitemap node that doesn't have a url attribute. For
example, add roles="*" when the node is a parent-type node without an actual
url.

I understand that the issue here is that <authorization> rules don't
permit AND/OR combinations of different roles. The <allow> or <deny> rules
are evaluated from top to bottom; whenever a rule succeeds, the remaining
rules will not be evaluated.

To learn how a HttpModule could be built to handle these authorization
rules, you might want to use Reflector
(http://www.aisto.com/roeder/dotnet/) to view the implementation of
System.Web.Security.UrlAuthorizationModule.

Hope this helps.

Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
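Below is the grouped AND/OR rule Douglas sketches, implemented the way Walter suggests: an IHttpModule on the same AuthorizeRequest pipeline event that System.Web.Security.UrlAuthorizationModule uses, with the same 401-plus-CompleteRequest failure path. This is an added example, not code from either post or from Microsoft. The class name, the hard-coded rule set and the assumption that the rule applies to every request in the application are mine; a real site would read the groups from a custom configuration section and key them by path. The syntax is kept to C# 2.0 so it compiles against the .NET 2.0 framework the thread is about.

```csharp
// GroupedRoleAuthorizationModule.cs (added example; not from the thread)
// Register under <system.web> in web.config (classic ASP.NET 2.0 pipeline):
//   <httpModules>
//     <add name="GroupedRoleAuthorization" type="GroupedRoleAuthorizationModule" />
//   </httpModules>
using System;
using System.Security.Principal;
using System.Web;

public class GroupedRoleAuthorizationModule : IHttpModule
{
    // AND inside each inner array, OR across the arrays: the two groups from
    // the thread. Assumed here to apply to every request in the application.
    private static readonly string[][] AllowRoleGroups = new string[][]
    {
        new string[] { "Customer", "Accounting" },
        new string[] { "Vendor", "Manager", "Accounting" },
    };

    // <deny users="U3" />. The anonymous case (<deny users="?" />) is handled
    // via IIdentity.IsAuthenticated below.
    private static readonly string[] DeniedUsers = new string[] { "U3" };

    public void Init(HttpApplication app)
    {
        // Same event UrlAuthorizationModule subscribes to. It fires after
        // AuthenticateRequest and PostAuthenticateRequest, so context.User
        // (and the roles RoleManagerModule attaches) are already populated.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // FormsAuthenticationModule sets this for the login page itself, and
        // UrlAuthorizationModule honours it; so must a replacement.
        if (context.SkipAuthorization)
            return;

        if (IsAuthorized(context.User))
            return;

        // Same failure path as the built-in module: 401 and end the pipeline.
        // FormsAuthenticationModule converts the 401 into a login redirect.
        context.Response.StatusCode = 401;
        context.Response.Write("Access denied.");
        app.CompleteRequest();
    }

    // The decision is a pure function of the principal so it can be tested
    // with a GenericPrincipal (see CheckThreadExamples).
    public static bool IsAuthorized(IPrincipal user)
    {
        // <deny users="?" />
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // <deny users="U3" />: denies are checked before any allow group.
        foreach (string denied in DeniedUsers)
            if (string.Equals(denied, user.Identity.Name, StringComparison.OrdinalIgnoreCase))
                return false;

        // Every role in a group must be held (AND); the first fully-matched
        // group grants access (OR). A partial match does NOT stop evaluation,
        // which is the difference from web.config's first-match walk.
        foreach (string[] group in AllowRoleGroups)
        {
            bool holdsAll = true;
            foreach (string role in group)
            {
                if (!user.IsInRole(role)) { holdsAll = false; break; }
            }
            if (holdsAll)
                return true;
        }

        // No group matched: deny. machine.config's default <authorization>
        // ends with <allow users="*" />; this module deliberately does not.
        return false;
    }

    // The thread's users as constructed sample principals: U1 satisfies the
    // first group; U2 lacks Accounting and satisfies neither; U3 is denied by
    // name even though it holds a complete group; anonymous is denied outright.
    public static bool CheckThreadExamples()
    {
        IPrincipal u1 = new GenericPrincipal(new GenericIdentity("U1"), new string[] { "Customer", "Accounting", "User" });
        IPrincipal u2 = new GenericPrincipal(new GenericIdentity("U2"), new string[] { "Customer", "User" });
        IPrincipal u3 = new GenericPrincipal(new GenericIdentity("U3"), new string[] { "Vendor", "Manager", "Accounting" });
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        return IsAuthorized(u1) && !IsAuthorized(u2) && !IsAuthorized(u3) && !IsAuthorized(anon);
    }
}
```

Two caveats a practitioner would want. First, the check must run at AuthorizeRequest or later: at AuthenticateRequest the forms and role modules may not yet have set context.User and its roles, so IsInRole would answer wrongly. Second, this module protects the page but does not trim the menu: for nodes that carry a url, the built-in XmlSiteMapProvider decides visibility through UrlAuthorizationModule.CheckUrlAccessForPrincipal, i.e. the web.config <authorization> rules, so U2 would still see the "Home" entry. Hiding it requires the node's roles attribute or a custom SiteMapProvider whose IsAccessibleToUser calls the same IsAuthorized logic.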