ASP.NET security control

PK

Hi All,

I will be writing an ASP.NET application which requires users to log on
before they can view the particular information.
So here the security control is needed and a must for different users who
have various access levels.

I am wondering what is the best way or a more reliable way to control the
user?
My backend is using SQL Server.

thank you.
 
William F. Robertson, Jr.

I have three objects that assist my team in doing exactly that.

I have a SecurityProvider, Page, SecurityHandler.

The SecurityHandler is an abstract class that holds IsSecurityValid,
CanViewPage, RedirectOnFailure, BuildSecurity. The class derived for each
application must implement these methods.

When my Page object is loading, it looks through the SecurityProvider
(mostly static methods) to see if a SecurityHandler was initialized for the
project (on application start). If it was, it will call IsSecurityValid (if
failure, call BuildSecurity; if failure, call RedirectOnFailure). If the
security information is valid, it will call CanViewPage, passing the current
page name for the current request (if failure, it calls RedirectOnFailure).

Now the SecurityHandler stores a table of pagename, security, and special
permissions that the page object exposes through its Security property (if
the handler was initialized; otherwise an exception is thrown). The page
developers can also request special permission for pages (such as can this
user view change information on the page). The Security property also
stores (as defined in the BuildSecurity method) data on the specific
session, such as name, group, role, etc., that can be easily accessed at the
page level.

The security for all our apps is driven by SQL and loaded once during page
information.

HTH,

bill
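
A minimal sketch of the page-load flow described in this post, added here as an illustration and not the poster's own code. The method signatures, the `Initialize` method and the `SecuredPage` class name are assumptions; only the four method names and the `SecurityProvider`/`SecurityHandler` roles come from the post.

```csharp
// Added illustration; all signatures are assumptions, not the poster's code.
using System;
using System.Web;
using System.Web.UI;

public abstract class SecurityHandler
{
    // True when this session already holds security data from BuildSecurity.
    public abstract bool IsSecurityValid(HttpContext ctx);
    // Loads name, group, role and the page permission table (e.g. from SQL Server).
    public abstract bool BuildSecurity(HttpContext ctx);
    // Should return false for a page name missing from the table (deny by default).
    public abstract bool CanViewPage(HttpContext ctx, string pageName);
    public abstract void RedirectOnFailure(HttpContext ctx);
}

public static class SecurityProvider
{
    // Null until Initialize is called from Application_Start in Global.asax.
    public static SecurityHandler Handler { get; private set; }
    public static void Initialize(SecurityHandler handler)
    {
        if (handler == null) throw new ArgumentNullException("handler");
        Handler = handler;
    }
}

public class SecuredPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        SecurityHandler h = SecurityProvider.Handler;
        if (h != null) // as in the post: checks run only if a handler was initialized
        {
            // FilePath excludes trailing path info, so "/a.aspx/x" still maps to a.aspx.
            string pageName = System.IO.Path.GetFileName(Request.FilePath);
            // Valid session, or one that can be built now, AND permission for this page.
            bool allowed = (h.IsSecurityValid(Context) || h.BuildSecurity(Context))
                           && h.CanViewPage(Context, pageName);
            if (!allowed)
            {
                h.RedirectOnFailure(Context);
                // End the response so no protected markup renders after the redirect.
                Response.End();
            }
        }
        base.OnInit(e);
    }
}
```

Each application would derive one concrete handler from `SecurityHandler` and register it once at application start; pages then inherit from `SecuredPage` so the check cannot be forgotten on an individual page.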
 
PK

Could you send me a sample application?


William F. Robertson said:
I have three objects that assist my team in doing exactly that.

I have a SecurityProvider, Page, SecurityHandler.

The SecurityHandler is an abstract class that holds IsSecurityValid,
CanViewPage, RedirectOnFailure, BuildSecurity. The class derived for each
application must implement these methods.

When my Page object is loading, it looks through the SecurityProvider
(mostly static methods) to see if a SecurityHandler was initialized for the
project (on application start). If it was, it will call IsSecurityValid (if
failure, call BuildSecurity; if failure, call RedirectOnFailure). If the
security information is valid, it will call CanViewPage, passing the current
page name for the current request (if failure, it calls RedirectOnFailure).

Now the SecurityHandler stores a table of pagename, security, and special
permissions that the page object exposes through its Security property (if
the handler was initialized; otherwise an exception is thrown). The page
developers can also request special permission for pages (such as can this
user view change information on the page). The Security property also
stores (as defined in the BuildSecurity method) data on the specific
session, such as name, group, role, etc., that can be easily accessed at the
page level.

The security for all our apps is driven by SQL and loaded once during page
information.

HTH,

bill
 
