Best approach for database/windows authentication integration?

Discussion in 'ASP .Net Security' started by Steve, Jan 15, 2004.

  1. Steve

    Steve Guest

    We have an ASP.NET application that consists of about 10 forms and we
    want to be able to control which user has access to which pages. So
    User A should be able to access pages 3, 4 and 10, and User B should
    be able to access pages 1, 2 and 9 etc. We also want to be able to
    maintain these rules using a set of maintenance tables e.g. add pages,
    groups, users and set up which groups have access to which pages.

    At the moment we are going down the path of creating a set of classes
    to integrate the security in to the front-end, with each page having a
    call at the top of the page that passes in the page name and the
    user's login name and the object will return either True or False as
    to whether they can access the page or not.

    The application is currently set up with Anonymous Access off and Basic
    Authentication & Integrated Windows Authentication turned on, so that
    we can get the user's login name for database auditing purposes.

    However, I've read bits and pieces on the built-in form authentication
    in ASP.NET and I would like to take advantage of it if it will handle
    the scenario I have described.

    We don't require a user to login, aside from the standard IE
    authentication login, and we want to display a custom message if they
    don't have access to the particular page they are trying to access.
    The most important thing is that the security must be driven by our
    maintainable database tables.

    Is there a feature of ASP.NET that allows us to handle this with
    minimal custom code? Or maybe there's a better ASP.NET way of handling
    this?

    Thanks for any assistance you can give me.

    Steve
    Steve, Jan 15, 2004
    #1

  2. Since you are currently using Windows authentication, you might consider
    putting your users into different domain groups and using
    Context.User.IsInRole to determine whether a user is in a certain group or
    not.

    From there, you can decide whether to render the page or show an error. You
    can also use the allow and deny tags in the authorization section of your
    web.config to restrict access to specific pages.

    If you want to switch to Forms authentication, you can do this and still
    take advantage of the same mechanism. The disadvantage is that your code is
    then responsible for building the IPrincipal object that goes in the
    Context.User property and populating the user's role information. With
    Windows authentication, this is all done for you.

    However, you may have a compelling reason to switch to Forms auth (like if
    you can't create the domain groups you need or cannot maintain them the way
    you would like to).

    There are lots of good sample documents on this topic in MSDN.

    Joe K.

    "Steve" <> wrote in message
    news:...
    > We have an ASP.NET application that consists of about 10 forms and we
    > want to be able to control which user has access to which pages. So
    > User A should be able to access pages 3, 4 and 10, and User B should
    > be able to access pages 1, 2 and 9 etc. We also want to be able to
    > maintain these rules using a set of maintenance tables e.g. add pages,
    > groups, users and set up which groups have access to which pages.
    >
    > At the moment we are going down the path of creating a set of classes
    > to integrate the security in to the front-end, with each page having a
    > call at the top of the page that passes in the page name and the
    > user's login name and the object will return either True or False as
    > to whether they can access the page or not.
    >
    > The application is currently set up with Anonymous Access off and Basic
    > Authentication & Integrated Windows Authentication turned on, so that
    > we can get the user's login name for database auditing purposes.
    >
    > However, I've read bits and pieces on the built-in form authentication
    > in ASP.NET and I would like to take advantage of it if it will handle
    > the scenario I have described.
    >
    > We don't require a user to login, aside from the standard IE
    > authentication login, and we want to display a custom message if they
    > don't have access to the particular page they are trying to access.
    > The most important thing is that the security must be driven by our
    > maintainable database tables.
    >
    > Is there a feature of ASP.NET that allows us to handle this with
    > minimal custom code? Or maybe there's a better ASP.NET way of handling
    > this?
    >
    > Thanks for any assistance you can give me.
    >
    > Steve
    Joe Kaplan (MVP - ADSI), Jan 15, 2004
    #2
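
Added example, not part of either post: one way to keep the authenticated login while driving `Context.User.IsInRole` from database tables, by building the `IPrincipal` in `Application_AuthenticateRequest` as the reply describes for Forms authentication. The table and column names, the `SecurityDb` appSettings key, the `Reports` role and `AccessDenied.aspx` are assumptions made for illustration.

```csharp
// Global.asax.cs: added example. Table, column, role and page names are hypothetical.
using System;
using System.Collections;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Runs on every request once the caller has been authenticated.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // unauthenticated requests are left to the <authorization> rules
        // Keep the authenticated identity for auditing; replace only the role list.
        string[] roles = LoadRoles(current.Identity.Name);
        Context.User = new GenericPrincipal(current.Identity, roles);
    }

    // Reads the caller's groups from the maintenance tables (hypothetical schema).
    private static string[] LoadRoles(string login)
    {
        ArrayList roles = new ArrayList();
        string connStr = ConfigurationSettings.AppSettings["SecurityDb"]; // hypothetical key
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT g.GroupName FROM AppUserGroups ug JOIN AppGroups g " +
            "ON g.GroupId = ug.GroupId WHERE ug.LoginName = @login", conn))
        {
            // Parameterized: the login name is never concatenated into the SQL text.
            cmd.Parameters.Add(new SqlParameter("@login", login));
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Add(reader.GetString(0));
        }
        return (string[])roles.ToArray(typeof(string));
    }
}

// Code-behind for one protected page: deny by default, show the custom message page.
public class ReportsPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Context.User.IsInRole("Reports"))
            Server.Transfer("AccessDenied.aspx"); // ends execution of this page
    }
}
```

If the role lookup throws, the request fails rather than running with an empty or stale role list. The query runs on every request, so caching the result per login is a reasonable refinement.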
