Best way to implement security scenario

Alex Ayzin

Hi,

I'm pretty new to security issues and understand that my question is
pretty basic. But here we go:

I have a simple webform app. In the application root (Inetpub\wwwroot\appname) I
have a folder that contains a single text file. Only those who have
access (read-only) to that folder (or the text file within the folder) are able to
view the content of the displayed page. I want to create a group of users with
the access (there are only about 10 people or so). Based on that, the user
will or will not be able to view the page. The architect wants me to use Windows
security and does not want me to use the web.config file (allow/deny).

So, I need to create a WindowsIdentity object, then, using it, a
WindowsPrincipal object. Using IsInRole("CustomGroup") will give me a
boolean determining if the user belongs to a group with access. I see the
picture, but I'm a little unclear on how to proceed further. Are my initial
steps in the right direction and what are my next steps? Please advise. Any
code samples are welcome.

Thank you,
--Alex
 
Ken Schaefer

The easiest way to do this would be to:
a) change the NTFS permissions on the file - remove Everyone, and add the
group you want
b) set windows authentication, and identity impersonate=true in web.config
c) remove Anonymous Access in IIS Manager, and enable either Basic or IWA
authentication

Then ASP.NET will require the user to authenticate using a Windows account, and
will use that account when accessing the file. If the user's supplied
credentials do not have NTFS permissions to the file, they'll get an error
(Access Denied). If they do have access, then the page will run.

Obviously, this isn't the most elegant way of doing it, but if it's just a
single page, and you need to get this working in a hurry, that's one
possible method.

Cheers
Ken
 
Alex Ayzin

Thank you for replying, Ken.

1. So, if I understand you correctly, no coding is needed at all, right?

2. How is the .aspx page tied to the security settings of that
subfolder (the one with all of the security settings for the custom group)?

Thanks a lot in advance,
---Alex
 
Ken Schaefer

Hi,

Sorry to take so long to get back to you.
1. No coding required (well, you need to update web.config)
2. NTFS permissions determine which user accounts can view what pages. Give
whatever users/groups allowed to view the page NTFS Read permissions, and
don't give permissions to other users/groups

Cheers
Ken
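
The following PowerShell sketch is an added example, not part of the thread: it applies step a) of Ken's answer (NTFS read access for one group only) and checks that web.config carries the two settings from step b). The subfolder name `ProtectedData`, the domain `EXAMPLE`, and the choice to keep Administrators and SYSTEM on the ACL are assumptions; step c) is still done in IIS Manager.

```powershell
# Added example: run from an elevated prompt on the web server.
param(
    [string]$AppRoot = 'C:\Inetpub\wwwroot\appname',
    [string]$Folder  = 'ProtectedData',        # hypothetical subfolder name
    [string]$Group   = 'EXAMPLE\CustomGroup'   # hypothetical domain; group name as in the question
)
$path = Join-Path $AppRoot $Folder

# Step a) NTFS: stop inheriting from the parent (this drops inherited
# Everyone/Users entries), clear explicit entries, then grant Read to the group.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)    # protected, inherited rules discarded
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
$grants = @(
    @{ Id = $Group;                   Rights = 'Read' },
    # Assumption: keep management access so the folder stays administrable.
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
)
foreach ($g in $grants) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $path -AclObject $acl

# Step b) web.config must contain, under <system.web>:
#   <authentication mode="Windows" />
#   <identity impersonate="true" />
[xml]$cfg = Get-Content -Path (Join-Path $AppRoot 'web.config')
$web = $cfg.configuration.'system.web'
$checks = [ordered]@{
    'authentication mode="Windows"' = ($web.authentication.mode -eq 'Windows')
    'identity impersonate="true"'   = ($web.identity.impersonate -eq 'true')
}
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
    Write-Output ("{0,-8} {1}" -f $state, $name)
}

# Show the resulting ACL so the result can be reviewed: only the three
# identities above should appear, none of them inherited.
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

If impersonation is missing from web.config, the file is read under the worker process account rather than the signed-in user, so the NTFS group check in step a) would not apply to the visitor.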
 
