Custom Roles w/ Windows Authentication?

[Steve Kallal]

I have a need to define roles at the web application level, but still use
Windows Authentication. I want the application to authenticate the user from
the network login. But I do not want to use Active Directory to define the
role. Instead I was hoping for a simple mechanism to decide whether a user
has read only or write permissions. Of course I could use Active Directory to
maintain the roles, but I want to avoid this. So far I have been able to use
the <authorization> section of web.config to decide which users can log in.
The
User.IsInRole("admin")
statement looks for the "admin" role on Active Directory. I would like to
redirect the IsInRole function somewhere else more local to the application
if possible.

Can this be done?

 

[Joe Kaplan \(MVP - ADSI\)]

Sure, there are a bunch of possible approaches to this.

The basic thing to consider is where your custom roles come from. For
example, do you want to store them in SQL, AD, XML, etc. Also, you need to
decide if your custom roles will be mapped based just on user identity or
also based on AD group membership.

Microsoft provides a very interesting API for doing application level
role-based security with great AD integration that you should seriously look
at for this.

If you go with a custom route, the mechanics of it are that you will replace
the WindowsPrincipal in the Context.User property with some custom
IPrincipal class that contains your own roles that are mapped in based on
the data you get from the WindowPrincipal that ASP.NET provides you. You
would hook this in either with an HttpModule or with a global.asax event
handler.

I hope this helps.

Joe K.