How can roles be determined for a resource?

Discussion in 'ASP .Net Security' started by Gery D. Dorazio, Aug 14, 2005.

  1. I am restricting access to a web folder in the web.config file with entries
    like this:

    <location path="Account" allowOverride="false">
      <system.web>
        <authorization>
          <allow roles="User,Admin" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>


    I have a menu system that will only show menu items (URLs) if the user is
    authorized for them. Currently, I manually associate the roles with the URL
    in a menu control file. This essentially duplicates what's in the web.config
    file above. The problem is that the web.config and menu control file can get
    out of sync with each other. If the URL roles could be determined
    programmatically this would not be an issue.

    So how can the roles for a URL be determined programmatically?

    Thanks,
    Gery


    --
    Gery D. Dorazio
    Development Engineer

    EnQue Corporation
    1334 Queens Road
    Charlotte, NC 28207
    (704) 377-3327
    Gery D. Dorazio, Aug 14, 2005
    #1

  2. You can really easily check the roles programmatically with
    Context.User.IsInRole, but that doesn't necessarily solve the problem of the
    roles getting out of sync with what you have in the web.config as they are
    in two different places still.

    If you really wanted a single point of configuration for both, I think you
    might have to consider having some kind of a centralized function that takes
    a URL and an IPrincipal and returns true or false for that. You could then
    dynamically build the menu based on that and write a custom HttpModule for
    authorization that also did the same thing.

    You might also attempt to implement a hybrid where you use the existing
    location tags in web.config to use as the store for this function so that
    you could use the existing UrlAuthorizationModule (the thing that enforces
    the <authorization/> tags in web.config). It would be really easy if the
    UrlAuthorizationModule had the method you need already exposed as you would
    be essentially done, but it does not appear to do so.

    HTH,

    Joe K.

    Joe Kaplan (MVP - ADSI), Aug 14, 2005
    #2

  3. Hi Joe,

    Your observations are exactly what I am running into...some desires would be
    to not write a custom HttpModule and to continue using the existing
    URLAuthorizationModule.

    The centralized function idea appears ideal for this application but that is
    where I am stuck. Here is an initial pass at this function...I don't know
    how to check a URL against an IPrincipal to determine roles:


    using System.Security.Principal;

    String[] allRoles = { "Admin", "User", "Editor" };

    String[] GetUrlAllowableRoles(String targetURL)
    {
        GenericIdentity gi = new GenericIdentity("NoOneInParticular");
        String[] targetRole = new String[1];   // one candidate role per pass
        GenericPrincipal gp;
        for (int i = 0; i < allRoles.Length; i++)
        {
            targetRole[0] = allRoles[i];
            gp = new GenericPrincipal(gi, targetRole);
            // so now what do I do to check it against the targetURL
        }
        return null;   // roles that passed the check would be returned here
    }

    This function would then be used for all the URLs specified in the menu
    control file and the resulting roles added to the menu dataset which is then
    saved as an Application object.


    How can I do the URL to target role check in this function?


    Thanks,
    Gery

    --
    Gery D. Dorazio
    Development Engineer

    EnQue Corporation
    1334 Queens Road
    Charlotte, NC 28207
    (704) 377-3327
    Gery D. Dorazio, Aug 14, 2005
    #3
  4. Like I said, that part is the hard part as you need to parse the web.config
    file and interpret the authorization tags in each location element.

    If I had to do this, I think I would start by reverse engineering the
    UrlAuthorizationModule using a tool like .NET Reflector to see how they are
    doing it. Then, you could write your own version to implement it as you
    need to. I think you may find that it is a bit complicated under there, but
    hopefully it will help.

    The easier way might be to implement your own function based on a list of
    URLs and allowable roles and just try to keep the two in sync. You'll have
    a bit more maintenance to do, but much less work to do on the front end.

    Best of luck with whatever you decide.

    Joe K.

    Joe Kaplan (MVP - ADSI), Aug 14, 2005
    #4
  5. Hello Joe,

    and for 1.1 it is even harder as all the section handlers, e.g. the AuthorizationSection,
    are internal. So you need plain XML parsing and unlike in 2.0 you get no
    strongly typed config access. I would also start looking at UrlAuthorizationModule
    with Reflector - it is not that hard - but you have to get your head around
    that.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    Dominick Baier [DevelopMentor], Aug 14, 2005
    #5
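    As an added example (not code from this thread or from ASP.NET itself), here is the plain-XML route Joe and Dominick describe: read the `<location>` and `<authorization>` elements of a web.config and evaluate them for a URL and a single role, which is what Gery's GetUrlAllowableRoles needs. It assumes a simplified version of UrlAuthorizationModule's rules (first matching rule wins, `*` is everyone, `?` is anonymous, longest matching `<location>` then the root block, no rule at all means allow) and does not merge sub-directory web.config files; the sample web.config is constructed for the example.

    ```csharp
    using System;
    using System.Collections.Generic;
    using System.Xml;

    // Added example: answer "which of my known roles may see this URL?" from the
    // same <authorization> rules the UrlAuthorizationModule enforces.
    // Assumptions (not the module's exact algorithm): rules are tried top to
    // bottom and the first match decides; users="*" matches everyone, users="?"
    // matches anonymous; the longest matching <location> is consulted, then the
    // root <authorization>; no match at all means allowed (ASP.NET's default).
    public static class UrlRoleResolver
    {
        // Constructed sample web.config, embedded so the example runs offline.
        const string SampleConfig = @"<configuration>
      <system.web>
        <authorization><allow users=""*"" /></authorization>
      </system.web>
      <location path=""Account"" allowOverride=""false"">
        <system.web><authorization>
          <allow roles=""User,Admin"" />
          <deny users=""*"" />
        </authorization></system.web>
      </location>
      <location path=""Admin"">
        <system.web><authorization>
          <allow roles=""Admin"" />
          <deny users=""*"" />
        </authorization></system.web>
      </location>
    </configuration>";

        // Same role list as the original post.
        static readonly string[] AllRoles = { "Admin", "User", "Editor" };

        // Does one <allow>/<deny> rule apply to this user name and role set?
        static bool RuleMatches(XmlNode rule, string user, string[] roles)
        {
            XmlAttribute users = rule.Attributes["users"];
            if (users != null)
                foreach (string u in users.Value.Split(','))
                {
                    string t = u.Trim();
                    if (t == "*" || (t == "?" && user.Length == 0) ||
                        string.Equals(t, user, StringComparison.OrdinalIgnoreCase))
                        return true;
                }
            XmlAttribute roleAttr = rule.Attributes["roles"];
            if (roleAttr != null)
                foreach (string r in roleAttr.Value.Split(','))
                    foreach (string have in roles)
                        if (string.Equals(r.Trim(), have, StringComparison.OrdinalIgnoreCase))
                            return true;
            return false;
        }

        // First matching rule in an <authorization> block decides; null = no rule hit.
        static bool? Evaluate(XmlNode auth, string user, string[] roles)
        {
            foreach (XmlNode rule in auth.ChildNodes)
            {
                if (rule.Name != "allow" && rule.Name != "deny") continue;
                if (RuleMatches(rule, user, roles)) return rule.Name == "allow";
            }
            return null;
        }

        // Is a user holding exactly these roles allowed to reach the URL?
        public static bool IsAllowed(XmlDocument config, string url, string user, string[] roles)
        {
            string path = url.TrimStart('~', '/');
            XmlNode best = null; int bestLen = -1;   // most specific <location> wins
            foreach (XmlNode loc in config.SelectNodes("/configuration/location"))
            {
                string lp = loc.Attributes["path"].Value.Trim('/');
                bool hit = string.Equals(path, lp, StringComparison.OrdinalIgnoreCase) ||
                           path.StartsWith(lp + "/", StringComparison.OrdinalIgnoreCase);
                if (hit && lp.Length > bestLen) { best = loc; bestLen = lp.Length; }
            }
            if (best != null)
            {
                XmlNode auth = best.SelectSingleNode("system.web/authorization");
                bool? r = auth == null ? (bool?)null : Evaluate(auth, user, roles);
                if (r.HasValue) return r.Value;
            }
            XmlNode root = config.SelectSingleNode("/configuration/system.web/authorization");
            bool? rr = root == null ? (bool?)null : Evaluate(root, user, roles);
            return rr ?? true;
        }

        // The function the thread asks for: test each known role on its own.
        public static string[] GetUrlAllowableRoles(XmlDocument config, string url)
        {
            List<string> allowed = new List<string>();
            foreach (string role in AllRoles)
                if (IsAllowed(config, url, "NoOneInParticular", new string[] { role }))
                    allowed.Add(role);
            return allowed.ToArray();
        }

        public static void Main()
        {
            XmlDocument doc = new XmlDocument();
            doc.LoadXml(SampleConfig);
            string[] urls = { "~/Account/Profile.aspx", "~/Admin/Users.aspx", "~/Default.aspx" };
            foreach (string url in urls)
                Console.WriteLine(url + " -> " + string.Join(",", GetUrlAllowableRoles(doc, url)));
        }
    }
    ```

    The result is only good for trimming the menu; the per-request decision still belongs to UrlAuthorizationModule, so a link hidden here must still be denied by the module when requested directly.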
  6. Thanks Joe and Dominick,

    It was wishful thinking on my part that there was a programmatic way to use
    some available service to do essentially what the UrlAuthorizationModule is
    doing. I ran into the parsing of the web.config file a while back and that
    whole mechanism is not consistent between the root and other directories
    containing web.config files. (I previously posted that discrepancy but heard
    back from no one...) But aside from that, parsing of the web.config file
    and/or using reflection to determine how the UrlAuthorizationModule is doing
    it was where I concluded I should stop as the effort was not worth it. So
    Joe, your conclusion of just keeping them in sync is what I will be doing.

    Another bit of information also helped this decision. You both are probably
    aware but I will make note of it here for others reading this post that
    ASP.NET 2.0 has sitemaps which contain a role based attribute for URLs. They
    also designed in this same capability which they call 'trimming' to remove
    urls from a menu system which the user is not authorized to use. Assuming
    2.0 production release is in the next 6-12 months I can live with the
    syncing issue and just wait for the capabilities in 2.0.

    Joe and Dominick thanks for your feedback. It is always a pleasure to have
    other developers point out the error of my ways and help keep me out of the
    mud.

    Best regards,
    Gery


    --
    Gery D. Dorazio
    Development Engineer

    EnQue Corporation
    1334 Queens Road
    Charlotte, NC 28207
    (704) 377-3327
    Gery D. Dorazio, Aug 15, 2005
    #6
  7. Ah, I figured 2.0 was a better story and I'm glad to know that it is. I'm
    not really doing a lot with the new ASP.NET features yet as I've been
    concentrating on other 2.0 areas.

    The release date is currently in early November (< 6 months) and there is a
    go-live license for the beta, so you can use it now in production if you
    want.

    Joe K.

    Joe Kaplan (MVP - ADSI), Aug 15, 2005
    #7
  8. Gery,

    I recently ran into a similar issue and with URLAuthorizationModule. I
    was hoping for a convenience method to perform a quick authorization
    check on a url but, as you know, there is none. However, after bumping
    around for a little bit I came up with this...


    using System.Net;

    private bool IsAuthorized(string url)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.PreAuthenticate = true;
        request.Credentials = CredentialCache.DefaultCredentials;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                // A success status means the request got past UrlAuthorizationModule.
                return response.StatusCode != HttpStatusCode.Unauthorized;
            }
        }
        catch (WebException ex)
        {
            // GetResponse throws on a 401 instead of returning it, so the status
            // has to be read from the exception's response.
            HttpWebResponse err = ex.Response as HttpWebResponse;
            if (err != null && err.StatusCode == HttpStatusCode.Unauthorized)
            {
                err.Close();
                return false;
            }
            throw;
        }
    }

    Now I know this isn't the most graceful solution but you could incorporate
    some caching of the allowed URLs and it should be all good.

    Paul Taylor
    Software Programmer
    Northrop Grumman IT
    , Aug 19, 2005
    #8
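An in-process alternative to the loopback request in the post above, as an added example that is not from the thread: it assumes ASP.NET 2.0 or later, whose UrlAuthorizationModule.CheckUrlAccessForPrincipal evaluates the same web.config location rules for a given principal, so a menu can be filtered against web.config without an HTTP round-trip or impersonation. The MenuAuthorization class and its method names are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Configuration;
using System.Web.Security;

// Added example (not from the thread). Assumes ASP.NET 2.0 or later,
// where UrlAuthorizationModule exposes CheckUrlAccessForPrincipal.
public static class MenuAuthorization
{
    // Ask the same engine that enforces the <location> rules whether
    // 'user' may GET 'virtualPath' (e.g. "~/Admin/Default.aspx").
    // No loopback request and no impersonation are involved.
    public static bool CanAccess(string virtualPath, IPrincipal user)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(
            virtualPath, user, "GET");
    }

    // Filter candidate menu URLs down to those the user may open, so the
    // menu and web.config can never disagree: web.config is the only store.
    public static IList<string> VisibleUrls(IEnumerable<string> urls, IPrincipal user)
    {
        List<string> visible = new List<string>();
        foreach (string url in urls)
        {
            if (CanAccess(url, user))
                visible.Add(url);
        }
        return visible;
    }

    // Read the roles named in <allow roles="..."/> for a virtual path,
    // straight from the effective configuration for that path. Useful for
    // auditing; for the menu decision prefer CanAccess, which also honours
    // <deny> rules, user names and rule ordering.
    public static IList<string> AllowedRoles(string virtualPath)
    {
        AuthorizationSection section = (AuthorizationSection)
            WebConfigurationManager.GetSection("system.web/authorization", virtualPath);
        List<string> roles = new List<string>();
        foreach (AuthorizationRule rule in section.Rules)
        {
            if (rule.Action != AuthorizationRuleAction.Allow)
                continue;
            foreach (string role in rule.Roles)
                roles.Add(role);
        }
        return roles;
    }
}
```

From a page, call MenuAuthorization.VisibleUrls(candidateUrls, Context.User) when building the menu.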
  9. Hello ,

    but this will only work if impersonation is turned on - something I would
    not recommend.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Gery,
    >
    > I recently ran into a similar issue and with URLAuthorizationModule.
    > I was hoping for a convenience method to perform a quick authorization
    > check on a url but, as you know, there is none. However, after
    > bumping around for a little bit I came up with this...
    >
    > private bool IsAuthorized(string url)
    > {
    > bool isAuthorized = true;
    > HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    > request.PreAuthenticate = true;
    > request.Credentials = CredentialCache.DefaultCredentials;
    > HttpWebResponse response = (HttpWebResponse)
    > request.GetResponse();
    > if (response.StatusCode == HttpStatusCode.Unauthorized)
    > isAuthorized = false;
    > response.Close();
    > return isAuthorized;
    > }
    > Now I know this isn't most graceful solution but you could in
    > corporate some caching of the allowed URL's and it should be all good.
    >
    > Paul Taylor
    > Software Programmer
    > Northrop Grumman IT
    Dominick Baier [DevelopMentor], Aug 20, 2005
    #9
  10. Gery D. Dorazio

    Paul Taylor Guest

    Dominick,

    I half-agree that impersonation is needed...

    -- The Agreement Part
    In the code snippet I provided earlier, impersonation is necessary but
    not because URL Authorization requires it. It is necessary because
    CredentialCache.DefaultCredentials doesn't contain all the user
    principal information needed to do the access check. To get around
    this problem you don't have to turn impersonation on site-wide
    (web.config), just turn it on right before you get the default
    credentials. I agree that impersonation site-wide can be a nasty thing
    to contend with, but using it programmatically, in a small scope, can
    be extremely useful. Like so:

    using System.Net;
    using System.Security.Principal;
    using System.Web;

    // Lives in a Page or UserControl, where Context is the current HttpContext.
    private bool IsAuthorized(string url)
    {
        bool isAuthorized = true;

        // Impersonate the current user so that DefaultCredentials carries
        // that user's token instead of the worker process identity.
        WindowsImpersonationContext user = null;
        if (Context.User != null &&
            Context.User.Identity is WindowsIdentity)
        {
            WindowsIdentity identity = (WindowsIdentity)Context.User.Identity;
            user = identity.Impersonate();
        }

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.PreAuthenticate = true;
        request.Credentials = CredentialCache.DefaultCredentials;

        try
        {
            // GetResponse() throws WebException for non-success status codes,
            // so a 401 surfaces through the exception, not the return value.
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                isAuthorized = response.StatusCode != HttpStatusCode.Unauthorized;
            }
        }
        catch (WebException ex)
        {
            HttpWebResponse error = ex.Response as HttpWebResponse;
            if (error == null || error.StatusCode != HttpStatusCode.Unauthorized)
                throw;
            error.Close();
            isAuthorized = false;
        }

        // Undo the impersonation. Only reached on the normal path: an
        // exception rethrown above leaves the impersonation in place.
        if (user != null)
            user.Undo();

        return isAuthorized;
    }

    -- The Disagree Part
    Below is my web.config, which does not have impersonation enabled.
    Normal page retrieval works as it should. (i.e. aspx pages in the admin
    directory load when I'm in the group, but provide the security prompt
    when I'm not.)

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <system.web>
        <customErrors mode="RemoteOnly"/>
        <authentication mode="Windows"/>
        <authorization>
          <allow users="*"/>
        </authorization>
        <sessionState mode="InProc"
                      stateConnectionString="tcpip=127.0.0.1:42424"
                      sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                      cookieless="false"
                      timeout="20"/>
      </system.web>
      <location path="Admin">
        <system.web>
          <authorization>
            <allow roles="mydomain\mygroup"/>
            <deny users="*"/>
          </authorization>
        </system.web>
      </location>
    </configuration>
    Paul Taylor, Aug 22, 2005
    #10
  11. Impersonation should only be required here if you have applied a Windows
    file system ACL on that directory using that group in addition to the
    location tag.

    Otherwise, I'm not sure what the impersonation is doing here. What
    resources are being accessed in Windows that require impersonation of the
    authenticated user?

    Joe K.

    "Paul Taylor" <> wrote in message
    news:...
    > Dominick,
    >
    > I half-agree that impersonation is needed...
    >
    > -- The Agreement Part
    > In the code snippet I provided earlier, impersonation is necessary but
    > not because URL Authorization requires it. It is necessary because
    > CredentialCache.DefaultCredentials doesn't contain all the user
    > principal information needed to do the access check. To get around
    > this problem you don't have to turn impersonation on site-wide
    > (web.config), just turn it on right before you get the default
    > credentials. I agree that impersonation site-wide can be a nasty thing
    > to contend with, but using it programmatically, in a small scope, can
    > be extremely useful. Like so:
    >
    > private bool IsAuthorized(string url)
    > {
    > bool isAuthorized = true;
    > // Impersonate the current user.
    > WindowsImpersonationContext user = null;
    > if (Context.User != null &&
    > Context.User.Identity is WindowsIdentity)
    > {
    > WindowsIdentity identity = (WindowsIdentity)
    > Context.User.Identity;
    > user = identity.Impersonate();
    > }
    >
    > HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    > request.PreAuthenticate = true;
    > request.Credentials = CredentialCache.DefaultCredentials;
    > HttpWebResponse response = (HttpWebResponse) request.GetResponse();
    >
    > if (response.StatusCode == HttpStatusCode.Unauthorized)
    > isAuthorized = false;
    >
    > response.Close();
    >
    > // Undo the impersonation.
    > if (user != null)
    > user.Undo();
    >
    > return isAuthorized;
    > }
    >
    > -- The Disagree Part
    > Below is my web.config, which does not have impersonation enabled.
    > Normal page retrieval works as it should. (i.e. aspx pages in the admin
    > directory load when I'm in the group, but provide the security prompt
    > when I'm not.)
    >
    > <?xml version="1.0" encoding="utf-8"?>
    > <configuration>
    > <system.web>
    > <customErrors mode="RemoteOnly"/>
    > <authentication mode="Windows"/>
    > <authorization>
    > <allow users="*"/>
    > </authorization>
    > <sessionState mode="InProc"
    > stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data
    > source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
    > timeout="20"/>
    > </system.web>
    > <location path="Admin">
    > <system.web>
    > <authorization>
    > <allow roles="mydomain\mygroup"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    > </configuration>
    >
    Joe Kaplan \(MVP - ADSI\), Aug 22, 2005
    #11
  12. Hello ,

    then we both agree - because I only argued from the code snippet you sent :)

    Always do impersonation in a try/finally block - if for whatever reason
    your code does not take the normal path of execution, e.g. by encountering
    an exception, you are leaking the thread principal up the call stack. As you
    can imagine, this could lead to interesting results.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Dominick,
    >
    > I half-agree that impersonation is needed...
    >
    > private bool IsAuthorized(string url)
    > {
    > bool isAuthorized = true;
    > // Impersonate the current user.
    > WindowsImpersonationContext user = null;
    > if (Context.User != null &&
    > Context.User.Identity is WindowsIdentity)
    > {
    > WindowsIdentity identity = (WindowsIdentity)
    > Context.User.Identity;
    > user = identity.Impersonate();
    > }
    > HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    > request.PreAuthenticate = true;
    > request.Credentials = CredentialCache.DefaultCredentials;
    > HttpWebResponse response = (HttpWebResponse)
    > request.GetResponse();
    > if (response.StatusCode == HttpStatusCode.Unauthorized)
    > isAuthorized = false;
    > response.Close();
    >
    > // Undo the impersonation.
    > if (user != null)
    > user.Undo();
    > return isAuthorized;
    > }
    > <?xml version="1.0" encoding="utf-8"?>
    > <configuration>
    > <system.web>
    > <customErrors mode="RemoteOnly"/>
    > <authentication mode="Windows"/>
    > <authorization>
    > <allow users="*"/>
    > </authorization>
    > <sessionState mode="InProc"
    > stateConnectionString="tcpip=127.0.0.1:42424"
    > sqlConnectionString="data
    > source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
    > timeout="20"/>
    > </system.web>
    > <location path="Admin">
    > <system.web>
    > <authorization>
    > <allow roles="mydomain\mygroup"/>
    > <deny users="*"/>
    > </authorization>
    > </system.web>
    > </location>
    > </configuration>
    Dominick Baier [DevelopMentor], Aug 22, 2005
    #12
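The loopback probe from the earlier post with the impersonation scoped in a try/finally as advised above, as an added example rather than code from the thread; the HttpContext parameter stands in for the Page's Context property and is an assumption of this example.

```csharp
using System.Net;
using System.Security.Principal;
using System.Web;

// Added example, not from the thread: the probe with impersonation
// undone on every exit path, so the thread identity cannot leak.
public static bool IsAuthorized(HttpContext context, string url)
{
    WindowsIdentity identity = context.User != null
        ? context.User.Identity as WindowsIdentity
        : null;

    // Impersonate only for the duration of the probe. Stays null when the
    // request was not Windows-authenticated; DefaultCredentials would then
    // carry the worker process identity, which is not the user being checked.
    WindowsImpersonationContext impersonation =
        identity != null ? identity.Impersonate() : null;
    try
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
        request.PreAuthenticate = true;
        request.Credentials = CredentialCache.DefaultCredentials;
        try
        {
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                return response.StatusCode != HttpStatusCode.Unauthorized;
            }
        }
        catch (WebException ex)
        {
            // Non-success answers arrive as WebException; a 401 means denied.
            using (HttpWebResponse error = ex.Response as HttpWebResponse)
            {
                if (error != null && error.StatusCode == HttpStatusCode.Unauthorized)
                    return false;
            }
            throw;
        }
    }
    finally
    {
        // Runs whether the probe returned, threw a WebException that was
        // rethrown, or failed in some other way: no leaked impersonation.
        if (impersonation != null)
            impersonation.Undo();
    }
}
```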
  13. Joe, read the whole thread :)


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Impersonation should only be required here if you have applied a
    > Windows file system ACL on that directory using that group in addition
    > to the location tag.
    >
    > Otherwise, I'm not sure what the impersonation is doing here. What
    > resources are being accessed in Windows that require impersonation of
    > the authenticated user?
    >
    > Joe K.
    >
    > "Paul Taylor" <> wrote in message
    > news:...
    >
    >> Dominick,
    >>
    >> I half-agree that impersonation is needed...
    >>
    >> -- The Agreement Part
    >> In the code snippet I provided earlier, impersonation is necessary but
    >> not because URL Authorization requires it. It is necessary because
    >> CredentialCache.DefaultCredentials doesn't contain all the user
    >> principal information needed to do the access check. To get around
    >> this problem you don't have to turn impersonation on site-wide
    >> (web.config), just turn it on right before you get the default
    >> credentials. I agree that impersonation site-wide can be a nasty thing
    >> to contend with, but using it programmatically, in a small scope, can
    >> be extremely useful. Like so:
    >> private bool IsAuthorized(string url)
    >> {
    >> bool isAuthorized = true;
    >> // Impersonate the current user.
    >> WindowsImpersonationContext user = null;
    >> if (Context.User != null &&
    >> Context.User.Identity is WindowsIdentity)
    >> {
    >> WindowsIdentity identity = (WindowsIdentity)
    >> Context.User.Identity;
    >> user = identity.Impersonate();
    >> }
    >> HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    >> request.PreAuthenticate = true;
    >> request.Credentials = CredentialCache.DefaultCredentials;
    >> HttpWebResponse response = (HttpWebResponse) request.GetResponse();
    >> if (response.StatusCode == HttpStatusCode.Unauthorized) isAuthorized
    >> = false;
    >>
    >> response.Close();
    >>
    >> // Undo the impersonation.
    >> if (user != null)
    >> user.Undo();
    >> return isAuthorized;
    >> }
    >> -- The Disagree Part
    >> Below is my web.config, which does not have impersonation enabled.
    >> Normal page retrieval works as it should. (i.e. aspx pages in the
    >> admin
    >> directory load when I'm in the group, but provide the security prompt
    >> when I'm not.)
    >> <?xml version="1.0" encoding="utf-8"?>
    >> <configuration>
    >> <system.web>
    >> <customErrors mode="RemoteOnly"/>
    >> <authentication mode="Windows"/>
    >> <authorization>
    >> <allow users="*"/>
    >> </authorization>
    >> <sessionState mode="InProc"
    >> stateConnectionString="tcpip=127.0.0.1:42424"
    >> sqlConnectionString="data
    >> source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
    >> timeout="20"/>
    >> </system.web>
    >> <location path="Admin">
    >> <system.web>
    >> <authorization>
    >> <allow roles="mydomain\mygroup"/>
    >> <deny users="*"/>
    >> </authorization>
    >> </system.web>
    >> </location>
    >> </configuration>
    Dominick Baier [DevelopMentor], Aug 22, 2005
    #13
  14. Doh!

    I actually did read it but misunderstood what he was saying. I somehow
    inverted the meaning of what he was saying in the agree/disagree part. My
    bad. :)

    Joe K.

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Joe, read the whole thread :)
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    >
    >> Impersonation should only be required here if you have applied a
    >> Windows file system ACL on that directory using that group in addition
    >> to the location tag.
    >>
    >> Otherwise, I'm not sure what the impersonation is doing here. What
    >> resources are being accessed in Windows that require impersonation of
    >> the authenticated user?
    >>
    >> Joe K.
    >>
    >> "Paul Taylor" <> wrote in message
    >> news:...
    >>
    >>> Dominick,
    >>>
    >>> I half-agree that impersonation is needed...
    >>>
    >>> -- The Agreement Part
    >>> In the code snippet I provided earlier, impersonation is necessary but
    >>> not because URL Authorization requires it. It is necessary because
    >>> CredentialCache.DefaultCredentials doesn't contain all the user
    >>> principal information needed to do the access check. To get around
    >>> this problem you don't have to turn impersonation on site-wide
    >>> (web.config), just turn it on right before you get the default
    >>> credentials. I agree that impersonation site-wide can be a nasty thing
    >>> to contend with, but using it programmatically, in a small scope, can
    >>> be extremely useful. Like so:
    >>> private bool IsAuthorized(string url)
    >>> {
    >>> bool isAuthorized = true;
    >>> // Impersonate the current user.
    >>> WindowsImpersonationContext user = null;
    >>> if (Context.User != null &&
    >>> Context.User.Identity is WindowsIdentity)
    >>> {
    >>> WindowsIdentity identity = (WindowsIdentity)
    >>> Context.User.Identity;
    >>> user = identity.Impersonate();
    >>> }
    >>> HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    >>> request.PreAuthenticate = true;
    >>> request.Credentials = CredentialCache.DefaultCredentials;
    >>> HttpWebResponse response = (HttpWebResponse) request.GetResponse();
    >>> if (response.StatusCode == HttpStatusCode.Unauthorized) isAuthorized
    >>> = false;
    >>>
    >>> response.Close();
    >>>
    >>> // Undo the impersonation.
    >>> if (user != null)
    >>> user.Undo();
    >>> return isAuthorized;
    >>> }
    >>> -- The Disagree Part
    >>> Below is my web.config, which does not have impersonation enabled.
    >>> Normal page retrieval works as it should. (i.e. aspx pages in the
    >>> admin
    >>> directory load when I'm in the group, but provide the security prompt
    >>> when I'm not.)
    >>> <?xml version="1.0" encoding="utf-8"?>
    >>> <configuration>
    >>> <system.web>
    >>> <customErrors mode="RemoteOnly"/>
    >>> <authentication mode="Windows"/>
    >>> <authorization>
    >>> <allow users="*"/>
    >>> </authorization>
    >>> <sessionState mode="InProc"
    >>> stateConnectionString="tcpip=127.0.0.1:42424"
    >>> sqlConnectionString="data
    >>> source=127.0.0.1;Trusted_Connection=yes" cookieless="false"
    >>> timeout="20"/>
    >>> </system.web>
    >>> <location path="Admin">
    >>> <system.web>
    >>> <authorization>
    >>> <allow roles="mydomain\mygroup"/>
    >>> <deny users="*"/>
    >>> </authorization>
    >>> </system.web>
    >>> </location>
    >>> </configuration>

    Joe Kaplan \(MVP - ADSI\), Aug 22, 2005
    #14
  15. Gery D. Dorazio

    Paul Taylor Guest

    Dominick,

    Thanks for the try/finally advice!! I'll add it in.

    Paul
    Paul Taylor, Aug 23, 2005
    #15