Permission check for secured subfolders?

Discussion in 'ASP .Net Security' started by TK, Jul 12, 2004.

  1. TK

    TK Guest

    I'm building an ASP.NET application that works in Forms Authentication mode with
    a custom user account database. It shows clients a list of hyperlinks to
    content pages located in separate subfolders. This application and its
    content pages are entirely secured, so everyone must log on to the
    application. The application pages and most of the content pages are accessible
    to every authenticated client, but some of the content pages in some specific
    subfolders are served to specific users and groups only. I'm using URL
    authorization to achieve this. Everything works fine now.

    Now what I'm attempting to do is hide/remove hyperlinks to unacceptable
    content from the content list page. To do this, I want to test the client's
    access rights for every subfolder in the server-side Page_Load() function, so
    that client users avoid useless operations. I don't want to show clients the
    access forbidden message any more.

    How can I do it?
    Help me please.

    best regards,
    TK
     
    TK, Jul 12, 2004
    #1

  2. It seems like there are a couple of options for what you are trying to accomplish. You can either set up the relationships on the database side, i.e., user A belongs to group A. Group A has links 1,2,3,4 associated with it. Get the group name associated with the user at login, then get the appropriate links. OR, you could hold a Session variable that checks the user group/link association, and only display the links associated with each group by showing and hiding panels.

     
    David Coe, MCAD, Jul 14, 2004
    #2

  3. TK

    TK Guest

    Thank you David.

    I agree with your advice, but it does not seem to be a smart solution because I
    would have to implement the access control functionality by myself, while we
    have the URL authorization mechanism built into ASP.NET. I'm looking for a way
    to easily and quickly test the URL authorization settings in each subfolder
    for each client/group on the server side.

    Any idea?
    TK

     
    TK, Jul 14, 2004
    #3
  4. It's the UrlAuthorizationModule which will be able to build up the groups
    and users which can access a particular folder. Unfortunately there isn't
    any API presented by it. The only way I can think of at present is to build
    up a webrequest and try and hit the various subfolders. However, I've been
    trying to implement something along these lines myself, but haven't had any
    success as yet.
     
    Andy Mortimer [MS], Jul 14, 2004
    #4
  5. TK

    TK Guest

    Thank you very much Andy.

    You gave me an important fact: that there aren't any APIs that match my
    requirement.
    I'll consider whether it will be worth the effort to implement it all by myself.

    thanks again,
    TK
     
    TK, Jul 15, 2004
    #5
  6. Ok, we seem to have worked it out. Apparently, the word is, you should be
    restricting your URLs in your top level web.config using the <location>
    element structure.

    Then you need to create a Role for each subfolder, FolderA FolderB etc.

    Then you use that role in the web.config to allow access. (then you never
    touch that part again).

    To allow people access to the folder, you then just add them to the
    appropriate role.

    To then dynamically test for access to folders you use IsInRole. Now
    normally that would just check for membership of the role i.e. if UserA is
    in FolderB role, so we override the IsInRole and have something like:-

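    // Member of a custom principal class derived from a framework principal
    // (for example GenericPrincipal), so that base.IsInRole exists.
    public override bool IsInRole(string role)
    {
        switch (role)
        {
            case "FolderA":
                // "test for folder permissions": TestFolderPermissions is a
                // placeholder name for the check described below.
                return TestFolderPermissions("FolderA");
            case "FolderB":
                return TestFolderPermissions("FolderB");
            default:
                // Any other role: fall back to the normal membership check.
                return base.IsInRole(role);
        }
    }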

    Now the bit above where it says test for folder permissions, should be
    implemented by creating your own section handler using the provided
    framework classes, to read the auth section of your web.config file
    (because our auth is now in our top level web.config.)

    So, the roles are put in web.config, and the above switch is written, then
    that code never changes (unless you add further folders and roles). To
    add/remove people's access to folders, you just add/remove them to the
    appropriate role and the job is done.

    Hope that helps.

    Andy
     
    Andy Mortimer [MS], Jul 23, 2004
    #6
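The link-hiding check asked about in the first post, as an added example that is not part of the original thread or anyone's posted code. It assumes the top-level web.config restricts each subfolder to a role of the same name, as post #6 describes, and that the principal attached to the request already carries those roles (with a custom user database this is typically done in Application_AuthenticateRequest). The page class, control names and Default.aspx target are hypothetical.

```csharp
// Added example. Assumed top-level web.config entry, one per protected folder
// (FolderA/FolderB are the names used in post #6):
//
//   <location path="FolderA">
//     <system.web>
//       <authorization>
//         <allow roles="FolderA" />
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
//
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public class ContentList : Page   // hypothetical code-behind class
{
    // Hypothetical HyperLink controls declared in the .aspx markup.
    protected HyperLink lnkFolderA;
    protected HyperLink lnkFolderB;

    protected void Page_Load(object sender, EventArgs e)
    {
        // One link per protected folder; the role name equals the folder name.
        SetLink(lnkFolderA, "FolderA");
        SetLink(lnkFolderB, "FolderB");
    }

    // Shows the link only when the current principal holds the role that
    // web.config allows for the folder. This is presentation only: the
    // UrlAuthorizationModule still evaluates the <location> rules on every
    // request, so a URL typed by hand is refused regardless of what is shown.
    private void SetLink(HyperLink link, string folderRole)
    {
        bool allowed = User.Identity.IsAuthenticated && User.IsInRole(folderRole);
        link.Visible = allowed;
        // Hypothetical landing page inside the folder; empty when not allowed.
        link.NavigateUrl = allowed ? "~/" + folderRole + "/Default.aspx" : String.Empty;
    }
}
```

Because the role name in the `<allow roles="...">` entry and the string passed to `IsInRole` are the same value, granting or revoking access stays a single change to role membership, and the displayed links follow it.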
