Permission check for secured subfolders?

Discussion in 'ASP .Net' started by TK, Jul 13, 2004.

  1. TK

    TK Guest

    Excuse me for multiple posting because I've posted this message to
    aspnet.security NG but have not got any response yet.

    I'm building an ASP.NET application that works in Forms Authentication mode with
    a custom user account database. It shows clients a list of hyperlinks to
    content pages located in separate subfolders. This application and
    content pages are entirely secured, so everyone must log on to the
    application. The application pages and most of the content pages are accessible
    to every authenticated client, but some content pages in some specific
    subfolders are served to specific users and groups only. I'm using URL
    authorization to achieve this. Everything works fine now.

    Now what I'm attempting to do is hide/remove hyperlinks to unacceptable
    content from the contents list page. To do this, I want to test the client's
    access rights for every subfolder in the server-side Page_Load() function, so
    as to avoid useless operations by the client user. I don't want to show clients the
    access forbidden message any more.

    How can I do it?
    Help me please.

    best regards,
    TK
    TK, Jul 13, 2004
    #1

  2. Hi TK,

    I think you may be going about this the wrong way. What you really want to
    do is design your application so that people have access to certain areas
    based upon their role. You can then use User.IsInRole(<role>) to determine
    if a user should see a particular page element. You can also use
    <location> elements within your web.config to limit a user's access to
    certain parts of the application.

    Here's a URL you may find helpful:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod18.asp

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.

    Jim Cheshire [MSFT], Jul 13, 2004
    #2

  3. TK

    TK Guest

    Thank you for your help Jim!

    You made my problem clear. Yes, I agree with you that I should use the
    User.IsInRole(<role>) method to check the user's access permission. But where
    can I get the <role> definitions? Do I have to manipulate the Web.config by
    myself to get the <allow><deny> configurations for every subfolder?

    In my application, these secured subfolders are not only located at a flat
    level but are also configured as a nested tree. And the contents manager
    should be able to configure necessary security settings for every subfolder
    anywhere.

    So, if a content page is located at a URL such as
    http://myserver/myapp/folder1/folder2/folder3/content.aspx, then I think I
    have to manipulate Web.config files located in folder3, folder2, folder1,
    myapp and machine.config all by myself.

    Is something like the above the only way for me?
    Are there any classes/methods for me to make things easier?

    best regards,
    TK



    TK, Jul 14, 2004
    #3
  4. TK,

    You assign the roles in the user's database record or simply use the AD
    roles. Doesn't matter.

    As far as assigning which role has access to which resources, <location>
    tags are going to be the best method.

    Jim Cheshire [MSFT]
    MCP+I, MCSE, MCSD, MCDBA
    Microsoft Developer Support


    This post is provided "AS-IS" with no warranties and confers no rights.

    Jim Cheshire [MSFT], Jul 14, 2004
    #4
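
Added example, not part of any post in this thread: on ASP.NET 2.0 and later (released after this discussion), UrlAuthorizationModule.CheckUrlAccessForPrincipal evaluates the same URL authorization rules the question describes, nested Web.config files included, so the link list can be filtered without parsing configuration by hand. The page name, the ContentLinks control, the sample catalogue and the Managers role are assumptions, and role-based rules only match if the application attaches the user's roles to the request principal.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example. Assumed markup in the hypothetical ContentList.aspx:
//   <asp:BulletedList ID="ContentLinks" runat="server" DisplayMode="HyperLink" />
// Assumed rule (constructed) in folder1/folder2/folder3/Web.config:
//   <authorization><allow roles="Managers" /><deny users="*" /></authorization>
public partial class ContentList : Page
{
    // Constructed sample catalogue: { app-relative URL, link text }.
    private static readonly string[][] Catalogue =
    {
        new string[] { "~/folder1/content.aspx", "General notes" },
        new string[] { "~/folder1/folder2/content.aspx", "Team reports" },
        new string[] { "~/folder1/folder2/folder3/content.aspx", "Managers only" }
    };

    protected void Page_Load(object sender, EventArgs e)
    {
        // Rebuild on every request so the list always reflects the
        // principal of the current request, not a copy kept in view state.
        ContentLinks.Items.Clear();

        foreach (string[] entry in Catalogue)
        {
            string path = VirtualPathUtility.ToAbsolute(entry[0]);
            if (CanRead(path, User))
                ContentLinks.Items.Add(new ListItem(entry[1], path));
        }
    }

    // Asks the URL authorization module for its verdict on a GET of this path.
    // The module evaluates the merged <authorization> rules that apply to the
    // path: machine.config, each Web.config from the application root down to
    // the target folder, and any <location> blocks.
    private static bool CanRead(string virtualPath, IPrincipal user)
    {
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }
}
```

Filtering the list only changes what is displayed; the URL authorization rules remain the control that blocks a direct request to a restricted page.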