Programmatic Forms Authentication

[Tyler Carver]

I'm looking for a provider or some type of programmatic access to beable to
map which URL's in my website need authentication. Using the web.config does
not give me a real time way to say which URL's are authorized. Many of the
URL's in our website are dynamic and allow dynamic authorization schemes.

It seems like there should be an easier way to manage this with 2.0. The
SiteMap provider seems to be a very logical place for me to add roles and
security. I noticed that there is some role use but I believe this is only
for the controls that consume the SiteMap and not for Forms Authentication.

Thanks for any help,
Tyler

 

[Yuan Ren[MSFT]]

Hi Tyler,

Thanks for posting!

For the current issue, my understanding is that you want to management the
authentication of the site. If I have misunderstood anything, please feel
free to let me know.

As far as I know, the "location" element in the web.config file can be used
for the directory or sub directories. I suggest you put the pages which
allow the authorized client to access into the same directory. And then,
you just need mark the path of the directory in the web.config file. The
following link is detail explanation about the "location" element. I hope
this will be helpful.

If you have any issues or concerns, please let me know. It's my pleasure to
be of assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 

[Yuan Ren[MSFT]]

Hi Tyler,

Sorry for carelessness!

The link as below:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/ht
ml/gngrflocationelement.asp

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 

[Dominick Baier [DevelopMentor]]

Hi,

you can use Context.User.IsInRole() to check for the role of the user. If
that fails you can call FormsAuthentication.RedirectToLoginPage

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

For the current issue, my understanding is that you want to
management the authentication of the site. If I have misunderstood
anything, please feel free to let me know.

I think you misunderstood my question. I'm not asking how do I apply
forms authentication to a certain directory or file from the
web.config, I'm asking how do I appliy authentication and
authorization to a URL programmatically. For instance let's say I
have the following 2 URLs that I want to apply roles to:

http://myweb.com/doc.aspx?id=1

I want the following roll:
ServiceA
http://myweb.com/doc.aspx?id=2

I want the following roll:
ServiceB
I want the fact that these two URL's have these rolls to be managed in
a database and then when a request comes in for these URL's I want to
let forms authentication know what authorization and roles to apply to
that URL.

As far as I know, the "location" element in the web.config file can
be used for the directory or sub directories. I suggest you put the
pages which allow the authorized client to access into the same
directory. And then, you just need mark the path of the directory in
the web.config file. The following link is detail explanation about
the "location" element. I hope this will be helpful.

If you have any issues or concerns, please let me know. It's my
pleasure to be of assistance.

I appreciate your input here but it has no relevance to my question.
I know how to control authentication and authorization from the
web.config.

Thanks,
Tyler

 

[Tyler Carver]

For the current issue, my understanding is that you want to management the
authentication of the site. If I have misunderstood anything, please feel
free to let me know.

I think you misunderstood my question. I'm not asking how do I apply forms
authentication to a certain directory or file from the web.config, I'm asking
how do I appliy authentication and authorization to a URL programmatically.
For instance let's say I have the following 2 URLs that I want to apply roles
to:

http://myweb.com/doc.aspx?id=1

I want the following roll:
ServiceA

http://myweb.com/doc.aspx?id=2

I want the following roll:
ServiceB

I want the fact that these two URL's have these rolls to be managed in a
database and then when a request comes in for these URL's I want to let forms
authentication know what authorization and roles to apply to that URL.

As far as I know, the "location" element in the web.config file can be used
for the directory or sub directories. I suggest you put the pages which
allow the authorized client to access into the same directory. And then,
you just need mark the path of the directory in the web.config file. The
following link is detail explanation about the "location" element. I hope
this will be helpful.

If you have any issues or concerns, please let me know. It's my pleasure to
be of assistance.

I appreciate your input here but it has no relevance to my question. I know
how to control authentication and authorization from the web.config.

Thanks,
Tyler

 

[Tyler Carver]

you can use Context.User.IsInRole() to check for the role of the user. If
that fails you can call FormsAuthentication.RedirectToLoginPage

Ya I've thought about writing a Http Module that would check the URL and the
assigned rolls and then do this very thing. Of course you can't control
authentication that way but I could control authorization. I just wish MS
would have added a provider for this, I don't know why it has to be hard
coded in the web.config.

I'm considering this as a work around because the right way to do it is to
have Forms do it's normal job and for me to control what authentication is
assigned to what URL. So I am still interested in a programmatic way to
control the <authorization> element of the <system.web> configuration. This
way I can corretly apply full authentication and authorization. (Also, I
don't mean to imply that I want to programmatically change the Web.Config.)

 

[MikeS]

Not sure if this is what you are after but...

The location tag path can't be made unique based on the querystring but
the sitemap url can.

Sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
<siteMapNode url="~/" title="Home" roles="*">
<siteMapNode title="ServiceA" roles="ServiceA">
<siteMapNode url="~/doc.aspx?id=1" title="Doc" />
</siteMapNode>
<siteMapNode title="ServiceB" roles="ServiceB">
<siteMapNode url="~/doc.aspx?id=2" title="Doc" />
</siteMapNode>
</siteMapNode>
</siteMap>

web.confg:
<siteMap defaultProvider="default">
<providers>
<add name="default" type="System.Web.XmlSiteMapProvider"
siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
</providers>
</siteMap>

<location path="doc.aspx">
<system.web>
<authorization>
<allow roles="ServiceA,ServiceB"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

Or if you want my own cheesy hack then you can spin up your own user
for the specific request...

Protected Sub Application_PostAuthenticateRequest(ByVal sender As
Object, ByVal e As System.EventArgs)
Dim a As HttpApplication = sender
If a.Context.User Is Nothing = False _
AndAlso a.Context.User.Identity.IsAuthenticated _
AndAlso a.Request.AppRelativeCurrentExecutionFilePath =
"~/doc.aspx" _
Then
Dim id As Integer = CInt(Request.QueryString("id"))
Dim gi As GenericIdentity = New
GenericIdentity(a.Context.User.Identity.Name)
Dim r() As String = New String() {"Service" & Chr(64 + id)}
' now supporting A-Z and beyond, TODO: replace with db code.
Dim gp As GenericPrincipal = New GenericPrincipal(gi, r)
a.Context.User = gp
End If
End Sub

This at least breaks the windows rolemanager (Roles.*) for this request
but User.IsInRole, location tag locks and securityTrimming still work.

 

[Tyler Carver]

Hi Mike,

The sitemap stuff looks very interesting.

Sitemap:
...

web.confg:
...

So are you saying that if I add all the roles to the global location, add
only the roles I REALLY want in the site map for the specific location, and
then turn on security trimming, Windows Forms will only use what I have added
as roles in the site map to my specific URL?

If this is true then I can easily write a custom sitemap provider and take
care of all this in the db. Of course I will have to make sure that there
are no security holes in my website given the fact that I have added all
roles to the root. Also, if this is true then I may be peeing in my pants.

Time to get testing. Thanks!

Tyler

 

[Yuan Ren[MSFT]]

Hi Tyler,

Sorry for misunderstood! I think the issue is related to ASP.NET v1.1.

If you want to use the SiteMap to approach your issue, as Michael
mentioned, the security is still be controlled from location. So, your idea
is appropriate, you can write your own provider for current issue. Thanks
for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================