Programmatic Forms Authentication

Discussion in 'ASP .Net Security' started by Tyler Carver, Feb 21, 2006.

  1. Tyler Carver

    Tyler Carver Guest

    I'm looking for a provider or some type of programmatic access to be able to
    map which URLs in my website need authentication. Using the web.config does
    not give me a real-time way to say which URLs are authorized. Many of the
    URLs in our website are dynamic and allow dynamic authorization schemes.

    It seems like there should be an easier way to manage this with 2.0. The
    SiteMap provider seems to be a very logical place for me to add roles and
    security. I noticed that there is some role use but I believe this is only
    for the controls that consume the SiteMap and not for Forms Authentication.

    Thanks for any help,
    Tyler


    --
    ------------------
    Tyler Carver
    tylercarver.com
     
    Tyler Carver, Feb 21, 2006
    #1

  2. Hi Tyler,

    Thanks for posting!

    For the current issue, my understanding is that you want to manage the
    authentication of the site. If I have misunderstood anything, please feel
    free to let me know.

    As far as I know, the "location" element in the web.config file can be used
    for the directory or sub directories. I suggest you put the pages which
    allow the authorized client to access into the same directory. And then,
    you just need to mark the path of the directory in the web.config file. The
    following link is a detailed explanation about the "location" element. I hope
    this will be helpful.

    If you have any issues or concerns, please let me know. It's my pleasure to
    be of assistance.

    Regards,

    Yuan Ren [MSFT]
    Microsoft Online Support
    ======================================================
    PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
    updated on February 14, 2006. Please complete a re-registration process
    by entering the secure code mmpng06 when prompted. Once you have
    entered the secure code mmpng06, you will be able to update your profile
    and access the partner newsgroups.
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader
    so that others may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ======================================================
     
    Yuan Ren[MSFT], Feb 22, 2006
    #2

  3. Hi Tyler,

    Sorry for carelessness!

    The link is below:
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrflocationelement.asp

    Regards,

    Yuan Ren [MSFT]
    Microsoft Online Support
     
    Yuan Ren[MSFT], Feb 22, 2006
    #3
  4. Hi,

    You can use Context.User.IsInRole() to check for the role of the user. If
    that fails you can call FormsAuthentication.RedirectToLoginPage.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > ""Yuan Ren[MSFT]"" wrote:
    >
    >> For the current issue, my understanding is that you want to
    >> manage the authentication of the site. If I have misunderstood
    >> anything, please feel free to let me know.
    >>

    > I think you misunderstood my question. I'm not asking how do I apply
    > forms authentication to a certain directory or file from the
    > web.config, I'm asking how do I apply authentication and
    > authorization to a URL programmatically. For instance let's say I
    > have the following 2 URLs that I want to apply roles to:
    >
    > http://myweb.com/doc.aspx?id=1
    >
    > I want the following role:
    > ServiceA
    > http://myweb.com/doc.aspx?id=2
    >
    > I want the following role:
    > ServiceB
    > I want the fact that these two URLs have these roles to be managed in
    > a database and then when a request comes in for these URLs I want to
    > let forms authentication know what authorization and roles to apply to
    > that URL.
    >
    >> As far as I know, the "location" element in the web.config file can
    >> be used for the directory or sub directories. I suggest you put the
    >> pages which allow the authorized client to access into the same
    >> directory. And then, you just need to mark the path of the directory in
    >> the web.config file. The following link is a detailed explanation about
    >> the "location" element. I hope this will be helpful.
    >>
    >> If you have any issues or concerns, please let me know. It's my
    >> pleasure to be of assistance.
    >>

    > I appreciate your input here but it has no relevance to my question.
    > I know how to control authentication and authorization from the
    > web.config.
    >
    > Thanks,
    > Tyler
     
    Dominick Baier [DevelopMentor], Feb 22, 2006
    #4
  5. Tyler Carver

    Tyler Carver Guest

    ""Yuan Ren[MSFT]"" wrote:
    > For the current issue, my understanding is that you want to manage the
    > authentication of the site. If I have misunderstood anything, please feel
    > free to let me know.


    I think you misunderstood my question. I'm not asking how do I apply forms
    authentication to a certain directory or file from the web.config, I'm asking
    how do I apply authentication and authorization to a URL programmatically.
    For instance let's say I have the following 2 URLs that I want to apply roles
    to:

    http://myweb.com/doc.aspx?id=1

    I want the following role:
    ServiceA

    http://myweb.com/doc.aspx?id=2

    I want the following role:
    ServiceB

    I want the fact that these two URLs have these roles to be managed in a
    database and then when a request comes in for these URLs I want to let forms
    authentication know what authorization and roles to apply to that URL.

    > As far as I know, the "location" element in the web.config file can be used
    > for the directory or sub directories. I suggest you put the pages which
    > allow the authorized client to access into the same directory. And then,
    > you just need to mark the path of the directory in the web.config file. The
    > following link is a detailed explanation about the "location" element. I hope
    > this will be helpful.
    >
    > If you have any issues or concerns, please let me know. It's my pleasure to
    > be of assistance.


    I appreciate your input here but it has no relevance to my question. I know
    how to control authentication and authorization from the web.config.

    Thanks,
    Tyler
     
    Tyler Carver, Feb 22, 2006
    #5
  6. Tyler Carver

    Tyler Carver Guest

    "Dominick Baier [DevelopMentor]" wrote:
    > you can use Context.User.IsInRole() to check for the role of the user. If
    > that fails you can call FormsAuthentication.RedirectToLoginPage


    Ya I've thought about writing an HTTP module that would check the URL and the
    assigned roles and then do this very thing. Of course you can't control
    authentication that way but I could control authorization. I just wish MS
    would have added a provider for this, I don't know why it has to be hard
    coded in the web.config.

    I'm considering this as a workaround because the right way to do it is to
    have Forms do its normal job and for me to control what authentication is
    assigned to what URL. So I am still interested in a programmatic way to
    control the <authorization> element of the <system.web> configuration. This
    way I can correctly apply full authentication and authorization. (Also, I
    don't mean to imply that I want to programmatically change the Web.Config.)
     
    Tyler Carver, Feb 22, 2006
    #6
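
Added example (not code from any poster in this thread): one way to write the HTTP module discussed in posts #4 and #6, checking `IsInRole` per URL and query string, then either redirecting to the login page or returning 403. The module name, the `Decision` enum and the in-memory table standing in for the database are hypothetical; it assumes the user's roles are already populated (for example by a role provider).

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Hypothetical module; register it under <httpModules> in web.config.
Public Class UrlRoleAuthorizationModule
    Implements IHttpModule
    Public Enum Decision
        Allow
        Challenge   ' anonymous caller: send to the login page
        Forbid      ' authenticated, but lacks the role for this URL
    End Enum
    ' Constructed sample data standing in for the database table
    ' (URL -> required role), using the two URLs from the thread.
    Private Shared ReadOnly RequiredRoles As New Dictionary(Of String, String)(StringComparer.OrdinalIgnoreCase)
    Shared Sub New()
        RequiredRoles.Add("~/doc.aspx?id=1", "ServiceA")
        RequiredRoles.Add("~/doc.aspx?id=2", "ServiceB")
    End Sub

    Public Sub Init(ByVal app As HttpApplication) Implements IHttpModule.Init
        AddHandler app.AuthorizeRequest, AddressOf OnAuthorizeRequest
    End Sub
    Public Sub Dispose() Implements IHttpModule.Dispose
    End Sub

    ' Default-deny: a doc.aspx request with a missing, duplicated or unknown id is refused.
    Public Shared Function Authorize(ByVal path As String, ByVal id As String, ByVal user As IPrincipal) As Decision
        If Not String.Equals(path, "~/doc.aspx", StringComparison.OrdinalIgnoreCase) Then Return Decision.Allow
        If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return Decision.Challenge
        Dim role As String = Nothing
        If id IsNot Nothing AndAlso RequiredRoles.TryGetValue(path & "?id=" & id, role) AndAlso user.IsInRole(role) Then
            Return Decision.Allow
        End If
        Return Decision.Forbid
    End Function

    Private Sub OnAuthorizeRequest(ByVal sender As Object, ByVal e As EventArgs)
        Dim ctx As HttpContext = CType(sender, HttpApplication).Context
        Select Case Authorize(ctx.Request.AppRelativeCurrentExecutionFilePath, ctx.Request.QueryString("id"), ctx.User)
            Case Decision.Challenge
                FormsAuthentication.RedirectToLoginPage()   ' does not end the request by itself
                ctx.ApplicationInstance.CompleteRequest()
            Case Decision.Forbid
                ctx.Response.StatusCode = 403               ' 403, not a login redirect: avoids a login loop
                ctx.ApplicationInstance.CompleteRequest()
        End Select
    End Sub
End Class
```

Because the role is looked up from the requested URL and checked against the caller, the caller's own principal is never modified.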
  7. Tyler Carver

    MikeS Guest

    Not sure if this is what you are after but...

    The location tag path can't be made unique based on the querystring but
    the sitemap url can.

    Sitemap:

    <?xml version="1.0" encoding="utf-8" ?>
    <siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
      <siteMapNode url="~/" title="Home" roles="*">
        <siteMapNode title="ServiceA" roles="ServiceA">
          <siteMapNode url="~/doc.aspx?id=1" title="Doc" />
        </siteMapNode>
        <siteMapNode title="ServiceB" roles="ServiceB">
          <siteMapNode url="~/doc.aspx?id=2" title="Doc" />
        </siteMapNode>
      </siteMapNode>
    </siteMap>

    web.config:

    <siteMap defaultProvider="default">
      <providers>
        <add name="default" type="System.Web.XmlSiteMapProvider"
             siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
      </providers>
    </siteMap>

    <location path="doc.aspx">
      <system.web>
        <authorization>
          <allow roles="ServiceA,ServiceB"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </location>

    Or if you want my own cheesy hack then you can spin up your own user
    for the specific request...

    ' Global.asax; requires Imports System.Security.Principal
    Protected Sub Application_PostAuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
        Dim a As HttpApplication = CType(sender, HttpApplication)
        Dim id As Integer
        ' Only swap the principal for authenticated requests to doc.aspx
        ' that carry a numeric id (a missing or malformed id is left alone).
        If a.Context.User IsNot Nothing _
            AndAlso a.Context.User.Identity.IsAuthenticated _
            AndAlso a.Request.AppRelativeCurrentExecutionFilePath = "~/doc.aspx" _
            AndAlso Integer.TryParse(a.Request.QueryString("id"), id) _
        Then
            Dim gi As GenericIdentity = New GenericIdentity(a.Context.User.Identity.Name)
            Dim r() As String = New String() {"Service" & Chr(64 + id)}
            ' now supporting A-Z and beyond, TODO: replace with db code.
            Dim gp As GenericPrincipal = New GenericPrincipal(gi, r)
            a.Context.User = gp
        End If
    End Sub

    This at least breaks the windows rolemanager (Roles.*) for this request
    but User.IsInRole, location tag locks and securityTrimming still work.
     
    MikeS, Feb 23, 2006
    #7
  8. Tyler Carver

    Tyler Carver Guest

    Hi Mike,

    The sitemap stuff looks very interesting.

    "MikeS" wrote:
    > Sitemap:
    > ...
    >
    > web.confg:
    > ...


    So are you saying that if I add all the roles to the global location, add
    only the roles I REALLY want in the site map for the specific location, and
    then turn on security trimming, Windows Forms will only use what I have added
    as roles in the site map to my specific URL?

    If this is true then I can easily write a custom sitemap provider and take
    care of all this in the db. Of course I will have to make sure that there
    are no security holes in my website given the fact that I have added all
    roles to the root. Also, if this is true then I may be peeing in my pants.

    Time to get testing. Thanks!

    Tyler
     
    Tyler Carver, Feb 23, 2006
    #8
  9. Hi Tyler,

    Sorry for the misunderstanding! I think the issue is related to ASP.NET v1.1.

    If you want to use the SiteMap to approach your issue, as Michael
    mentioned, the security is still controlled from location. So, your idea
    is appropriate, you can write your own provider for the current issue. Thanks
    for your understanding!

    Regards,

    Yuan Ren [MSFT]
    Microsoft Online Support
     
    Yuan Ren[MSFT], Feb 24, 2006
    #9