Restrict users using Application_AcquireRequestState?

Discussion in 'ASP .Net' started by =?Utf-8?B?RGF2ZQ==?=, Mar 2, 2005.

  1. We have an intranet application that is under Integrated security. So in
    theory, anyone who has an Active Directory account in the company can access
    my app.

    So, to allow only certain users, I created a user table of domain accounts
    and check these in the Application_AcquireRequestState event by comparing the
    Identity.Name to names in my table. If OK, I set a session variable
    HasAccess to "1" since sessions are available in this event.

    Then, on subsequent page requests, this event checks the
    Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
    or not.

    Is this approach valid or is there a better way? It seems to work OK,
    except I have webservices on the site as well which, when requested, also
    fires the Application_AcquireRequestState event BUT when I try to access the
    Session variables, it returns a null object reference because it seems the
    Session is never actually created by a webservice request.
     
    =?Utf-8?B?RGF2ZQ==?=, Mar 2, 2005
    #1
    1. Advertisements

  2. =?Utf-8?B?RGF2ZQ==?=

    Scott Allen Guest

    Hi Dave:

    Session state is disabled by default for asmx, but you can change the
    default.

    Another idea is to organize authorized users into an Active Directory
    group in your domain. Then you add an <authorization> section to
    web.config and restrict the app to just members of the group. No extra
    code required!

    --
    Scott
    http://www.OdeToCode.com/blogs/scott/

    On Wed, 2 Mar 2005 09:59:06 -0800, "Dave"
    <> wrote:

    >We have an intranet application that is under Integrated security. So in
    >theory, anyone who has an Active Directory account in the company can access
    >my app.
    >
    >So, to allow only certain users, I created a user table of domain accounts
    >and check these in the Application_AcquireRequestState event by comparing the
    >Identity.Name to names in my table. If OK, I set a session variable
    >HasAccess to "1" since sessions are available in this event.
    >
    >Then, on subsequent page requests, this event checks the
    >Request.IsAuthenticated and then the Session["HasAccess"] to allow them in
    >or not.
    >
    >Is this approach valid or is there a better way? It seems to work OK,
    >except I have webservices on the site as well which, when requested, also
    >fires the Application_AcquireRequestState event BUT when I try to access the
    >Session variables, it returns a null object reference because it seems the
    >Session is never actually created by a webservice request.
    >
     
    Scott Allen, Mar 2, 2005
    #2
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Sara rafiee
    Replies:
    3
    Views:
    1,324
    Scott Allen
    Oct 4, 2004
  2. Sunil Miriyala
    Replies:
    0
    Views:
    935
    Sunil Miriyala
    Mar 1, 2004
  3. bitshift
    Replies:
    1
    Views:
    712
    bruce barker
    Jun 22, 2007
  4. Replies:
    0
    Views:
    775
  5. Gerhard

    restrict number of users

    Gerhard, Jul 7, 2009, in forum: ASP .Net
    Replies:
    11
    Views:
    793
    Gregory A. Beamer
    Jul 8, 2009
  6. Kylin

    <deny users="?" /> <allow users="*" />

    Kylin, May 17, 2005, in forum: ASP .Net Security
    Replies:
    2
    Views:
    1,189
    Ravichandran J.V.
    May 19, 2005
  7. Sara rafiee

    Help me in making users/deleting users in active directory

    Sara rafiee, Oct 3, 2004, in forum: ASP .Net Web Controls
    Replies:
    1
    Views:
    543
    Robert Koritnik
    Oct 4, 2004
  8. Bernie Beattie

    WebParts - can you transfer one users choice to all users?

    Bernie Beattie, Sep 6, 2006, in forum: ASP .Net Web Controls
    Replies:
    0
    Views:
    279
    Bernie Beattie
    Sep 6, 2006
Loading...