Role based security question

Discussion in 'ASP .Net Security' started by clsmith66, Jan 19, 2006.

  1. clsmith66

    clsmith66 Guest

    I am a fairly new developer and need some help setting up some security for a
    site I am helping to build. The site should allow anyone who goes there to
    view and use some basic pages, but should also give the option of signing in
    and then being redirected to the appropriate area of the application. I have
    found some code to implement role-based security (which is exactly what I'm
    looking for) using Forms Authentication, but doesn't that force everyone
    accessing the web site to sign in? How can I restrict access to portions of
    the site unless the appropriate login is provided, but not require a login
    for the site as a whole?

    Any help would be greatly appreciated.

    Chris
     
    clsmith66, Jan 19, 2006
    #1

  2. hi,

    partition your site into public and authenticated areas.

    use a location element to restrict access to the authenticated area,

    e.g. by restricting to specific roles

    <location path="autharea">
      <system.web>
        <authorization>
          <!-- rules are evaluated top-down; the first match wins -->
          <allow roles="Role1, Role2" />
          <deny users="*" />
        </authorization>
      </system.web>
    </location>

    or generally denying un-authenticated access

    <location path="autharea">
      <system.web>
        <authorization>
          <!-- "?" matches anonymous (un-authenticated) users -->
          <deny users="?" />
        </authorization>
      </system.web>
    </location>

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jan 19, 2006
    #2

  3. clsmith66

    clsmith66 Guest

    Thank you for your rapid response.

    If I set the public side to allow anonymous users, will the Forms
    Authentication be skipped? Once I have a user logged in, how do I direct them
    to a "start" page based on their role? I need administrators to go to one
    section, and registered customers to go somewhere else.

    Chris

     
    clsmith66, Jan 19, 2006
    #3
  4. hi,

    you could do that in your login page - query the roles and do a response
    redirect..

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

     
    Dominick Baier [DevelopMentor], Jan 19, 2006
    #4
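
The login-page redirect suggested in reply #4, as an added example that is not part of the original thread or any poster's code. It assumes the ASP.NET 2.0 Membership and Roles providers are enabled; the control names, role names and paths are hypothetical.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;

// Code-behind for a hypothetical Login.aspx that declares UserName and
// Password TextBox controls, an ErrorLabel Label, and a button wired to
// LoginButton_Click. Role names and paths are assumptions for illustration.
public partial class Login : Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text.Trim();

        // One message for both "unknown user" and "wrong password", so the
        // form does not reveal which account names exist.
        if (!Membership.ValidateUser(user, Password.Text))
        {
            ErrorLabel.Text = "Invalid user name or password.";
            return;
        }

        // Issue the forms-authentication ticket as a non-persistent cookie.
        FormsAuthentication.SetAuthCookie(user, false);

        // The cookie only takes effect on the next request, so Page.User is
        // still anonymous here; ask the role provider about the name instead.
        Response.Redirect(StartPageFor(user));
    }

    // Returns fixed, application-relative targets only. A URL taken from the
    // request is never used as the redirect target.
    private static string StartPageFor(string user)
    {
        if (Roles.IsUserInRole(user, "Administrators"))
            return "~/admin/Default.aspx";
        if (Roles.IsUserInRole(user, "Customers"))
            return "~/customers/Default.aspx";
        return "~/Default.aspx"; // authenticated but in no known role
    }
}
```

The redirect is only a convenience: access to each area is still decided by the `<authorization>` rules on the matching `<location>` element, so a user who types the admin URL directly is checked there.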
  5. clsmith66

    clsmith66 Guest

    Thanks for your help. Actually thought for a minute and think I answered my
    own questions.

    Chris

     
    clsmith66, Jan 19, 2006
    #5