Roles - Access Rule Storage

Discussion in 'ASP .Net Security' started by Matt, Aug 9, 2006.

  1. Matt

    Matt Guest

    Can anyone tell me if is is possible to override how a web application stores/retrieves the Access Rules for roles? Instead of using the web.config to store the following:

    <system.web>
    <authorization>
    <allow roles="Admin" />
    </authorization>
    </system.web>

    I would like to store this information in a database table and have the system pull the access role from the table when needed.

    Thanks,

    Matt
    Matt, Aug 9, 2006
    #1
    1. Advertising

  2. Are you talking about the roles that are applied to the user who is
    authenticated, or are you talking about the authorization policy that is
    applied to any given URL in terms of who can access it?

    If you want to make the latter dynamic, you can just code this in your pages
    directly or write your own HTTP Module that does it. If you look at the
    UrlAuthorizationModule (use Reflector to see the code), you can see how it
    reads in the authorization configuration applied to the current URL path and
    then decides whether the current user has access or not. You could do the
    exact same thing in your module, but store the authorization policy in the
    database instead and look it up by URL or something. After that, applying
    the policy and doing the proper responses is easy and something you could
    basically copy from Microsoft's code.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:uZRFch$...
    Can anyone tell me if is is possible to override how a web application
    stores/retrieves the Access Rules for roles? Instead of using the
    web.config to store the following:

    <system.web>
    <authorization>
    <allow roles="Admin" />
    </authorization>
    </system.web>

    I would like to store this information in a database table and have the
    system pull the access role from the table when needed.

    Thanks,

    Matt
    Joe Kaplan \(MVP - ADSI\), Aug 9, 2006
    #2
    1. Advertising

  3. You might also want to look at the Authorization Manager (AzMan) API if you
    want something very flexible and powerful for doing role-based authorization
    in an application. I'm not exactly sure how I would apply it given what I
    know about your app (not much :)), but it is good to know about.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:uUC4Tw$...
    Joe,

    WOW, quick response!

    You hit the nail on the head. I want to use a table for URL and file
    authorization. I have read a ton about Membership and Roles and custom
    providers and not one mentioned the UrlAuthorizationModule. I will look
    into finding the namespace to find the dll and definitly will fire up
    reflector to see what is going on.

    I am working on an application that 42 different organization units will be
    using from the same site and none of them want to use the same role names.
    I began thinking that even if they only have 5 roles per organization that
    it will become a nightmare to maintain the roles via web.config files.

    Thanks again,

    Matt


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:uybUgq$...
    Are you talking about the roles that are applied to the user who is
    authenticated, or are you talking about the authorization policy that is
    applied to any given URL in terms of who can access it?

    If you want to make the latter dynamic, you can just code this in your pages
    directly or write your own HTTP Module that does it. If you look at the

    (use Reflector to see the code), you can see how it
    reads in the authorization configuration applied to the current URL path and
    then decides whether the current user has access or not. You could do the
    exact same thing in your module, but store the authorization policy in the
    database instead and look it up by URL or something. After that, applying
    the policy and doing the proper responses is easy and something you could
    basically copy from Microsoft's code.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:uZRFch$...
    Can anyone tell me if is is possible to override how a web application
    stores/retrieves the Access Rules for roles? Instead of using the
    web.config to store the following:

    <system.web>
    <authorization>
    <allow roles="Admin" />
    </authorization>
    </system.web>

    I would like to store this information in a database table and have the
    system pull the access role from the table when needed.

    Thanks,

    Matt
    Joe Kaplan \(MVP - ADSI\), Aug 10, 2006
    #3
  4. The suggestion with Reflector was mostly just to look at the code to see how
    it works and maybe borrow a little bit of its core logic. I wasn't
    recommending that you try to completely recompile and debug it!

    The UrlAuthorizationModule is driven by the <allow> and <deny> tags in
    web.config, so if you don't have any of those, it won't do anything. You
    can also remove it from list of HTTP Modules for your app by using the
    appropriate XML syntax in web.config in the <httpModules> tag (the MSDN
    reference as the proper syntax).

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:...
    Joe,

    I will take a look at AzMan, I had not heard of it before.

    Two more questions. I used reflector to create the attached probject of the
    UrlAuthorizationModule. I thought I could just compile it and debug it's
    process to see how it works but I can't get it to compile. It contains some
    errors that I have never seen before while compiling. Could you give me
    some idea on how to clean this up?

    Also, let's say I get it compiled or create my own HttpModule to do the same
    thing, how would I tell ASP.Net not to perform it's process and that I am
    going to take care of it?

    Thanks a lot for your help,

    Matt


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    You might also want to look at the Authorization Manager (AzMan) API if you
    want something very flexible and powerful for doing role-based authorization
    in an application. I'm not exactly sure how I would apply it given what I
    know about your app (not much :)), but it is good to know about.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:uUC4Tw$...
    Joe,

    WOW, quick response!

    You hit the nail on the head. I want to use a table for URL and file
    authorization. I have read a ton about Membership and Roles and custom
    providers and not one mentioned the UrlAuthorizationModule. I will look
    into finding the namespace to find the dll and definitly will fire up
    reflector to see what is going on.

    I am working on an application that 42 different organization units will be
    using from the same site and none of them want to use the same role names.
    I began thinking that even if they only have 5 roles per organization that
    it will become a nightmare to maintain the roles via web.config files.

    Thanks again,

    Matt


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:uybUgq$...
    Are you talking about the roles that are applied to the user who is
    authenticated, or are you talking about the authorization policy that is
    applied to any given URL in terms of who can access it?

    If you want to make the latter dynamic, you can just code this in your pages
    directly or write your own HTTP Module that does it. If you look at the

    (use Reflector to see the code), you can see how it
    reads in the authorization configuration applied to the current URL path and
    then decides whether the current user has access or not. You could do the
    exact same thing in your module, but store the authorization policy in the
    database instead and look it up by URL or something. After that, applying
    the policy and doing the proper responses is easy and something you could
    basically copy from Microsoft's code.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Matt" <-SEND-SPAM.com> wrote in message
    news:uZRFch$...
    Can anyone tell me if is is possible to override how a web application
    stores/retrieves the Access Rules for roles? Instead of using the
    web.config to store the following:

    <system.web>
    <authorization>
    <allow roles="Admin" />
    </authorization>
    </system.web>

    I would like to store this information in a database table and have the
    system pull the access role from the table when needed.

    Thanks,

    Matt
    Joe Kaplan \(MVP - ADSI\), Aug 10, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mr Newbie
    Replies:
    10
    Views:
    765
    Mr Newbie
    Nov 22, 2005
  2. Replies:
    0
    Views:
    1,360
  3. sarathy
    Replies:
    2
    Views:
    660
    sarathy
    Jul 17, 2006
  4. =?Utf-8?B?QmVha2Vy?=

    Is it possiable to create an access rule for a file?

    =?Utf-8?B?QmVha2Vy?=, Mar 20, 2007, in forum: ASP .Net
    Replies:
    1
    Views:
    359
    Jeff T
    Mar 20, 2007
  5. Jéjé
    Replies:
    0
    Views:
    233
    Jéjé
    Sep 27, 2005
Loading...

Share This Page