Site security config file and directories

Discussion in 'ASP .Net Security' started by steven scaife, Jun 12, 2006.

  1. I am creating a site for the intranet at the company I work for, but there
    are 3 levels of security and a login form.

    All users have to authenticate with the system. Logins are stored in a DB,
    but I use Windows authentication to find the account. This is working fine,
    and I have set the forms login XML bit in the web.config.

    However, the 3 levels of security are as follows.

    Standard
    The user gets to fill out requests, search and view current requests.

    Managers
    They get to verify requests that are then sent to the directors, plus the
    standard pages.

    Directors
    They get to authorise requests, plus they get the standard pages.

    I am just wondering what the best way of setting security is: placing pages
    into appropriate directories and using a web.config file to set the security,
    adding location path tags to the web.config file, or writing my own
    mechanism for verifying access.

    What do you think is the best way? Also, I have my ASP.NET exam coming up and
    no doubt a question similar to this will pop up, so it would be good to know.

    regards
     
    steven scaife, Jun 12, 2006
    #1

  2. If page/directory authorization is granular enough, use the <authorization>
    element. Otherwise use intra-page calls to Context.User.IsInRole.

    I personally recommend using <location> elements in the root config to have all
    config settings in one place, but technically there is no difference to
    putting separate web.config files into subdirectories (MS emphasizes this
    approach).

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > I am creating a site for the intranet at the company i work for, but
    > there are 3 levels of security and a login form.
    >
    > All users have to authenticate with the system. Logins are stored in
    > a DB, but i use windows authentication to find the account, this is
    > working fine, and i have set the forms login XML bit in the
    > web.config.
    >
    > However the 3 levels of security are as follows.
    >
    > Standard
    > The user gets to fill out requests, search and view current requests.
    >
    > Managers
    > They get to verify requests that are then sent to the directors plus
    > the standard pages
    >
    > Directors
    > They get to authorise requests. plus they get the standard pages.
    >
    > I am just wondering what the best way of setting security is, placing
    > pages into appropriate directories and using a web.config file to set
    > the security, or adding location paths tags to the web.config file, or
    > writing my own mechanism for verifying access.
    >
    > What do you think is the best way, also i have my ASP.net exam coming
    > up and no doubt a question similar to this will pop-up, so it would be
    > good to know.
    >
    > regards
    >
     
    Dominick Baier [DevelopMentor], Jun 12, 2006
    #2
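
The single-root-config layout discussed in this thread, written out as an added example (not code from either poster): one web.config that uses `<location>` elements for the three levels. The directory names `Managers` and `Directors` and the role names of the same spelling are assumptions, as is the premise that the site attaches those roles to the authenticated user.

```xml
<?xml version="1.0"?>
<!-- Root web.config. Added example; directory and role names are assumed. -->
<configuration>
  <system.web>
    <!-- The site's existing <authentication> element stays as it is. -->

    <!-- Site-wide default: anonymous users ("?") are denied, so every
         authenticated user reaches the Standard pages in the root. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top to bottom and the first match wins, so the
       allow must come before the deny. The explicit deny of "*" is needed
       because the inherited machine-level default allows everyone. -->
  <location path="Managers">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Directors">
    <system.web>
      <authorization>
        <allow roles="Directors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `roles` attribute only matches if the role names are present on `Context.User` by the time URL authorization runs; with logins held in a database, that means a role provider or code that builds the principal during authentication. Moving each `<authorization>` block into a web.config inside its own directory gives the same result as the `<location>` form.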