Using two membership providers

Discussion in 'ASP .Net Security' started by Daniel, Oct 6, 2006.

  1. Daniel

    Daniel Guest

    Hello,

    imagine an application that has two membership providers installed. The
    first provider is used for public user to access some restricted
    functions, e.g. a forum, his mailbox, or others.

    The second provider is used for administrative purposes. Obviously only
    select users have such an account.

    Almost every user (for sake of simplicity let's say every) has an
    account with the first membership provider. Some select users with the
    second as well. Now to the problem I have - which is not setting up
    those providers.

    First, I want to limit access to some folders (administrative part of
    the site) to users that are logged in over the second provider, only.
    At that point I do not care whether they are logged into the first
    provider. How can I set up this scenario in the web.config?

    Second, I want to know in the public part whether the user is logged
    into the public account (first provider) and at the same time is logged
    into an administrative account (second provider).

    How can I achieve those two goals?

    Thanks in advance,
    Daniel
    Daniel, Oct 6, 2006
    #1

  2. Why two providers? Why not multiple roles? Attach users to the roles and you
    can easily check if the user is in a certain role. Using the web.sitemap and
    web.config you can restrict pages and menus without any additional work.

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA
    http://gregorybeamer.spaces.live.com

    *************************************************
    Think outside of the box!
    *************************************************
    Cowboy (Gregory A. Beamer), Oct 7, 2006
    #2

  3. Daniel

    Daniel Guest

    Pretty simple because we use AD-authorization in some cases for the
    administrative part and the same username sometimes is already taken by
    a community member. So just using roles is *NOT* the solution. For the
    community users we do not use AD-authentication obviously.

    Now before some of you flame, it is a multi-tiered environment. The
    administrative part will be done on a server behind a firewall which is
    called staging server. The community will only visit the so-called live
    server. Both are the same architecture and the administrative users can
    use the staging server in the same way visitors use the live server
    (for testing purposes). So we need two different membership providers.

    Any answer to my question now?

    Daniel, Oct 7, 2006
    #3
  4. Daniel

    Daniel Guest

    Thanks for your answer, but it did not aim at my questions.

    Gaurav Vaish (www.EdujiniOnline.com) wrote:
    > > Pretty simple because we use AD-authorization in some cases for the
    > > administrative part and the same username sometimes is already taken by
    > > a community member. So just using roles is *NOT* the solution. For the
    > > community users we do not use AD-authentication obviously.

    >
    > Have a templated Login control with an added DropDownList with the entries
    > pointing to the type of server (AD, CommunityServer etc).
    >
    > Just before authentication, select the appropriate provider...
    >
    > loginControl.MembershipProvider = "Provider_Name_Based_On_DDL_Selection"
    >
    >
    >
    > --
    > Happy Hacking,
    > Gaurav Vaish | www.mastergaurav.com
    > www.edujinionline.com
    > http://articles.edujinionline.com/webservices
    > -----------------------------------------
    Daniel, Oct 7, 2006
    #4
  5. I see where you are going, but you are not truly using the same application
    100%. There is nothing inherently wrong with this, of course.

    What I would consider is abstracting out the provider so each app makes the
    same call, but the application is configured to either hit AD or the
    database. In this way, the majority of your application logic would be
    identical; the only disparate part would be the actual call for
    authentication.

    To restrict certain sections, you can still use a role based system, with
    the admin role only available on the internal site. This could also be a
    configuration point for the application (i.e., you can add a key that says
    "this site never has this type of super user" and add safety in your code).
    The role based bits make it easy to restrict access to particular pages.

    In the case of the external application, none of the users can ever hit the
    bits that allow full admin. If they try, they keep getting kicked back to
    login. Not pretty, but you are not going to tell them those bits are there.

    You could also, potentially, segregate out the super user functionality into
    a "subweb" type of site that only exists on the internal servers. This would
    add an additional layer of security.

    --
    Gregory A. Beamer
    MVP; MCP: +I, SE, SD, DBA
    http://gregorybeamer.spaces.live.com

    *************************************************
    Think outside of the box!
    *************************************************
    Cowboy (Gregory A. Beamer), Oct 8, 2006
    #5
  6. Daniel

    Daniel Guest

    Sorry for the delayed reply.

    I think this is getting close to what I need and I would be sincerely
    thankful if you could show me a sample of how to accomplish this. In
    the end I probably would be getting it to work in a general way :)

    Thanks in advance and I'll be checking here regularly, for sure,
    Daniel

    On Oct 8, 1:15 am, "Gaurav Vaish (www.EdujiniOnline.com)"
    <> wrote:
    > > Thanks for your answer, but it did not aim at my questions.
    >
    > Basically, what you are looking at is:
    >
    > 1. Single Sign-On
    > 2. Custom provider that will in turn work with other-multiple-providers...
    >
    > There are three ways to accomplish this:
    >
    > a. Short cut: Add an event handler to the event Authenticate and do the
    > authentication
    >
    > b. Longer way: Sub-class Login and override OnAuthenticate. This method does
    > the authentication part if there's no handler to the event Authenticate.
    >
    > c. Create a custom membership provider that will in turn talk to other
    > providers and do the ValidateUser.
    >
    > Personally, I would prefer 'c' with, maybe, a custom section for 'my
    > membership provider'.
    >
    > Well, suddenly an idea for implementation came to my mind... probably, you
    > can revisit this thread after about a week. I should be posting up a
    > solution for Single-Sign-On using multiple providers!
    >
    > --
    > Happy Hacking,
    > Gaurav Vaish | www.mastergaurav.com
    > www.edujinionline.com
    > http://eduzine.edujinionline.com
    > -----------------------------------------
    Daniel, Oct 9, 2006
    #6
  7. On 6 Oct 2006 12:50:56 -0700, "Daniel" <> wrote:

    >Hello,
    >
    >imagine an application that has two membership providers installed. The
    >first provider is used for public user to access some restricted
    >functions, e.g. a forum, his mailbox, or others.
    >
    >The second provider is used for administrative purposes. Obviously only
    >select users have such an account.
    >

    I've designed something similar.

    >Almost every user (for sake of simplicity let's say every) has an
    >account with the first membership provider. Some select users with the
    >second as well. Now to the problem I have - which is not setting up
    >those providers.
    >
    >First, I want to limit access to some folders (administrative part of
    >the site) to users that are logged in over the second provider, only.
    >At that point I do not care whether they are logged into the first
    >provider. How can I set up this scenario in the web.config?
    >

    Each folder can have its own web.config file but...

    >Second, I want to know in the public part whether the user is logged
    >into the public account (first provider) and at the same time is logged
    >into an administrative account (second provider).
    >

    A derived MembershipUser type could 'know' this but...

    >How can I achieve those two goals?
    >

    Consider basing access upon Role instead of Membership. Each folder's
    web.config file can define each folder's Role-based security.

    regards
    A.G.
    Registered User, Oct 9, 2006
    #7
  8. Daniel

    Daniel Guest

    > Consider basing access upon Role instead of Membership. Each folder's
    > web.config file can define each folder's Role-based security.
    >

    As outlined above that is not an approach we can take. We looked into it
    and it just will not work.

    Regards,
    Daniel
    Daniel, Oct 11, 2006
    #8
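
Added example, not posted by any participant in this thread: one way to keep the per-folder role rules suggested in #5 and #7 while still telling the two providers apart is to record which provider validated the login inside the forms-authentication ticket and grant the admin role only from that record. The provider names, the role name `ProviderAdmin`, the 30-minute lifetime and the `DualProviderAuth` class are assumptions; the code also assumes forms authentication with the default `protection="All"` and that the role manager is not enabled to replace the principal afterwards.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class DualProviderAuth
{
    // Hypothetical names; they must match the <membership><providers> entries in web.config.
    public const string AdminProvider = "AdminAdProvider";
    public const string PublicProvider = "PublicSqlProvider";
    public const string AdminRole = "ProviderAdmin";   // hypothetical role name

    // Validate against ONE named provider and store its name in the ticket's UserData.
    public static bool SignIn(HttpResponse response, string providerName,
                              string user, string password)
    {
        MembershipProvider provider = Membership.Providers[providerName];
        if (provider == null || !provider.ValidateUser(user, password))
            return false;

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, user, DateTime.Now, DateTime.Now.AddMinutes(30), false, providerName);
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
        return true;
    }

    // Call from Application_AuthenticateRequest in Global.asax.
    public static void AttachPrincipal(HttpContext context)
    {
        FormsIdentity identity =
            context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return;   // anonymous, or not forms-authenticated

        // UserData travels inside the encrypted, MAC-protected ticket, so the
        // client cannot change which provider it claims to have used.
        bool viaAdmin = identity.Ticket.UserData == AdminProvider;
        string[] roles = viaAdmin ? new string[] { AdminRole } : new string[0];
        context.User = new GenericPrincipal(identity, roles);
    }
}
// The admin folder's web.config then needs only:
//   <authorization><allow roles="ProviderAdmin"/><deny users="*"/></authorization>
```

Because the role is derived from the ticket and not from the username, a community account that happens to share a name with an AD account never receives `ProviderAdmin`.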