using web config to allow access to domain users only

[Carlos]

Hi all,

is it possible to configute an asp .net app using web config, to allow
access to users within a particular domain only?.

Any help is greatly appreciated.

Thanks in advance,

Carlos

 

[John Timney \(ASP.NET MVP\)]

I think you want the role tag

<authorization>
<allow users="*" allow role="domain\group" />
<deny users="*" />
</authorization>
--
Regards

John Timney
ASP.NET MVP
Microsoft Regional Director

 

[Alan Samet]

I'm making the assumption that you're using windows Authentication for
your web application.

I would recommend doing this security check in the Application's
AuthorizeRequest event. You can set the domain in an appSetting in your
web.config file. The following code is untested:

Web.config:

<configuration>
<appSettings>
<add key="AuthorizedDomainName" value="Watusi" />
</appSettings>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="notauthorized.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

global.asax

void Application_AuthorizeRequest(object sender, EventArgs e)
{
if
(!User.Identity.Name.StartsWith(ConfigurationSettings.AppSettings["AuthorizedDomainName"]
+ "\\")) HttpContext.Current.Response.Redirect("notauthorized.aspx");
}

-Alan

 

[Carlos]

Alan,

Thank you for your prompt response. When testing the code
I found out that it takes a long time to redirect from within
Application_AuthenticateRequest to the notauthorized page.

Is there any reason for that?

Thanks,

Carlos

I'm making the assumption that you're using windows Authentication for
your web application.

I would recommend doing this security check in the Application's
AuthorizeRequest event. You can set the domain in an appSetting in your
web.config file. The following code is untested:

Web.config:

<configuration>
<appSettings>
<add key="AuthorizedDomainName" value="Watusi" />
</appSettings>
<system.web>
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
</system.web>
<location path="notauthorized.aspx">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
</configuration>

global.asax

void Application_AuthorizeRequest(object sender, EventArgs e)
{
if
(!User.Identity.Name.StartsWith(ConfigurationSettings.AppSettings["AuthorizedDomainName"]
+ "\\")) HttpContext.Current.Response.Redirect("notauthorized.aspx");
}

-Alan

Hi all,

is it possible to configute an asp .net app using web config, to allow
access to users within a particular domain only?.

Any help is greatly appreciated.

Thanks in advance,

Carlos

 

[Alan Samet]

That I don't know. An HttpResponse.Redirect sends a header to the
browser requesting that the browser do the redirect. It may be the
browser you're using taking its time to do the redirect; the first
time, of course, you'd have to deal with the delay of the page
compiling. Perhaps the first time the WindowsPrincipal is queried for
the identity it may have to do some kind of domain lookup. I'm not
sure.

-Alan