What is the best approach?

Discussion in 'ASP .Net Security' started by Andrew, Dec 21, 2005.

  1. Andrew

    Andrew Guest

    Hello, friends,

    I implemented Forms Authentication in my asp.net app, and it worked fine.
    However, now I have another problem:

    Although a user can be authenticated, he/she may still not be allowed to
    view certain pages and folders. For example, a junior member cannot view
    pages for senior members, although he/she can log into the web site. What is
    the best approach to do this?

    Any reference papers, sample code? Thanks.
    Andrew, Dec 21, 2005
    #1

  2. Hello Andrew,

    have a look at the <authorization> element in web.config.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hello, friends,
    >
    > I implemented Forms Authentication in my asp.net app, and it worked fine.
    > However, now I have another problem:
    >
    > Although a user can be authenticated, he/she may still not be
    > allowed to view certain pages and folders. For example, a junior member
    > cannot view pages for senior members, although he/she can log into
    > the web site. What is the best approach to do this?
    >
    > Any reference papers, sample code? Thanks.
    >
    Dominick Baier [DevelopMentor], Dec 21, 2005
    #2

  3. Andrew

    Andrew Guest

    <configuration>
      <system.web>
        <authorization>
          <!-- rules are checked top-down and the first match wins,
               so the allow must come before the catch-all deny -->
          <allow roles="Admins"/>
          <deny users="*"/>
        </authorization>
      </system.web>
    </configuration>

    This requires me to "manually" add each newly registered member into a
    predefined role, say "Junior" or "Senior", right?

    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Andrew,
    >
    > have a look at the <authorization> element in web.config.
    >
    >
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    Andrew, Dec 21, 2005
    #3
  4. Hello Andrew,

    right

    also read this:
    http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > <configuration>
    >   <system.web>
    >     <authorization>
    >       <!-- rules are checked top-down; the first match wins -->
    >       <allow roles="Admins"/>
    >       <deny users="*"/>
    >     </authorization>
    >   </system.web>
    > </configuration>
    >
    > This requires me to "manually" add each newly registered member into a
    > predefined role, say "Junior" or "Senior", right?
    Dominick Baier [DevelopMentor], Dec 21, 2005
    #4
  5. Andrew

    Andrew Guest

    That is not good for us:

    After a user (a Junior) has registered on my website, he/she should be able to
    access all pages, except pages for Senior members, right away.

    He/she cannot wait for us to manually add them into a role, because we may
    not check new members for days.

    Any other automatic ways? Thanks...

    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Andrew,
    >
    > right
    >
    > also read this:
    > http://www.leastprivilege.com/ASPNETAuthorizationSettings.aspx
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    Andrew, Dec 21, 2005
    #5
  6. This depends on how your roles are being generated and how your identity
    lifecycle works. For example, if you store your users in SQL and keep your
    role definitions in SQL, then the user would just need to do something that
    would trigger their addition to the new role. Then, a new logon should give
    them the new role.

    If you were using Windows authentication, then the role membership would
    come directly from the user's AD groups.

    The bottom line is that you can make it work however you want. The key is
    getting the users in the right roles and having that data provided to the
    forms authentication system. The <authorization> element is just a nice way
    to declaratively determine who gets access to what using the built-in
    UrlAuthorizationModule.

    Joe K.

    "Andrew" <> wrote in message
    news:...
    > That is not good for us:
    >
    > After a user (a Junior) has registered on my website, he/she should be able to
    > access all pages, except pages for Senior members, right away.
    >
    > He/she cannot wait for us to manually add them into a role, because we
    > may not check new members for days.
    >
    > Any other automatic ways? Thanks...
    Joe Kaplan (MVP - ADSI), Dec 21, 2005
    #6
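
One way to do what Joe describes for an application that keeps its roles in SQL and does not use the ASP.NET 2.0 role manager, as an added example that is not code from anyone in this thread. The `RoleTicket` class, the `UserRoles(UserName, RoleName)` table and the `Members` connection string are hypothetical names, and .NET 2.0 or later is assumed.

```csharp
// Added example. Hypothetical names: RoleTicket, table UserRoles(UserName, RoleName),
// connection string "Members". None of them come from the thread.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Call from the login page once the password has been verified.
    // The role list is read once, at logon, and stored in the ticket's UserData.
    public static void SignIn(HttpResponse response, string userName)
    {
        // Role names must not contain the '|' separator.
        string roles = string.Join("|", LoadRoles(userName));

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30),
            false,   // session cookie, not persistent
            roles);  // travels inside the protected ticket

        // Encrypt() honours <forms protection="...">; leave it at the default "All"
        // so the role list can be neither read nor altered on the client.
        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        cookie.Path = FormsAuthentication.FormsCookiePath;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.HttpOnly = true;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax. It runs after
    // FormsAuthenticationModule has validated the ticket and before
    // UrlAuthorizationModule evaluates the <authorization> rules.
    public static void AttachRoles(HttpContext context)
    {
        if (context.User == null) return;
        FormsIdentity identity = context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        string[] roles = identity.Ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }

    // Parameterized lookup against the hypothetical UserRoles table.
    private static string[] LoadRoles(string userName)
    {
        List<string> roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["Members"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE UserName = @name", conn))
        {
            cmd.Parameters.AddWithValue("@name", userName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles.ToArray();
    }
}
```

Because the role list is fixed when the ticket is issued, a change in the database only reaches the user at the next logon, which is the behaviour Joe mentions.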
  7. Hello Andrew,

    why not add them to a role programmatically upon registration?
    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > That is not good for us:
    >
    > After a user (a Junior) has registered on my website, he/she should be
    > able to access all pages, except pages for Senior members, right away.
    >
    > He/she cannot wait for us to manually add them into a role, because
    > we may not check new members for days.
    >
    > Any other automatic ways? Thanks...
    Dominick Baier [DevelopMentor], Dec 21, 2005
    #7
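
Adding the user to a role at registration, sketched as an added example that is not code from anyone in this thread. It assumes the ASP.NET 2.0 membership and role manager providers are enabled; the `MemberRegistration` class and the `Senior` folder are hypothetical, and the role names are the "Junior" and "Senior" ones Andrew uses.

```csharp
// Added example. Assumed web.config (the "Senior" folder is hypothetical):
//
//   <system.web>
//     <authentication mode="Forms" />
//     <roleManager enabled="true" />
//   </system.web>
//
//   <location path="Senior">
//     <system.web>
//       <authorization>
//         <allow roles="Senior" />   <!-- first matching rule wins -->
//         <deny users="*" />
//       </authorization>
//     </system.web>
//   </location>
using System;
using System.Web.Security;

public static class MemberRegistration
{
    private const string DefaultRole = "Junior";  // granted to every new account
    private const string SeniorRole = "Senior";   // never granted at registration

    // Creates the account and puts it in the default role in one step,
    // so no administrator has to touch a new member.
    public static MembershipCreateStatus Register(
        string userName, string password, string email,
        string question, string answer)
    {
        MembershipCreateStatus status;
        Membership.CreateUser(userName, password, email,
                              question, answer, true, out status);
        if (status != MembershipCreateStatus.Success)
            return status;  // duplicate name, weak password, ...

        try
        {
            if (!Roles.RoleExists(DefaultRole))
                Roles.CreateRole(DefaultRole);
            Roles.AddUserToRole(userName, DefaultRole);
        }
        catch
        {
            // Do not leave an account behind that exists but has no role.
            Membership.DeleteUser(userName);
            throw;
        }

        FormsAuthentication.SetAuthCookie(userName, false);
        return status;
    }

    // Promotion stays a deliberate act. Call it only from an administration
    // page that is itself protected by an <authorization> rule.
    public static void PromoteToSenior(string userName)
    {
        if (Membership.GetUser(userName) == null)
            throw new ArgumentException("Unknown user.", "userName");
        if (!Roles.RoleExists(SeniorRole))
            Roles.CreateRole(SeniorRole);
        // AddUserToRole throws if the user already holds the role.
        if (!Roles.IsUserInRole(userName, SeniorRole))
            Roles.AddUserToRole(userName, SeniorRole);
    }
}
```

If the role manager is configured with `cacheRolesInCookie="true"`, a promoted user can keep the old role list until that cookie is refreshed.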
  8. Andrew

    Andrew Guest

    good idea, and how, :)
    any sample source code or reference papers?
    thanks....

    "Dominick Baier [DevelopMentor]" wrote:

    > Hello Andrew,
    >
    > why not add them to a role programmatically upon registration?
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    Andrew, Dec 21, 2005
    #8
  9. Andrew

    Andrew Guest

    any reference papers that contain more details on what you mentioned?

    thanks...

    "Joe Kaplan (MVP - ADSI)" wrote:

    > This depends on how your roles are being generated and how your identity
    > lifecycle works. For example, if you store your users in SQL and keep your
    > role definitions in SQL, then the user would just need to do something that
    > would trigger their addition to the new role. Then, a new logon should give
    > them the new role.
    >
    > If you were using Windows authentication, then the role membership would
    > come directly from the user's AD groups.
    >
    > The bottom line is that you can make it work however you want. The key is
    > getting the users in the right roles and having that data provided to the
    > forms authentication system. The <authorization> element is just a nice way
    > to declaratively determine who gets access to what using the built-in
    > UrlAuthorizationModule.
    >
    > Joe K.
    Andrew, Dec 21, 2005
    #9
  10. I think a Google search on "designing role-based authorization .NET" will
    get you started. There are also many great books around.

    Joe K.

    "Andrew" <> wrote in message
    news:...
    > any reference papers that contain more details on what you mentioned?
    >
    > thanks...
    Joe Kaplan (MVP - ADSI), Dec 21, 2005
    #10
  11. Hello Andrew,

    where are your roles stored?

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > good idea, and how, :)
    > any sample source code or reference papers?
    > thanks....
    Dominick Baier [DevelopMentor], Dec 21, 2005
    #11
    If you add someone automatically to a role upon registration then I almost
    don't even see a need for a role. If everybody gets it there is no need to
    deny access to it. So that part of the application would have no authority
    checking at all. Almost like creating and maintaining a role called "Every
    Single User". If everybody gets that role, what is the point of having the
    role?

    This may be my ignorance. Feel free to bust me wide open.

    Patrick

    "Dominick Baier [DevelopMentor]" <>
    wrote in message news:...
    > Hello Andrew,
    >
    > why not add them to a role programmatically upon registration?
    > ---------------------------------------
    > Dominick Baier - DevelopMentor
    > http://www.leastprivilege.com
    Patrick Allmond - Focus Consulting Inc, Dec 22, 2005
    #12
  13. hi,

    what's the point of "everyone" or "authenticated users" in Windows??

    Management is clearer - when you have a subdir where only registered users
    have access you can allow the "user" role - maybe you also have "premium
    users" and maybe also other roles - is it easier to make the distinction
    between users by looking at their role membership - or do you rather like
    to look at users with roles and users without roles...

    well, that's a matter of taste.

    I don't think it is unusual to put users into a standard role after registration.


    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > If you add someone automatically to a role upon registration then I
    > almost don't even see a need for a role. If everybody gets it there is
    > no need to deny access to it. So that part of the application would
    > have no authority checking at all. Almost like creating and
    > maintaining a role called "Every Single User". If everybody gets that
    > role, what is the point of having the role?
    >
    > This may be my ignorance. Feel free to bust me wide open.
    >
    > Patrick
    Dominick Baier [DevelopMentor], Dec 22, 2005
    #13