Windows authentication with custom user store

Discussion in 'ASP .Net Security' started by Danny Vucinec, May 23, 2007.

  1. I'm building a solution that uses Windows authentication. However, the
    Windows users that are allowed to login and use the application are defined
    in a custom user store. If a user is successfully authenticated by Windows,
    access should be denied if the user isn't in the custom user store.

    Using roles to authorize the users would be a good solution, but the fact
    is, that the web application uses both asp.net and classical asp. What other
    options could be used? I'm thinking of a custom SessionStateUtility that only
    issues a new session after the authenticated user is located in the user
    store.
    Danny Vucinec, May 23, 2007
    #1

  2. Another option could be the use of a custom "authentication cookie" that is
    issued after the user is located in the user store. This cookie should then
    be checked in every request. What would be a good technique for this solution?
    Danny Vucinec, May 23, 2007
    #2

  3. You can write an HttpModule that handles AuthorizeRequest (or in global.asax
    for a start).

    In this event you can check your user store and see if the user is in the
    allowed list.

    This event gets called on every request - once you have this working, you
    can think about optimizations, like a cookie or a flag in the cache...


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

    > Another option could be the use of a custom "authentication cookie"
    > that is issued after the user is located in the user store. This
    > cookie should then be checked in every request. What would be a good
    > technique for this solution?
    >
    Dominick Baier, May 23, 2007
    #3
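
The per-request check described in the reply above, as an added example that is not code from the thread. The module name, the cache key prefix, the five-minute lifetime and the in-memory `AllowedUsers` set (a constructed stand-in for the custom user store) are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

// Hypothetical module; assumes Windows authentication with anonymous access disabled.
public class UserStoreAuthorizationModule : IHttpModule
{
    // Constructed stand-in for the custom user store; replace with the real lookup.
    private static readonly HashSet<string> AllowedUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"EXAMPLE\alice", @"EXAMPLE\bob" };

    // Cached decisions mean a removed user keeps access for up to this long.
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);

    public void Init(HttpApplication application)
    {
        application.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        IIdentity identity = context.User != null ? context.User.Identity : null;

        // Fail closed: no identity, unauthenticated, or not in the store means 403.
        if (identity == null || !identity.IsAuthenticated || !IsAllowed(identity.Name))
        {
            context.Response.StatusCode = 403;
            context.ApplicationInstance.CompleteRequest(); // skip the handler, go to EndRequest
        }
    }

    private static bool IsAllowed(string windowsAccountName)
    {
        string key = "userstore-allowed:" + windowsAccountName.ToUpperInvariant();
        object cached = HttpRuntime.Cache[key];
        if (cached != null) return (bool)cached;

        bool allowed = AllowedUsers.Contains(windowsAccountName);
        HttpRuntime.Cache.Insert(key, allowed, null,
            DateTime.UtcNow.Add(CacheLifetime), Cache.NoSlidingExpiration);
        return allowed;
    }
}
```

A managed module only sees requests that pass through the ASP.NET pipeline, so classic ASP pages are covered only if those requests are routed through it as well (for example with a wildcard mapping on IIS 6 or the integrated pipeline on IIS 7).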