Windows + Custom Security hybrid??

[Chris Cichocki]

We have an ASP.Net 1.0 application that has a proprietary database with role
information in it. The site is configured to use Windows authentication,
then it uses your Windows ID as the key to load your role information and
store it in a custom object along with some other user attributes. Now I
need to implement this same functionality in ASP.Net 2.0 with Membership and
Roles Providers, and extend the Membership User to add the extra attributes
for the user. I'm not quite sure where to start with this one though...

One of the keys to the current (as well as new) implementation is that all
the information is loaded behind the scenes and the user never has to go
through a sign-in process.

I need to get the Windows identity because that is going to be the key for
loading the extended user attributes as well as role list, but I need to use
"custom" membership and role providers (I think).

Your suggestions are appreciated!
Chris

 

[Steven Cheng[MSFT]]

Hello Chris,

From your description, you have an ASP.NET 1.1 application which use
windows authentication and does authorization based on the roles of each
windows user (access control check in application), also each user has some
application specific data associated with him. Currently, you're going to
upgrade the application to ASP.NET 2.0 and want to utilize the new
membership/role provider features to do the same task, correct?

Based on my understanding, you could reimplement the security mechanism in
ASP.NET 2.0 through the following approach:

** still configured IIS to use intergrated windows and make ASP.NET use
windows authentication.

** and the role based <authorization> setting still remain the same(define
role based acccess control for individual pages or sub directory...)

** change the application to use SqlRoleProvider so that we can store our
custom roles for windows user(based on windows username) in SqlServer
database.

here is a good blog article(from scottgu's weblog) which has demonstrate a
typical sampe application similar to your scenario.

#Recipe: Implementing Role-Based Security with ASP.NET 2.0 using Windows
Authentication and SQL Server
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Bas
ed-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.asp
x

In addition, since you mentioned that you also want to add some additional
cuatom datas associated with each user, you can consider use the Profile
service in ASP.NET 2.0 whicn can help store some per-user specific data and
is also provider based(default provider is sqlserver provider).


#ASP.NET Profile Properties Overview
http://msdn2.microsoft.com/en-us/library/2y3fs9xs.aspx

#ASP.NET Profile Properties
http://msdn2.microsoft.com/en-us/library/at64shx3.aspx

Hope this helps. If you have any further questions on this, please feel
free to let me know.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



==================================================

Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.



Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================



This posting is provided "AS IS" with no warranties, and confers no rights.