Advice: Authentication

PK

Hi folks,

I hope to get some of your advice on an authentication question that
came up during the planning of a web app. I'm a bit new to asp.net, so if
you can offer some experience, I'd greatly appreciate it!

I like form-based authentication because the usernames and passwords can
be stored in a database rather than in Windows (which, for security
reasons, can only be maintained by a specific person or two). Also, I'd
like to give my users the ability to log out, which is not something
I've seen in Windows authentication.

One of the main purposes of this app is to provide a search to find and
download (via resulting links) sensitive files. Forms/database
authentication is great for this, because the stored procedure that does
the search can be altered to make sure the logged-in username has rights
to download the results.

However, we would like to apply Windows security on the files to be
downloaded *just in case* a user navigates to the path of a file they
would otherwise not have permissions to. How can I mix the two types to
get what I want out of each -- without prompting the user to log in
twice!

Has anyone encountered a similar issue?

Thanks!

PK
 
Jim Cheshire [MSFT]

PK,

You first need to realize that you cannot set the authentication method
below the application root. If you want to control access to these files,
your best bet is to store them outside of the content area and then use
BinaryWrite to write a byte array to the HTTP stream. That way, you can
decide via code whether or not your BinaryWrite code should run and no one
will be able to browse directly to the files.

Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
(e-mail address removed)

This post is provided "AS-IS" with no warranties and confers no rights.
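One way to implement the approach Jim describes, as an added example that is not from the thread or from Microsoft: an ASP.NET IHttpHandler that streams a file with BinaryWrite only after the forms-authenticated user passes the same rights check the search uses, with the files kept outside the content area. The folder C:\SecureFiles, the handler name and the in-memory SampleRights table are assumptions standing in for the real file store and stored procedure.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;

// Serves files stored outside the web content area, so no URL maps to them;
// the only route to a file is through this handler's checks.
public class SecureDownloadHandler : IHttpHandler
{
    // Hypothetical folder outside the application's content directory.
    private const string FileRoot = @"C:\SecureFiles";
    // Constructed sample rights table standing in for the stored-procedure
    // lookup from the thread (username -> file names the user may fetch).
    private static readonly Dictionary<string, string[]> SampleRights =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { "alice", new[] { "q1-report.pdf", "budget.xlsx" } },
            { "bob",   new[] { "q1-report.pdf" } }
        };

    public bool IsReusable { get { return true; } }

    public static bool UserMayDownload(string user, string file)
    {
        string[] allowed;
        return SampleRights.TryGetValue(user, out allowed)
            && Array.IndexOf(allowed, file) >= 0;
    }

    public void ProcessRequest(HttpContext context)
    {
        HttpResponse resp = context.Response;
        // Forms authentication must already have identified the caller.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        { resp.StatusCode = 401; return; }
        // Accept a bare file name only, so the request cannot escape FileRoot.
        string name = context.Request.QueryString["file"] ?? "";
        if (name.Length == 0 || name != Path.GetFileName(name)
            || name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
        { resp.StatusCode = 400; return; }
        // The same rights check the search stored procedure applies.
        if (!UserMayDownload(context.User.Identity.Name, name))
        { resp.StatusCode = 403; return; }
        string fullPath = Path.Combine(FileRoot, name);
        if (!File.Exists(fullPath)) { resp.StatusCode = 404; return; }
        // The decision to run BinaryWrite is made in code, not by IIS.
        resp.ContentType = "application/octet-stream";
        resp.AddHeader("Content-Disposition", "attachment; filename=\"" + name + "\"");
        resp.BinaryWrite(File.ReadAllBytes(fullPath));
        resp.End();
    }
}
```

Register the handler for a path such as download.ashx in web.config, and have the search results link to it with the file name in the query string rather than to the file itself.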

PK

Actually, I found two great articles on this subject. The one I found
most useful was:

http://www.dotnetbips.com/displayarticle.aspx?id=201

It's a great article about how you have the functionality of Windows
authentication with the behavior of Forms authentication using the Win32
API LogonUser().

Another that is pretty good as well, but didn't cover exactly what I was
looking for, is:

http://msdn.microsoft.com/asp.net/using/understanding/security/default.aspx?pull=/library/en-us/dnaspp/html/MixedSecurity.asp