Since you are using Windows Integrated Security and all the other parts
that make life wonderful, I would agree with Joe Kaplan and look into the
token that is available on every page you request. At least it is
available on every page if anonymous authentication is also off, or
web.config only allows authenticated users, or some ACL set somewhere
forces the authentication. But anyway, on to the references...
Dan Appleman wrote a nice e-book on Amazon that covers ways to use
reflection to call private members of the framework to get at a token's
groups. It is really cool but not a secure practice. With the 1.1
framework you can run the web application in partial trust modes that
disallow reflection, which is good. Here is the link, called Hijacking
.Net Vol 1: Role Based Security [DOWNLOAD: PDF]:
http://www.amazon.com/exec/obidos/t..._dtl_eb/104-6955238-2682323?v=glance&s=ebooks
Another way to get the user groups from a token is through P/Invoke of
the Win32 APIs. Keith Brown wrote a COM component so that we as C#
developers can call it through COM Interop rather than the laborious
P/Invoke process that it would take in C#. Look at the code and you will
see. Here is the link:
http://www.pluralsight.com/keith/security/code/tokdumpsrv.zip
Their site is brand new, so I actually had to infer this link. Look in
the bin directory and register the DLL. If you need some help getting
it to work before they have the site running, let me know. Or see the
next item.
I have worked on an HttpModule that hosts tokdumpsrv.dll. The module
is set up to accept providers. I wrote a sample provider that
contains the HttpModule. It is all in a solution with a sample web app
just to demo how it could work when I am done. Basically there is just
a default.aspx page that does nothing more than show you who the user
requesting the page is. Add the querystring (?DCtrace=true) to the end of
the URL and out comes the full token dump of the thread token and the
process token. My intention for this is to be able to troubleshoot
developer and production web servers experiencing authentication and
authorization craziness...
Check out a screen dump and download a zip of the solution here in my
blog:
http://www.deploymentcentric.com/Blogs/joe/PermaLink.aspx?guid=5c549203-fa43-434d-84a0-a445a870cdbb
Send me your questions and maybe I can get back to working on it.
I am hoping that the 2.0 framework will have some of these features
built in. IsInRole is nice, but you have to know the roles ahead of
time. That is great for standard role-based security.
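As an added illustration of the kind of diagnostic module the post describes (this is example code written here, not the poster's module and not Keith Brown's tokdumpsrv), here is an HttpModule that answers the same `?DCtrace=true` switch by listing the groups in the request's Windows token. It uses the managed `WindowsIdentity.Groups` property that shipped with the 2.0 framework instead of reflection, COM Interop or P/Invoke, so it only sees the identity ASP.NET attached to the request, not the process token. It assumes Windows authentication with anonymous access off, and the module name `TokenDumpModule` and the `<httpModules>` registration shown in the comment are hypothetical.

```csharp
using System;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical diagnostic module (example code, not the poster's or Keith Brown's).
// Registered in web.config under <httpModules>, e.g.
//   <add name="TokenDump" type="TokenDumpModule" />
public class TokenDumpModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // By AuthorizeRequest, ASP.NET has already attached the Windows identity
        // to the context, so it is safe to inspect here.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }

    public void Dispose() { }

    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Only act on the same query string switch the post uses: ?DCtrace=true
        string flag = ctx.Request.QueryString["DCtrace"];
        if (!string.Equals(flag, "true", StringComparison.OrdinalIgnoreCase))
            return;

        // Group membership is useful to an attacker, so only answer requests
        // made from the server itself (Request.IsLocal is a 2.0 property).
        if (!ctx.Request.IsLocal)
            return;

        WindowsIdentity id = (ctx.User == null) ? null : ctx.User.Identity as WindowsIdentity;
        if (id == null || !id.IsAuthenticated)
            return; // anonymous or non-Windows authentication: nothing to dump

        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(DescribeIdentity(id));
        app.CompleteRequest(); // short-circuit the page; this is a diagnostic response
    }

    // Builds the dump: user name, auth type, impersonation level, and every
    // group SID in the token resolved to an account name where possible.
    public static string DescribeIdentity(WindowsIdentity id)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("User:  " + id.Name);
        sb.AppendLine("Type:  " + id.AuthenticationType);
        sb.AppendLine("Impersonation level: " + id.ImpersonationLevel);
        sb.AppendLine("Groups:");
        foreach (IdentityReference group in id.Groups)
        {
            string name;
            try
            {
                name = group.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                // e.g. a SID from a domain this server cannot reach; keep the raw SID
                name = "<unresolved>";
            }
            sb.AppendLine("  " + name + "  (" + group.Value + ")");
        }
        return sb.ToString();
    }
}
```

Enumerating `id.Groups` is the complement of `IsInRole`: you get every group the token carries without naming the roles up front, which is exactly what you want when an authorization rule is failing and you do not yet know which group is missing. The `IsLocal` gate is the one check worth keeping even in a development module, since a token dump reachable from any client hands out the same information an attacker would otherwise have to enumerate.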