Thanks Joe and Dominick,
It was wishfull thinking on my part that there was a programmatic way to
use some available service to do essentially what the
UrlAuthorizationModule is doing. I ran into the parsing of the web.config
file a while back and that whole mechanism is not consistent between the
root and other directories containing web.config files. (I previously
posted that discrepency but heard back from no one...) But asside from
that, parsing of the web.config file and/or using reflection to determine
how the UrlAuthorizationModule is doing it was where I concluded I should
stop as the effort was not worth it. So Joe, your conclusion of just
keeping them in sync is what I will be doing.
Another bit of information also helped this decision. You both are
probably aware but I will make note of it here for others reading this
post that ASP.NET 2.0 has sitemaps which contain a role based attribute
for URLs. They also designed in this same capability which they call
'trimming' to remove urls from a menu system which the user is not
authorized to use. Assuming 2.0 production release is in the next 6-12
months I can live with the syncing issue and just wait for the
capabilities in 2.0.
Joe and Dominick thanks for your feedback. It is always a pleasure to have
other developers point out the error of my ways and help keep me out of
the mud.
Best regards,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
Joe Kaplan (MVP - ADSI) said:
Like I said, that part is the hard part as you need to parse the
web.config file and interpret the authorization tags in each location
element.
If I had to do this, I think I would start by reverse engineering the
UrlAuthorizationModule using a tool like .NET Reflector to see how they
are doing it. Then, you could write your own version to implement it as
you need to. I think you may find that it is a bit complicated under
there, but hopefully it will help.
The easier way might be to implement your own function based on a list of
URLs and allowable roles and just try to keep the two in sync. You'll
have a bit more maintenance to do, but much less work to do on the front
end.
Best of luck with whatever you decide.
Joe K.
Gery D. Dorazio said:
Hi Joe,
Your observations are exactly what I am running into...some desires
would be to not write a custom HttpModule and to continue using the
existing URLAuthorizationModule.
The centralized function idea appears ideal for this application but
that is where I am stuck. Here is an initial pass at this function...I
don't know how to check a URL against an IPrincipal to determine roles:
String[] allRoles = { "Admin", "User", "Editor" };
String[] GetUrlAllowableRoles(String targetURL)
{
GenericIdentity gi = new GenericIdentity("NoOneInParticular");
String[] targetRole;
GenericPrincipal gp;
for (int i = 0; i < allRoles.Length; i++)
{
targetRole[0] = allRoles
;
gp = new GenericPrincipal(gi, targetRole);
// so now what do I do to check it against the targetURL
}
}
This function would then be used for all the URLs specified in the menu
control file and the resulting roles added to the menu dataset which is
then saved as an Application object.
How can I do the URL to target role check in this function?
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
"Joe Kaplan (MVP - ADSI)" <[email protected]>
wrote in message You can really easy check the roles programmatically with
Context.User.IsInRole, but that doesn't necessarily solve the problem
of the roles getting out of sync with what you have in the web.config
as they are in two different places still.
If you really wanted a single point of configuration for both, I think
you might have to consider having some kind of a centralized function
that takes a URL and a IPrincipal and returns true or false for that.
You could then dynamically build the menu based on that and write a
custom HttpModule for authorization that also did the same thing.
You might also attempt to implement a hybrid where you use the existing
location tags in web.config to use as the store for this function so
that you could use the existing UrlAuthorizationModule (the thing that
enforces the <authorization/> tags in web.config). It would be really
easy if the UrlAuthorizationModule had the method you need already
exposed as you would be essentially done, but it does not appear to do
so.
HTH,
Joe K.
I restricting access to a web folder in the web.config file with
entries like this:
<location path="Account" allowOverride="false">
<system.web>
<authorization>
<allow roles="User,Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
I have a menu system that will only shows menu items (URLs) if the
user is authorized for them. Currently, I manually associate the roles
with the URL in a menu control file. This essentially duplicates whats
in the web.config file above. The problem is that the web.config and
menu control file can get out of sync with each other. If the URL
roles could be determined programmatically this would not be an issue.
So how can the roles for a URL be determined programmatically?
Thanks,
Gery
--
Gery D. Dorazio
Development Engineer
EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327