How can roles be determined for a resource?

Gery D. Dorazio

I am restricting access to a web folder in the web.config file with entries
like this:

<location path="Account" allowOverride="false">
  <system.web>
    <authorization>
      <allow roles="User,Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>


I have a menu system that only shows menu items (URLs) if the user is
authorized for them. Currently, I manually associate the roles with the URL
in a menu control file. This essentially duplicates what's in the web.config
file above. The problem is that the web.config and menu control file can get
out of sync with each other. If the URL roles could be determined
programmatically this would not be an issue.

So how can the roles for a URL be determined programmatically?

Thanks,
Gery


--
Gery D. Dorazio
Development Engineer

EnQue Corporation
1334 Queens Road
Charlotte, NC 28207
(704) 377-3327
 
Joe Kaplan (MVP - ADSI)

You can really easily check the roles programmatically with
Context.User.IsInRole, but that doesn't necessarily solve the problem of the
roles getting out of sync with what you have in the web.config, as they are
still in two different places.

If you really wanted a single point of configuration for both, I think you
might have to consider having some kind of a centralized function that takes
a URL and an IPrincipal and returns true or false for that. You could then
dynamically build the menu based on that and write a custom HttpModule for
authorization that also did the same thing.

You might also attempt to implement a hybrid where you use the existing
location tags in web.config as the store for this function, so that you
could keep using the existing UrlAuthorizationModule (the thing that enforces
the <authorization/> tags in web.config). It would be really easy if the
UrlAuthorizationModule already exposed the method you need, as you would be
essentially done, but it does not appear to.

HTH,

Joe K.
 
Gery D. Dorazio

Hi Joe,

Your observations are exactly what I am running into...some desires would be
to not write a custom HttpModule and to continue using the existing
URLAuthorizationModule.

The centralized function idea appears ideal for this application but that is
where I am stuck. Here is an initial pass at this function...I don't know
how to check a URL against an IPrincipal to determine roles:


using System;
using System.Collections;
using System.Security.Principal;

String[] allRoles = { "Admin", "User", "Editor" };

String[] GetUrlAllowableRoles(String targetURL)
{
    // A throwaway identity; only the role it is given matters for the check.
    GenericIdentity gi = new GenericIdentity("NoOneInParticular");
    String[] targetRole = new String[1];
    GenericPrincipal gp;
    ArrayList allowed = new ArrayList();
    for (int i = 0; i < allRoles.Length; i++)
    {
        targetRole[0] = allRoles[i];   // test one role at a time
        gp = new GenericPrincipal(gi, targetRole);
        // so now what do I do to check it against the targetURL?
        // (if gp passes for targetURL, add allRoles[i] to 'allowed')
    }
    return (String[])allowed.ToArray(typeof(String));
}

This function would then be used for all the URLs specified in the menu
control file and the resulting roles added to the menu dataset which is then
saved as an Application object.


How can I do the URL to target role check in this function?


Thanks,
Gery


Joe Kaplan (MVP - ADSI)

Like I said, that part is the hard part as you need to parse the web.config
file and interpret the authorization tags in each location element.

If I had to do this, I think I would start by reverse engineering the
UrlAuthorizationModule using a tool like .NET Reflector to see how they are
doing it. Then, you could write your own version to implement it as you
need to. I think you may find that it is a bit complicated under there, but
hopefully it will help.

The easier way might be to implement your own function based on a list of
URLs and allowable roles and just try to keep the two in sync. You'll have
a bit more maintenance to do, but much less work to do on the front end.

Best of luck with whatever you decide.

Joe K.

Dominick Baier [DevelopMentor]

Hello Joe,

and for 1.1 it is even harder, as all the section handlers, e.g. the
AuthorizationSection, are internal. So you need plain XML parsing and, unlike
in 2.0, you get no strongly typed config access. I would also start looking at
UrlAuthorizationModule with Reflector - it is not that hard - but you have to
get your head around that.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
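As an added example (not code from this thread, and not how UrlAuthorizationModule itself is implemented), here is a Python model of what Joe and Dominick describe: parse the web.config as plain XML, collect the <authorization> rules of the root <system.web> and of each <location>, and evaluate them for a URL and a principal with the documented semantics (the most specific location's rules first, the first matching rule wins, and a request no rule matches is allowed). It also does what Gery's GetUrlAllowableRoles was aiming at: it tries each known role against a URL to recover the allowed list, and trims a menu for a given user. The sample web.config, the user names and the role names are constructed for the example.

```python
"""Offline evaluator for ASP.NET <authorization> rules in a web.config."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample web.config for this example (not the poster's file).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
  <location path="Account" allowOverride="false">
    <system.web>
      <authorization>
        <allow roles="User,Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
  <location path="Reports/public.aspx">
    <system.web>
      <authorization>
        <allow users="?"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

Rule = Tuple[str, List[str], List[str]]   # (allow|deny, users, roles)

def _split(attr: Optional[str]) -> List[str]:
    """Split a comma-separated users= or roles= attribute into a list."""
    return [v.strip() for v in (attr or "").split(",") if v.strip()]

def _rules_of(system_web: Optional[ET.Element]) -> List[Rule]:
    """Collect <allow>/<deny> rules under <system.web>/<authorization>, in document order."""
    auth = system_web.find("authorization") if system_web is not None else None
    if auth is None:
        return []
    return [(c.tag, _split(c.get("users")), _split(c.get("roles")))
            for c in auth if c.tag in ("allow", "deny")]

def load_rules(config_xml: str) -> List[Tuple[str, List[Rule]]]:
    """Return [(path_prefix, rules)]; the root <system.web> gets the empty prefix."""
    root = ET.fromstring(config_xml)
    scopes = [("", _rules_of(root.find("system.web")))]
    for loc in root.findall("location"):
        path = (loc.get("path") or "").strip("/").lower()
        scopes.append((path, _rules_of(loc.find("system.web"))))
    return scopes

def _applies(path: str, url: str) -> bool:
    """A location path covers that exact file or everything beneath that folder."""
    return path == "" or url == path or url.startswith(path + "/")

def is_authorized(config_xml: str, url: str, user: Optional[str], roles: List[str]) -> bool:
    """Model of UrlAuthorizationModule: most specific location first, first matching
    rule wins, and a request no rule matches is allowed (the default machine-level
    rule is <allow users="*"/>).  user=None means an anonymous request."""
    url = url.strip("/").lower()
    scopes = [s for s in load_rules(config_xml) if _applies(s[0], url)]
    scopes.sort(key=lambda s: len(s[0]), reverse=True)  # longest prefix first
    anonymous = user is None
    held = {r.lower() for r in roles}
    for _, rules in scopes:
        for verb, users, rule_roles in rules:
            hit = ("*" in users
                   or (anonymous and "?" in users)
                   or (not anonymous and user.lower() in (u.lower() for u in users))
                   or any(r.lower() in held for r in rule_roles))
            if hit:
                return verb == "allow"
    return True

def allowed_roles(config_xml: str, url: str, all_roles: List[str]) -> List[str]:
    """What GetUrlAllowableRoles was reaching for: try each known role as a lone
    authenticated principal (the name is an assumption) and keep the ones admitted."""
    return [r for r in all_roles
            if is_authorized(config_xml, url, "NoOneInParticular", [r])]

def trim_menu(config_xml: str, menu_urls: List[str], user: Optional[str],
              roles: List[str]) -> List[str]:
    """Security-trim a menu: keep only the URLs this principal may reach."""
    return [u for u in menu_urls if is_authorized(config_xml, u, user, roles)]
```

Calling `trim_menu(SAMPLE_WEB_CONFIG, ["Default.aspx", "Account/Login.aspx", "Admin/Users.aspx"], "bob", ["User"])` keeps the first two URLs and drops the Admin one. The evaluator only decides what to display; UrlAuthorizationModule remains the enforcement point, so a mismatch between the two would hide or show a link but never grant access. Note the role of the trailing `<deny users="*"/>`: without it, a principal that matches none of the location's rules falls through to the root `<allow users="*"/>` and is admitted.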
Gery D. Dorazio

Thanks Joe and Dominick,

It was wishful thinking on my part that there was a programmatic way to use
some available service to do essentially what the UrlAuthorizationModule is
doing. I ran into the parsing of the web.config file a while back and that
whole mechanism is not consistent between the root and other directories
containing web.config files. (I previously posted that discrepancy but heard
back from no one...) But aside from that, parsing of the web.config file
and/or using reflection to determine how the UrlAuthorizationModule is doing
it was where I concluded I should stop as the effort was not worth it. So
Joe, your conclusion of just keeping them in sync is what I will be doing.

Another bit of information also helped this decision. You both are probably
aware but I will make note of it here for others reading this post that
ASP.NET 2.0 has sitemaps which contain a role based attribute for URLs. They
also designed in this same capability which they call 'trimming' to remove
URLs from a menu system which the user is not authorized to use. Assuming
2.0 production release is in the next 6-12 months I can live with the
syncing issue and just wait for the capabilities in 2.0.

Joe and Dominick thanks for your feedback. It is always a pleasure to have
other developers point out the error of my ways and help keep me out of the
mud.

Best regards,
Gery


Joe Kaplan (MVP - ADSI)

Ah, I figured 2.0 was a better story and I'm glad to know that it is. I'm
not really doing a lot with the new ASP.NET features yet as I've been
concentrating on other 2.0 areas.

The release date is currently in early November (< 6 months) and there is a
go-live license for the beta, so you can use it now in production if you
want.

Joe K.

paul.taylor.ctr

Gery,

I recently ran into a similar issue with URLAuthorizationModule. I
was hoping for a convenience method to perform a quick authorization
check on a URL but, as you know, there is none. However, after bumping
around for a little bit I came up with this...


using System.Net;

private bool IsAuthorized(string url)
{
    bool isAuthorized = true;
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);

    // Send the current process identity's Windows credentials with the probe.
    request.PreAuthenticate = true;
    request.Credentials = CredentialCache.DefaultCredentials;
    HttpWebResponse response = null;
    try
    {
        response = (HttpWebResponse)request.GetResponse();
    }
    catch (WebException ex)
    {
        // GetResponse throws on a non-success status, so a 401 arrives here
        // rather than as a normal response object.
        response = (HttpWebResponse)ex.Response;
        if (response == null) throw;
    }

    if (response.StatusCode == HttpStatusCode.Unauthorized)
        isAuthorized = false;

    response.Close();
    return isAuthorized;
}

Now I know this isn't the most graceful solution but you could incorporate
some caching of the allowed URLs and it should be all good.

Paul Taylor
Software Programmer
Northrop Grumman IT
 
Dominick Baier [DevelopMentor]

Hello (e-mail address removed),

but this will only work if impersonation is turned on - something I would
not recommend.
 
Paul Taylor

Dominick,

I half-agree that impersonation is needed...

-- The Agreement Part
In the code snippet I provided earlier, impersonation is necessary but
not because URL Authorization requires it. It is necessary because
CredentialCache.DefaultCredentials doesn't contain all the user
principal information needed to do the access check. To get around
this problem you don't have to turn impersonation on site-wide
(web.config), just turn it on right before you get the default
credentials. I agree that impersonation site-wide can be a nasty thing
to contend with, but using it programmatically, in a small scope, can
be extremely useful. Like so:

using System.Net;
using System.Security.Principal;

private bool IsAuthorized(string url)
{
    bool isAuthorized = true;
    // Impersonate the current user (Context is the page's HttpContext).
    WindowsImpersonationContext user = null;
    if (Context.User != null &&
        Context.User.Identity is WindowsIdentity)
    {
        WindowsIdentity identity = (WindowsIdentity)Context.User.Identity;
        user = identity.Impersonate();
    }

    // With the thread now running as the caller, DefaultCredentials carry
    // that user's token on the probe request.
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
    request.PreAuthenticate = true;
    request.Credentials = CredentialCache.DefaultCredentials;
    HttpWebResponse response = null;
    try
    {
        response = (HttpWebResponse)request.GetResponse();
    }
    catch (WebException ex)
    {
        // A 401 is raised as a WebException, not returned as a response.
        response = (HttpWebResponse)ex.Response;
        if (response == null) throw;
    }

    if (response.StatusCode == HttpStatusCode.Unauthorized)
        isAuthorized = false;

    response.Close();

    // Undo the impersonation.
    if (user != null)
        user.Undo();

    return isAuthorized;
}

-- The Disagree Part
Below is my web.config, which does not have impersonation enabled.
Normal page retrieval works as it should. (i.e. aspx pages in the admin
directory load when I'm in the group, but provide the security prompt
when I'm not.)

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly"/>
    <authentication mode="Windows"/>
    <authorization>
      <allow users="*"/>
    </authorization>
    <sessionState mode="InProc"
                  stateConnectionString="tcpip=127.0.0.1:42424"
                  sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes"
                  cookieless="false"
                  timeout="20"/>
  </system.web>
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="mydomain\mygroup"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>
 
Joe Kaplan (MVP - ADSI)

Impersonation should only be required here if you have applied a Windows
file system ACL on that directory using that group in addition to the
location tag.

Otherwise, I'm not sure what the impersonation is doing here. What
resources are being accessed in Windows that require impersonation of the
authenticated user?

Joe K.
 
Dominick Baier [DevelopMentor]

Hello (e-mail address removed),

then we both agree - because I only argued from the code snippet you sent :)

always do impersonation in a try/finally block - if for whatever reason
your code does not take the normal path of execution, e.g. by encountering
an exception, you are leaking the thread principal up the call stack. As you
can imagine, this could lead to interesting results.
 
Joe Kaplan (MVP - ADSI)

Doh!

I actually did read it but misunderstood what he was saying. I somehow
inverted the meaning of what he was saying in the agree/disagree part. My
bad. :)

Joe K.
 
