Windows Authenticaiton with custom Roles

[charles]

Hi,

I am trying to port my ASP application to ASP.Net 2.0

My application is sold to large corporations that have many thousands
of users. So I do not use Forms authentication. To make it more
convenient for them I developed a custom hybrid model of authentication
and authorization.

You see, the site administrator is often a non-technical person and
doesn't have the rights to create Windows Groups or Windows Accounts
or assign Windows Users to Windows Groups.

For this reason, I created a web interface that allows an administrator
to create and edit "Site Roles" (as I call them). All he must do is
associate an existing Windows User Group with the Site Role, and then
decide which security contexts that Site Role may access.

When a user accesses the site, he's authenticated using Windows
Authentication (Integrated). Then in the Session_OnStart event I have
code that determines which Roles that user belongs to and which
Security Contexts that user has permission to. I store these in Session
variables for that user.

If a Windows User is not a member of any Windows Group associated to a
Site Role, they do not get access.

Each page that has security contexts has code that checks the session
variable to make sure that user has access or not to that context. If
not, they are presented with an error message popup after being
redirected to the page they came from (or the default page if no
referrer was found).

What I want to do is build a similar method of authorization in my .Net
application. I know there are many new security features in .Net; I
just haven't learned them all so I can't make an informed decision
as to how to proceed.

Anyone have any suggestions or examples of Windows Authentication but
using custom Role based authorization?

 

[Patrick.O.Ige]

Look through at this articles:-
http://aspalliance.com/553
http://msdn2.microsoft.com/en-us/library/ms172766(VS.80).aspx
Patrick

 

[Erik Funkenbusch]

What I want to do is build a similar method of authorization in my .Net
application. I know there are many new security features in .Net; I
just haven't learned them all so I can't make an informed decision
as to how to proceed.

You may want to look into AuthorizationManager (aka AzMan). It does
basically the same thing you're talking about, without having to write any
code.

 

[charles]

Thanks for your replies guys.

I think I have a way to use the Windows user with my own set of custom
Roles. I'm not exactly clear how to impliment the idea yet though.

Note that the application is impersonating domain account so I'm not
using "WindowsIdentity.GetCurrent()" (That would return the
impersonated account name) but instead I'm using "Page.User.Identity"
to get the current logged in user.


Dim myIdentity As WindowsIdentity
Dim myPrincipal As GenericPrincipal 'WindowsPrincipal

Dim UserRoles(1) As String

myIdentity = Page.User.Identity

' ...
' This is where I will test to see which Windows User groups
' this user belongs to, then associate "Roles" for the user
based on those groups
' Each custom "Role" will be a context security such as "allow
publish"
' ...
UserRoles(0) = "Allow Publish"

' Create the identity and the principal
'myIdentity = New GenericIdentity(txtUserName.Text)
myPrincipal = New GenericPrincipal(myIdentity, UserRoles)

' Assign the context

Thread.CurrentPrincipal = myPrincipal

I'm not sure if this will work, but it's my only idea at this point. If
anyone has any ASP.Net 2.0 examples of the above idea in VB I would be
eternally grateful.

I would like to use the new Navigation controls in Visual Studio 2005,
such as the TreeView to provide navigation to users, I'm hoping that I
can use these custom roles to prevent some links from being listed on
the navigation controls. I have no idea how to do that either.