asp.net 2.0 security

  • Thread starter ireallyneedtoknow2007

ireallyneedtoknow2007

hi all
I have to secure an internet application to only allow certain users
and have come up with the following page load and web.config code.
basically I allow all users access then catch their user name in the
page load and allow/deny access based on <add key="allowed"
value="user1"/> in web config (this could be a database call).

I did not use <allow users="user"/> <deny users="*"></deny> because I
want to redirect users to an error page.

Also, I do not have the option of making users sign in so using forms
based security will not work.

my question: given all that I have said, what are the flaws with my
approach?

my page load includes the following:

using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;

protected void Page_Load(object sender, EventArgs e)
{
    // comma-separated list of user names from <appSettings> (this could be a database call)
    string[] allowed = ConfigurationManager.AppSettings["allowed"].Split(',');
    bool b = false;

    // the Windows account that IIS authenticated for this request, e.g. DOMAIN\user
    WindowsPrincipal winPrincipal = (WindowsPrincipal)HttpContext.Current.User;
    string us = winPrincipal.Identity.Name;

    // remove domain from domain\user
    // (take the last element so a name without a backslash does not throw on split[1])
    string[] split = us.Split('\\');
    string user = split[split.Length - 1];

    foreach (string s in allowed)
    {
        if (user.Equals(s.Trim(), StringComparison.OrdinalIgnoreCase))
        {
            b = true;
            break;
        }
    }
    if (!b)
    {
        Response.Redirect("http://xxx.html");
    }
}


web.config:

<add key="allowed" value="user1"/>

<authentication mode="Windows"> </authentication>
<authorization> <allow users="*"/> </authorization>
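As an added example (not code from the thread or from the poster), here is the same allow-list check written the way a practitioner would harden it: the whole DOMAIN\user name is compared case-insensitively instead of the part after the backslash, anonymous or unauthenticated requests are denied rather than crashing on split[1], and the check runs once per request from Global.asax so a page that forgets it is not silently exposed. It assumes ASP.NET 2.0 with Windows authentication; the appSettings key "allowed" follows the post, while the class name, the error page "~/AccessDenied.html" and the sample account names are assumptions.

```csharp
// Added example (not code from the thread). Assumes ASP.NET 2.0 with Windows
// authentication. The appSettings key "allowed" follows the post; the class name,
// the error page "~/AccessDenied.html" and the sample account names are assumptions.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Security.Principal;
using System.Web;

public static class AllowListAuthorizer
{
    // "MAPLE\jenny, PINE\bob" -> ["MAPLE\jenny", "PINE\bob"]; blank entries are dropped.
    public static string[] ParseAllowed(string raw)
    {
        List<string> names = new List<string>();
        if (string.IsNullOrEmpty(raw))
            return names.ToArray();
        foreach (string part in raw.Split(','))
        {
            string trimmed = part.Trim();
            if (trimmed.Length > 0)
                names.Add(trimmed);
        }
        return names.ToArray();
    }

    // Match the whole DOMAIN\user name. Windows account names are case-insensitive,
    // so compare ordinally ignoring case instead of calling ToLower() on both sides.
    public static bool IsAllowed(IIdentity identity, string[] allowed)
    {
        // Anonymous requests: with <allow users="*"/> ASP.NET lets them through and
        // Identity.Name is "", which is what makes split[1] throw in the original.
        // Here they are simply denied.
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            return false;

        foreach (string entry in allowed)
        {
            // An entry without a domain ("jenny") is a configuration mistake: refusing
            // to match it avoids the MAPLE\jenny versus PINE\jenny ambiguity.
            if (entry.IndexOf('\\') < 0)
                continue;
            if (string.Equals(identity.Name, entry, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}

// Global.asax code-behind (web application project): one check for every request
// instead of one per Page_Load.
public class Global : HttpApplication
{
    const string DeniedPage = "~/AccessDenied.html";

    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // Let the error page itself through, otherwise the redirect loops.
        if (string.Equals(Request.AppRelativeCurrentExecutionFilePath, DeniedPage,
                          StringComparison.OrdinalIgnoreCase))
            return;

        string[] allowed = AllowListAuthorizer.ParseAllowed(
            ConfigurationManager.AppSettings["allowed"]);
        IIdentity identity = Context.User == null ? null : Context.User.Identity;

        if (!AllowListAuthorizer.IsAllowed(identity, allowed))
        {
            // Response.Redirect(url) alone ends the response by throwing
            // ThreadAbortException; the two-step form avoids that.
            Response.Redirect(DeniedPage, false);
            CompleteRequest();
        }
    }
}

/* web.config for this example. <deny users="?"/> comes first so an anonymous
   request gets a 401 and IIS must authenticate it before the list is consulted.
<appSettings>
  <add key="allowed" value="MAPLE\jenny,PINE\bob"/>
</appSettings>
<system.web>
  <authentication mode="Windows"/>
  <authorization>
    <deny users="?"/>
    <allow users="*"/>
  </authorization>
</system.web>
*/
```

In IIS, enable Integrated Windows authentication and disable anonymous access for the application; together with `<deny users="?"/>` that guarantees Identity.Name is populated by the time Application_AuthorizeRequest runs. The redirect still lands the user on an error page, which was the reason for not using `<allow users="user"/>` with `<deny users="*"/>`.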
 

Vapordan

Nothing wrong inherently. Oh, you have now exposed the user list in the
config file. To sleep soundly at night, I would just encrypt it instead of
having it plain text, something .NET supports out of the box. Slight
performance hit, but sure zzzz at night.

You are also in a bit of hot water with the domain portion since Jenny from
the config file will match with MAPLE\Jenny and/or PINE\Jenny.

--
Regards,
Alvin Bruney [MVP ASP.NET]

[Shameless Author plug]
The O.W.C. Black Book, 2nd Edition
Exclusively on www.lulu.com/owc $19.99
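The encryption mentioned above is ASP.NET protected configuration. As an added example (not code from the thread), the following encrypts the appSettings section of an application's web.config with the DPAPI provider from code and shows that the reading side does not change. The virtual path "/MyApp", the class name and the method names are assumptions.

```csharp
// Added example (not code from the thread). Encrypts the <appSettings> section of an
// application's web.config with the DPAPI protected-configuration provider. The
// virtual path "/MyApp" and the class and method names are assumptions.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // Provider names as registered in machine.config. DPAPI ties the key to this
    // machine, which is fine for a single server; for a web farm use
    // "RsaProtectedConfigurationProvider" with an exported RSA key container.
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    public static void Protect(string appVirtualPath, string sectionName, string provider)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No section named " + sectionName);
        if (section.SectionInformation.IsProtected)
            return; // already encrypted

        section.SectionInformation.ProtectSection(provider);
        // The section's values did not change, so force the rewrite to disk.
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    public static void Unprotect(string appVirtualPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // The reading side needs no change: ConfigurationManager decrypts a protected
    // section transparently as long as the worker-process identity can use the key.
    public static string[] ReadAllowed()
    {
        string raw = ConfigurationManager.AppSettings["allowed"];
        return string.IsNullOrEmpty(raw) ? new string[0] : raw.Split(',');
    }

    // Run once on the web server, as an account that can write the web.config.
    public static void Main(string[] args)
    {
        Protect("/MyApp", "appSettings", DpapiProvider);
        Console.WriteLine("appSettings of /MyApp is now protected.");
    }
}
```

The same thing from the command line is `aspnet_regiis -pe "appSettings" -app "/MyApp" -prov DataProtectionConfigurationProvider` (and `-pd` to decrypt), using the aspnet_regiis.exe under %windir%\Microsoft.NET\Framework\v2.0.50727. Worth keeping in mind what this buys: it stops the list being read off disk or out of source control, but any code running as the application pool identity on that machine can still decrypt it, so it is no substitute for restricting who can read web.config.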
 

ireallyneedtoknow2007

thanks for the suggestions - I will use encryption!

 
