Roles and Authentication

trullock

Hi,

I need to control access to certain pages in my site, via the use of
forms based authentication and roles.

Now I've got the pages I want protected by a login form and that's all
working great. However, I need to implement an "access level" system
where once logged in, you can only access certain pages depending on
the roles you have assigned to you.

For example, user Joe can access page A, B and C, but user Bob can
only access page B.
At the moment I'm controlling this by only showing the respective links
on my navigation menu, by doing:

link.visible = user.isinrole("Level 2")

However, you could still access the page by typing in the URL.... So
I've put this at the top of my class definition for each page:

[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "Level 2")]

But when an unauthorized user accesses the page I get a security
exception :(

How do I handle this exception? Am I going about this whole thing the
right way?

Thanks for any advice :)

Andrew
 
Kevin Spencer

Use a SiteMapProvider. It sounds like you are using a RoleProvider to do
your Forms Authentication. A SiteMapProvider can be used to control access
to various directories and pages using roles. It can be used with the Menu
and TreeView Controls to auto-generate menus and tree views that
automatically hide or show the various URLs in your site, and will also
prevent direct access to those folders and pages.

See http://msdn2.microsoft.com/en-us/library/system.web.sitemapprovider.aspx

--
HTH,

Kevin Spencer
Microsoft MVP

Printing Components, Email Components,
FTP Client Classes, Enhanced Data Controls, much more.
DSI PrintManager, Miradyne Component Libraries:
http://www.miradyne.net
 
GroupReader

In the Page_Load of each page, check to see if the user has access to
that page. If not, then redirect them to your "NotAuthorized.html"
page.

There are various ways of setting this up - some more elegant than
others. The main drawback is making sure that your developers
remember to put this check on every page and that it is coded
correctly. You can solve most of that by putting the logic in a "base
page" and having all of your pages derive from that base page. Keep
all roles and access permissions stored in the database instead of
hard-coded in the pages. That way you can build administration pages,
etc. if time permits.

It's *okay* to hide/show/enable/disable buttons and other controls on
the front-end based on roles, etc... but *NEVER* control the access to
your pages with front-end logic. One can *always* and usually easily
bypass front-end logic. You need to do the checking on the SERVER-SIDE.

OKAY, I just re-read your post and it sounds like you know all that
already. How do you handle that SecurityException? Do you have a
default error page set up in your web.config? Can you trap that
error in the Global.asax's Application_Error function?

Hope that helps.
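The base-page check and the Application_Error handler suggested in this answer, written out as an added C# (ASP.NET Web Forms) example that is not code from the thread. The page-to-role table is an in-memory stand-in for the database lookup the answer recommends, and the page paths and NotAuthorized.aspx are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Hypothetical base page: every protected page derives from it, so the
// server-side check cannot be forgotten on an individual page.
public class SecurePage : Page
{
    // Constructed sample standing in for the roles table in the database:
    // app-relative page path -> roles allowed to view that page.
    private static readonly Dictionary<string, string[]> PageRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/PageA.aspx", new[] { "Level 2" } },
            { "~/PageB.aspx", new[] { "Level 1", "Level 2" } },
            { "~/PageC.aspx", new[] { "Level 2" } },
        };

    protected override void OnLoad(EventArgs e)
    {
        // Enforced here, on the server, regardless of which links the menu shows.
        if (!IsAuthorized(AppRelativeVirtualPath, Context.User))
        {
            Response.Redirect("~/NotAuthorized.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        base.OnLoad(e);
    }

    // Deny by default: anonymous users and pages missing from the table are rejected.
    public static bool IsAuthorized(string path, IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        string[] roles;
        if (!PageRoles.TryGetValue(path, out roles))
            return false;
        foreach (string role in roles)
            if (user.IsInRole(role)) return true;
        return false;
    }
}

// Global.asax code-behind: the SecurityException thrown by a failed
// PrincipalPermissionAttribute demand arrives wrapped in HttpUnhandledException.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpUnhandledException && ex.InnerException != null) ex = ex.InnerException;
        if (ex is SecurityException)
        {
            Server.ClearError(); // swallow it and send the user to the friendly page instead
            Response.Redirect("~/NotAuthorized.aspx", false);
        }
    }
}
```

Any pages not derived from SecurePage still fall back to the attribute demand, which the Application_Error handler turns into the same redirect.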