URL Authorization


Leonard Rutkowski

Hi All,
I am trying to write several applications, for external users. They will
use forms authentication to login. My question concerns URL authorization.
Each user will have access to various URLs within the applications,
depending on the user's group/role, which is stored in a SQL Server database.
The database also contains the URL. I will build the user's menu based on
the URLs that user has access to. According to the various articles and
books that I have read, the URL authorization is in the web.config file,
allow user="some user" roles="some roles". This won't work for me, because I
need the roles/groups to be dynamic, as well as the URLs that the user can
access. In the database, there is a table for users, groups, and roles. The
user does not have to belong to a group or a role (but they may). There is a
table for URLs, and a cross reference table between users and URLs. If the
user has access, then I will put it on the menu. I will also check in the
application, to see if the user is authorized. If so, then the user can
access the web page. The same applies to groups and roles.

So what is the best way to implement something like this?

Thanks, Leonard

MattC

Len,

You've almost entirely done it!

What I would do is create a base class that all secure pages derive from.
In the OnInit method, perform a database call that passes in the user's ID and
the page filename (using this.Request.Url.LocalPath or something), then do a
select where the user ID is the ID you passed AND the respective URL in the
row matches the filename you passed in.

Do an ExecuteScalar; if you get DBNull.Value then the page access is a no-no
(redirect away), otherwise let 'em in.

Does that kinda solve your problem?

Lemme know if I have misunderstood at all?

MattC
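The base-class approach MattC describes, written out as an added example (this is not code from the thread or from either poster's application). It assumes .NET 2.0 or later, a connection string named "Security" in web.config, and the table and column names Users, Urls, UserUrls, GroupUrls, RoleUrls, UserGroups and UserRoles, which are assumptions standing in for Leonard's actual schema. Every page that inherits from SecurePage is checked before Page_Load runs, the path and user name go in as parameters rather than being concatenated into the SQL, and an unknown user/URL pair is treated as a refusal:

```vb
' Added example: per-URL authorization from the database in a base Page class.
' Table, column and connection-string names are assumptions; adjust to your schema.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI

Public Class SecurePage
    Inherits Page

    ' One parameterized query that covers direct user grants, group grants and
    ' role grants. It always returns exactly one row (1 or 0), so there is no
    ' DBNull/Nothing case to handle after ExecuteScalar.
    Private Const AuthSql As String = _
        "SELECT CASE WHEN EXISTS (" & _
        "  SELECT 1 FROM Urls u " & _
        "  WHERE LOWER(u.Path) = @path AND (" & _
        "    EXISTS (SELECT 1 FROM UserUrls x JOIN Users usr ON usr.UserId = x.UserId " & _
        "            WHERE x.UrlId = u.UrlId AND usr.UserName = @user) OR " & _
        "    EXISTS (SELECT 1 FROM GroupUrls x JOIN UserGroups ug ON ug.GroupId = x.GroupId " & _
        "            JOIN Users usr ON usr.UserId = ug.UserId " & _
        "            WHERE x.UrlId = u.UrlId AND usr.UserName = @user) OR " & _
        "    EXISTS (SELECT 1 FROM RoleUrls x JOIN UserRoles ur ON ur.RoleId = x.RoleId " & _
        "            JOIN Users usr ON usr.UserId = ur.UserId " & _
        "            WHERE x.UrlId = u.UrlId AND usr.UserName = @user)" & _
        "  )) THEN 1 ELSE 0 END"

    ' Runs before any page logic, so an unauthorized user never reaches Page_Load.
    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        MyBase.OnInit(e)

        ' Forms authentication must have identified the caller first.
        If Not User.Identity.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Return
        End If

        ' Compare on the normalized local path (no query string, lower case),
        ' so "/MyApp/Default.aspx?x=1" matches the stored "/myapp/default.aspx".
        Dim localPath As String = Request.Url.LocalPath.ToLowerInvariant()

        If Not IsAuthorized(User.Identity.Name, localPath) Then
            ' Deny by default: no matching row means no access.
            Response.Redirect("~/AccessDenied.aspx", True)
        End If
    End Sub

    Private Shared Function IsAuthorized(ByVal userName As String, ByVal path As String) As Boolean
        Dim cs As String = ConfigurationManager.ConnectionStrings("Security").ConnectionString
        Using cn As New SqlConnection(cs)
            Using cmd As New SqlCommand(AuthSql, cn)
                ' Parameters, never string concatenation: the path comes from the request.
                cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName
                cmd.Parameters.Add("@path", SqlDbType.NVarChar, 400).Value = path
                cn.Open()
                Return CInt(cmd.ExecuteScalar()) = 1
            End Using
        End Using
    End Function
End Class
```

A page opts in by declaring `Inherits SecurePage` instead of `Inherits System.Web.UI.Page`. Keeping the check in OnInit rather than Page_Load matters because OnInit runs for every request to the page, including postbacks, and a page that forgets to call the check cannot exist, since inheriting the class is the check. The menu can be built from the same three cross-reference tables with a SELECT of the URL rows instead of the EXISTS wrapper.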

Leonard Rutkowski

Hi Matt,
That was what I kind of had in mind. However, I wasn't sure if I should
use the forms identity, and load roles into it. Doing that has its own set
of problems. I just wanted to see if there were any other ideas that I may
have not considered. I am going to create a stored proc that will return
true or false, to see if the user has access to a page, and like you said,
put it on the page. There is some additional user data that I retrieve
from the database that will be used in the various applications. Should I
create a generic principal and use the User data area, or store it in
session variables? This data will go across applications. I am not that
familiar with any of this stuff, as I haven't been doing it long.

Thanks,
Leonard

MattC

Well, I store my user in the session because of other information I need.

However, across applications, you say? Do you mean different web apps? That
will be more difficult; can you elaborate?

Leonard Rutkowski

Hi Matt,
My session variables don't carry over to my application. I login using
/login/login.aspx, for example. I set my session variable, then redirect to
/myapplication/default.aspx. When I check the session variable in
/myapplication/default.aspx, it is empty.

Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
    Dim AppLogin As New AppSecurity
    If AppLogin.Logon(txtClientNo.Text, _
                      txtUsername.Text, txtEmailAddr.Text, txtPassword.Text) Then
        ' Build the forms authentication ticket, encrypt it and set the cookie
        Dim authTicket As New FormsAuthenticationTicket(1, "name", _
            DateTime.Now, DateTime.Now.AddMinutes(60), False, "test")
        Dim encryptedTicket As String = _
            FormsAuthentication.Encrypt(authTicket)
        Dim authCookie As New _
            HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        Context.Response.Cookies.Set(authCookie)
        ' Session value set here is what fails to show up in /myapplication
        Session("UserId") = "Test"
        Response.Redirect("/CustomerService/default.aspx")

        'Response.Redirect(FormsAuthentication.GetRedirectUrl(authTicket.Name, False))
    Else
        lblErrorMsg.Text = "Login is invalid"
    End If
End Sub


Thanks, Leonard

MattC

Are /login and /myapplication set as different web apps in IIS? If so, then
no, you won't be able to carry across, as the session object is fixed per
client session per app domain.

MattC
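Since Session is per application, the thing that does cross the two IIS applications is the forms authentication cookie, which is why Leonard's earlier idea of a GenericPrincipal fits better here than session variables. The following is an added example (not code from the thread): the login page puts the user id and role list into the ticket's UserData, and each application rebuilds a principal from the ticket in Global.asax. It assumes .NET 2.0 or later, that both applications are served over HTTPS, and that both web.config files carry the same forms cookie name and an identical explicit `<machineKey validationKey="..." decryptionKey="..."/>`; without a shared machineKey the second application cannot decrypt what the first one issued. The class and method names are the example's own.

```vb
' Added example: carrying the logged-in user across two IIS applications in the
' forms-authentication ticket instead of Session. Requires both applications to
' share <forms name> and <machineKey> in web.config (assumption).
Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

Public Class CrossAppTicket
    Private Const Separator As Char = "|"c

    ' Call this after AppSecurity.Logon succeeds, in place of Session("UserId").
    Public Shared Sub Issue(ByVal response As HttpResponse, ByVal userName As String, _
                            ByVal userId As Integer, ByVal roles As String())
        ' UserData is encrypted and signed along with the rest of the ticket, so
        ' the receiving application can rely on it, but it travels on every
        ' request: keep it to an id and a short role list.
        Dim userData As String = userId.ToString() & Separator & String.Join(",", roles)
        Dim ticket As New FormsAuthenticationTicket(1, userName, DateTime.Now, _
            DateTime.Now.AddMinutes(60), False, userData)
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName, _
            FormsAuthentication.Encrypt(ticket))
        cookie.Path = "/"        ' default is the issuing application's path only
        cookie.HttpOnly = True   ' keep the ticket out of reach of page script
        cookie.Secure = True     ' assumption: the site is served over HTTPS
        response.Cookies.Add(cookie)
    End Sub

    ' Rebuild the principal in each application's Global.asax:
    '
    '   Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    '       Dim p As IPrincipal = CrossAppTicket.Read(Request)
    '       If p IsNot Nothing Then Context.User = p
    '   End Sub
    '
    ' Returns Nothing when there is no ticket, it cannot be decrypted (tampered,
    ' or issued under a different machineKey) or it has expired.
    Public Shared Function Read(ByVal request As HttpRequest) As GenericPrincipal
        Dim cookie As HttpCookie = request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse String.IsNullOrEmpty(cookie.Value) Then Return Nothing

        Dim ticket As FormsAuthenticationTicket
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return Nothing
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return Nothing

        Return New GenericPrincipal(New FormsIdentity(ticket), ParseRoles(ticket.UserData))
    End Function

    ' "42|Sales,Support" -> {"Sales", "Support"}; "42|" -> empty array
    Public Shared Function ParseRoles(ByVal userData As String) As String()
        Dim parts As String() = userData.Split(Separator)
        If parts.Length < 2 OrElse parts(1).Length = 0 Then Return New String() {}
        Return parts(1).Split(","c)
    End Function

    ' "42|Sales,Support" -> 42
    Public Shared Function ParseUserId(ByVal userData As String) As Integer
        Return Integer.Parse(userData.Split(Separator)(0))
    End Function
End Class
```

Pages in either application then read `User.Identity.Name` and `User.IsInRole("Sales")` as usual, and `ParseUserId(CType(User.Identity, FormsIdentity).Ticket.UserData)` gives the database id for the per-URL check. One consequence worth knowing: roles are captured at login, so a role removed in the database stays in the ticket until it expires, which is a reason to keep the timeout short rather than lengthen it.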

Alex I

'Best solution':
From a stored procedure, return XML with all URLs that the user can access.
In your ASP, retrieve the result with ExecuteXML.
Write XSLT to transform the URLs to menu item HTML.
Assign this menu HTML to the Text property of an asp:Label.
You can also store the retrieved XML in a session variable and check against
it, so as not to query the database.
Alex I
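Alex I's approach, worked out as an added example (not code from the thread): an XSLT turns the per-user XML into menu HTML for the label, and the same XML, kept in Session within one application, answers the per-page question without a second database round trip. The XML shape `<urls><url path="" title=""/></urls>`, the class name and the sample data are this example's own assumptions; the sample XML stands in for what the stored procedure would return through ExecuteXmlReader. Two details are deliberate: `xsl:value-of` escapes `<` and `&` in the stored titles and paths, so a value in the database cannot inject markup into the rendered menu, and the page check compares the request path in code instead of splicing it into an XPath expression.

```vb
' Added example: XML list of allowed URLs -> menu HTML via XSLT, plus a check
' against the cached XML. XML shape and sample data are constructed for the demo.
Imports System
Imports System.IO
Imports System.Xml
Imports System.Xml.Xsl

Public Class UrlMenu
    ' Constructed sample of what the stored procedure would return.
    Public Const SampleXml As String = _
        "<urls>" & _
        "<url path=""/customerservice/default.aspx"" title=""Customer Service""/>" & _
        "<url path=""/orders/list.aspx"" title=""Orders &amp; Returns""/>" & _
        "</urls>"

    ' One <li><a href=path>title</a></li> per url element.
    Private Const MenuXslt As String = _
        "<xsl:stylesheet version=""1.0"" xmlns:xsl=""http://www.w3.org/1999/XSL/Transform"">" & _
        "<xsl:output method=""html""/>" & _
        "<xsl:template match=""/urls"">" & _
        "<ul class=""menu""><xsl:apply-templates select=""url""/></ul>" & _
        "</xsl:template>" & _
        "<xsl:template match=""url"">" & _
        "<li><a><xsl:attribute name=""href""><xsl:value-of select=""@path""/></xsl:attribute>" & _
        "<xsl:value-of select=""@title""/></a></li>" & _
        "</xsl:template>" & _
        "</xsl:stylesheet>"

    ' Compiled once per application; XslCompiledTransform is thread-safe after Load.
    Private Shared ReadOnly MenuTransform As XslCompiledTransform = LoadTransform()

    Private Shared Function LoadTransform() As XslCompiledTransform
        Dim t As New XslCompiledTransform()
        Using r As XmlReader = XmlReader.Create(New StringReader(MenuXslt))
            t.Load(r)
        End Using
        Return t
    End Function

    ' Menu HTML for one user; assign the result to lblMenu.Text.
    Public Shared Function BuildMenuHtml(ByVal urlXml As String) As String
        Dim sw As New StringWriter()
        Using r As XmlReader = XmlReader.Create(New StringReader(urlXml))
            MenuTransform.Transform(r, Nothing, sw)
        End Using
        Return sw.ToString()
    End Function

    ' Per-page check against the XML cached in Session("UrlXml"). The request
    ' path is compared in code rather than embedded in an XPath string, so a
    ' path containing quotes cannot change the query.
    Public Shared Function IsAllowed(ByVal urlXml As String, ByVal requestPath As String) As Boolean
        Dim doc As New XmlDocument()
        doc.LoadXml(urlXml)
        For Each attr As XmlNode In doc.SelectNodes("/urls/url/@path")
            If String.Equals(attr.Value, requestPath, StringComparison.OrdinalIgnoreCase) Then
                Return True
            End If
        Next
        Return False
    End Function
End Class
```

Typical use on a page: `lblMenu.Text = UrlMenu.BuildMenuHtml(CStr(Session("UrlXml")))` for the menu, and `UrlMenu.IsAllowed(CStr(Session("UrlXml")), Request.Url.LocalPath)` in OnInit for the check. Because the list is loaded once at login, a URL revoked in the database is still in the cached XML until the session ends, so refresh it on a short interval if grants change often.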