What is the best approach?

Andrew

Hello, friends,

I implemented Forms Authentication in my asp.net app, it worked fine.
However, now I have another problem:

Although a user can be authenticated, he/she may still not be allowed to
view certain pages and folders. For example, a junior member cannot view
pages for senior members, although he/she can log into the web site. What is
the best approach to do this?

Any reference papers, sample code? Thanks.
 
Dominick Baier [DevelopMentor]

Hello Andrew,

Have a look at the <authorization> element in web.config.
 
Andrew

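<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow rule must come before the catch-all deny. -->
      <allow roles="Admins"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>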

This requires me to "manually" add each new registered member into a
predefined role, say "Junior", "Senior", right?
 
Andrew

That is not good for us:

After a user (a Junior) has registered on my website, he/she should be able to
access all pages, except pages for Senior members, right away.

He/she cannot wait for us to manually add them into a role, because we may
not check new members for days.

Any other automatic ways? Thanks...
 
Joe Kaplan (MVP - ADSI)

This depends on how your roles are being generated and how your identity
lifecycle works. For example, if you store your users in SQL and keep your
role definitions in SQL, then the user would just need to do something that
would trigger their addition to the new role. Then, a new logon should give
them the new role.

If you were using Windows authentication, then the role membership would
come directly from the user's AD groups.

The bottom line is that you can make it work however you want. The key is
getting the users in the right roles and having that data provided to the
forms authentication system. The <authorization> element is just a nice way
to declaratively determine who gets access to what using the built-in
UrlAuthorizationModule.

Joe K.
 
Dominick Baier [DevelopMentor]

Hello Andrew,

Why not add them to a role programmatically upon registration?
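
What Joe Kaplan and Dominick Baier describe in the replies above, as an added example that is not part of the original thread: a new member is put into a role at registration, and the role data is carried in the forms authentication ticket so that UrlAuthorizationModule can evaluate `<allow roles="...">`. The class name `RoleTickets`, its method names, the in-memory role store and the 30-minute ticket lifetime are assumptions for illustration.

```csharp
// Added example, not code from the thread. Role names, the in-memory store
// and all method names here are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTickets
{
    // Constructed stand-in for the SQL role table mentioned in the thread.
    static readonly Dictionary<string, string> RolesByUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Call once when registration succeeds: every new member starts as
    // "Junior" with no manual step. Promotion to "Senior" stays a separate action.
    public static void Register(string userName)
    {
        lock (RolesByUser) { RolesByUser[userName] = "Junior"; }
    }

    // Call after the password check: issue the forms cookie with the user's
    // comma-separated roles stored in the protected ticket's UserData.
    public static void SignIn(HttpResponse response, string userName)
    {
        string roles;
        lock (RolesByUser) { if (!RolesByUser.TryGetValue(userName, out roles)) roles = ""; }
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, roles);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        response.Cookies.Add(cookie);
    }

    // Call from Application_AuthenticateRequest in Global.asax: rebuild the
    // principal with the ticket's roles before URL authorization runs.
    public static void AttachRoles(HttpContext context)
    {
        var identity = context.User == null ? null : context.User.Identity as FormsIdentity;
        if (identity == null) return; // anonymous, or not a forms login
        string[] roles = identity.Ticket.UserData.Split(
            new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
        context.User = new GenericPrincipal(identity, roles);
    }
}
```

Because the roles travel in the ticket, a later change of role takes effect at the member's next logon, which matches Joe's remark that a new logon should give them the new role.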
 
Joe Kaplan (MVP - ADSI)

I think a Google search on "designing role-based authorization .NET" will
get you started. There are also many great books around.

Joe K.
 
Patrick Allmond - Focus Consulting Inc

If you add someone automatically to a role upon registration then I almost
don't even see a need for a role. If everybody gets it there is no need to
deny access to it. So that part of the application would have no authority
checking at all. Almost like creating and maintaining a role called "Every
Single User". If everybody gets that role, what is the point of having the
role?

This may be my ignorance. Feel free to bust me wide open.

Patrick
 
Dominick Baier [DevelopMentor]

Hi,

What's the point of "everyone" or "authenticated users" in Windows??

Management is clearer - when you have a subdir where only registered users
have access you can allow the "user" role - maybe you also have "premium
users" and maybe also other roles - is it easier to make the distinction
between users by looking at their role membership - or do you rather like
to look at users with roles and users without roles...

Well, that's a matter of taste.

I don't think it is unusual to put users into a standard role after registration.
 
