asp.net User.IsInRole check in whole website - asp.net

I'm using ASP.NET with C#.
I want to check whether a user is in a certain Active Directory group.
I'm doing this check:
if (HttpContext.Current.User.IsInRole(ConfigurationSettings.AppSettings["Group"]))
{
}
The thing is: where do I place this code?
The site has several pages and I want the validation to be on all pages.
Do I put this on the master page?
Thanks.

What do you want to do if the user is not in the required role? Depending on the answer to that question, you could:
check it in the Master page
check it in a base Page from which your Page code-behind classes derive
check it in global.asax, for example in the Application_AuthorizeRequest event handler
... etc ...
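The global.asax option, sketched as an added example (not code from the original posts). It assumes Windows authentication, so that `Context.User` carries the Active Directory groups, and it reads the same `Group` appSettings key as the question, using `ConfigurationManager` in place of the obsolete `ConfigurationSettings`. A check placed here covers every request ASP.NET processes, including handlers and pages that do not use the master page, and it denies by default when the setting is missing.

```csharp
// Global.asax.cs (added example; class name and 403 response are assumptions)
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Raised once per request, after authentication has populated Context.User
    // and before any page or handler code executes.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        // "Group" is the appSettings key used in the question,
        // for example DOMAIN\SiteUsers.
        string group = ConfigurationManager.AppSettings["Group"];
        IPrincipal user = Context.User;

        bool allowed = !string.IsNullOrEmpty(group)      // missing setting => deny
            && user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(group);

        if (allowed)
        {
            return;
        }

        // Fail closed: answer 403 and skip the rest of the pipeline,
        // so the requested page or handler never runs.
        Response.StatusCode = 403;
        Response.SuppressContent = true;
        CompleteRequest();
    }
}
```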

Related

ASP.NET MasterPage usage for authorization purposes

I am using master pages for authorization. I have three different user types: Readers, Authors and Admins.
I have a Main.Master which has the fundamental things of my pages. Then I have,
Reader.Master
Author.Master
Admin.Master
These inherit from the Main.Master. I am checking if the user is really logged in (Session is not null) and if the UserType is true in Reader.Master's, Author.Master's and Admin.Master's Page_Init() functions.
First question: Is that a good practice? Please consider that I have zero experience of using other ASP.NET built-in stuff for user management, authorization etc.
Second question: There are some pages like ForgotPassword.aspx which all UserTypes should access the same page. In my structure, I need to create three different pages inherited from three different Master's. How to solve this issue?
To your first question: I use it similarly. I'm not sure if it is a good solution but it works for me.
Second question: You can define ContentPlaceHolder in your master pages.
<asp:ContentPlaceHolder ID="MyId" runat="server" />
In your aspx site you define for each ContentPlaceHolder one Content container.
<asp:Content ContentPlaceHolderID="PageContent" runat="server">
<!-- content for this area -->
</asp:Content>
If you define in your three user type master pages ContentPlaceHolder with the same ID you can use in a page like Forgot.aspx the same content for each master page.
Second question: There are some pages like ForgotPassword.aspx which all UserTypes should access the same page. In my structure, I need to create three different pages inherited from three different Master's. How to solve this issue?
Create User.Master and Guest.Master in the same way and you will have masters for all kinds of users.
User.Master will check only if user is logged in.
Well, authentication in master pages is acceptable, if not the best practice. I have seen many books that start with this kind of tutorial. However, you may face some issues when your website scales; also, handling authentication-related data in places other than pages, like in handlers or global.asax, can be a pain.
However, this kind of authentication will be OK when the scope of the website is limited and you don't require advanced functions.
Regarding your 2nd question: yes, what you are getting is the side effect of the method being used. What you can do is create only one page using any of the three master pages. In that master page, where you are checking for authentication, you get the name of the page, and if the page name is the same as forgot.aspx or whatever, just ignore it and get out of the normal process.
eg
if (System.IO.Path.GetFileName(Request.PhysicalPath).ToLower() == "forgot.aspx")
{
}
else
{
    doauthentication();
}
Just make it a normal webform page without a master page. Users can't log in if they forgot their password; you only need to show them a normal page like the login page.

How can I test a User Control without adding to an ASPX file?

Currently if I want to test a user control, I add my custom tags into an existing .aspx page (or create a new one if I have to), and then view this page in the browser.
Is there a quicker, better way to test User Controls which I'm not aware of?
You cannot run a user control like you would a page. You could create a simple test form for testing it...

How to implement customized home-page for different users?

I have an ASP.Net(VB.Net) project which has various modules/functionality. I want to give users the freedom to set their own default startup page.
I don't know how to get a head-start implementing this feature.
Also, I am NOT using MVC
On the master page, place some control to choose the current page as default (i.e. a button or checkbox). After the user has selected the current page as default, you can store the page address in the user's profile or any storage you like.
Set the site start page like Default.aspx and in the Page_Load method of this page read user's saved default page if exists and redirect to it.
You'd want to set up a way for the User to store their preferred home page in your database (or your preferred method). Once that's done you should be able to do this in a simple fashion:
ASP.NET WebForms:
On the Master Page / Default page, check to see if they're logged in in your Page_Load event.
If they are, check to see if they have a start up page saved, if they do then use Response.Redirect and send them to their preferred location.
If they don't, or aren't logged in, then show them the default page.
ASP.NET MVC:
On the HomeController's Index method check to see if they're logged in.
If they are, check to see if they have a start up page saved, if they do then use RedirectToAction and send them to their preferred location.
If they don't, or aren't logged in, then show them the default view.
There are probably plenty of other ways to accomplish this as well, but this should be a straightforward way to get you started.

Web User Controls, Javascript and Script Managers

Is there a way to only add a script manager to your Web User Control if there is not one already on the page (on the main page or if you are using the Web User Control multiple times)?
Same question about adding javascript files to the page, many times I have controls that add the javascript into the head of the page for the control.
Regarding ScriptManager:
I would use master pages, and include the script manager on your master page. Alternatively, if you have something like Header.ascx which you know is included on every page, you could put it there also.
Regarding javascript files:
Use the ClientScriptManager.RegisterStartupScript method to include javascript on your page. It will not produce duplicates if they share the same key name parameter.
http://msdn.microsoft.com/en-us/library/z9h4dk8y.aspx

How do I best handle role based permissions using Forms Authentication on my ASP.NET web application?

I'm using the ASP.NET Login Controls and Forms Authentication for membership/credentials for an ASP.NET web application.
I've got two roles:
Users
Administrators
I want pages to be viewable by four different groups:
Everyone (Default, Help)
Anonymous (CreateUser, Login, PasswordRecovery)
Users (ChangePassword, DataEntry)
Administrators (Report)
Expanding on the example in the ASP.NET HOW DO I Video Series: Membership and Roles, I've put those page files into such folders:
And I used the ASP.NET Web Site Administration Tool to set up access rules for each folder.
It works but seems kludgy to me and it creates issues when Login.aspx is not at the root and with the ReturnUrl parameter of Login.aspx.
Is there a better way to do this? Is there perhaps a simple way I can set permissions at the page level rather than at the folder level?
A couple solutions off the top of my head.
You could set up restrictions for each page in your web.config file. This would allow you to have whatever folder hierarchy you wish to use. However, it will require that you keep the web.config file up to date whenever you add additional pages. The nice part of having the folder structure determine accessibility is that you don't have to think about it when you add in new pages.
Have your pages inherit from custom classes (i.e. EveryonePage, UserPage, AdminPage, etc.) and put a role check in the Page_Load routine.
One solution I've used in the past is this:
Create a base page called 'SecurePage' or something to that effect.
Add a property 'AllowedUserRoles' to the base page that is a generic list of user roles List or List where int is the role id.
In the Page_Load event of any page extending SecurePage you add each allowed user role to the AllowedUserRoles property.
In the base page override OnLoad() and check if the current user has one of the roles listed in AllowedUserRoles.
This allows each page to be customized without you having to put tons of stuff in your web.config to control each page.
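A variation on the SecurePage idea above, as an added example (not the answerer's code). Because `Page_Load` runs inside `base.OnLoad`, a check in `OnLoad` sees either an empty role list or a page whose own load code has already executed; this sketch instead has each page declare its roles through an abstract property and checks them in `OnInit`. `ReportPage` and the `Administrators` role follow the question; the 403 response is an assumption.

```csharp
// Added example: base page that refuses to run page code without a role match.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;

public abstract class SecurePage : Page
{
    // Abstract on purpose: a page that forgets to declare its roles
    // does not compile, so there is no silently unprotected page.
    protected abstract IEnumerable<string> AllowedUserRoles { get; }

    protected override void OnInit(EventArgs e)
    {
        IEnumerable<string> roles = AllowedUserRoles ?? Enumerable.Empty<string>();

        // An empty list matches nobody, so the default is deny.
        bool allowed = Request.IsAuthenticated
            && roles.Any(role => User.IsInRole(role));

        if (!allowed)
        {
            // Aborts the page lifecycle before Init/Load handlers of the
            // derived page execute; ASP.NET turns this into a 403 response.
            throw new HttpException(403, "Forbidden");
        }

        base.OnInit(e);
    }
}

// Code-behind for a page restricted to the Administrators role.
public class ReportPage : SecurePage
{
    protected override IEnumerable<string> AllowedUserRoles
    {
        get { return new[] { "Administrators" }; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Reached only after the role check in SecurePage.OnInit has passed.
    }
}
```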
In the master page I define a public property that toggles security checking, defaulted to true. I also declare a string that is a ; delimited list of roles needed for that page.
In the page load of my master page I do the following:
if (_secure)
{
    if (Request.IsAuthenticated)
    {
        if (_role.Length > 0)
        {
            if (PortalSecurity.IsInRoles(_role))
            {
                return;
            }
            else
            {
                accessDenied = true;
            }
        }
        else
        {
            return;
        }
    }
}
// do whatever you wanna do to people who don't have access.. bump to a login page or whatever
also you'll have to put
at the top of your pages so you can access the extended properties of your master page
