ASP.NET active directory authentication User.IsInRole - asp.net

I developed an ASP.NET Intranet application. Now I was asked to add authentication for the application - it should be based on Active Directory. The user should not fill in any login or password.
From within ASP.NET C# code I should be able to check something like this:
if (User.IsInRole("MyApplicationReaders"))
{
    doSomething();
}
else if (User.IsInRole("MyApplicationAdmins"))
{
    doSomethingElse();
}
MyApplicationReaders and MyApplicationAdmins are names of Active Directory groups.
Can you please point me to some easy step-by-step tutorial how to achieve this? I failed to find any :-(

Try to search harder.
You have to add the authentication method to the configuration file:
<authentication mode="Windows" />
And also add authorization rules:
<authorization>
    <allow users="DomainName\Bob, DomainName\Mary" />
    <allow roles="BUILTIN\Administrators, DomainName\Manager" />
    <deny users="*" />
</authorization>
See this page for help.
PS: After you add Windows authentication to your app, you will be able to check User.IsInRole for authenticated users. But in some browsers your users will be prompted to enter their Windows credentials.

You can set IIS to authenticate users automatically, but typically you implement your own authorization scheme. In the past, I have used a database to map my AD accounts to application roles/permissions.
In order to use the IsInRole(), you have to populate the User Principal object. The easiest place to do that is in the Global.asax event BeginRequest. Also take a look at creating a Custom Role Provider.
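
The principal replacement described in this answer, as an added example that is not part of the original posts: it swaps in a GenericPrincipal during PostAuthenticateRequest, when the Windows identity is already on the request and URL authorization has not yet run. AppRoleStore and its sample accounts are hypothetical; the dictionary stands in for the database lookup.

```csharp
// Global.asax.cs (added example; AppRoleStore and its contents are hypothetical)
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public static class AppRoleStore
{
    // Constructed sample mapping; in production this would be a database query.
    private static readonly Dictionary<string, string[]> Map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"DomainName\Bob",  new[] { "MyApplicationReaders" } },
            { @"DomainName\Mary", new[] { "MyApplicationReaders", "MyApplicationAdmins" } }
        };

    public static string[] RolesFor(string account)
    {
        string[] roles;
        // Accounts with no mapping get no roles (deny by default).
        return Map.TryGetValue(account, out roles) ? roles : new string[0];
    }
}

public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: leave it to the <authorization> rules

        // Keep the authenticated Windows identity, replace only the role lookup.
        string[] roles = AppRoleStore.RolesFor(current.Identity.Name);
        Context.User = new GenericPrincipal(current.Identity, roles);
    }
}
```

After this runs, both User.IsInRole("MyApplicationAdmins") in page code and allow roles="..." rules in web.config are evaluated against the mapped application roles.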

Related

dynamically allow roles to a page or folder

I am using asp.net webforms. I use a web.config to define what roles can access pages and folders. like this
<system.web>
    <authorization>
        <allow roles="Admin" />
        <deny users="*" />
    </authorization>
</system.web>
How can I do this dynamically, so that without deploying I could add a role, like 'Developer'?
Is there a way I could read these from a database?
Thanks
Not sure what exactly are you asking here...
The authorization cited by you is known as URL Authorization and is provided by a built-in ASP.NET module. This implementation uses the IPrincipal associated with the context (HttpContext.User) to see whether the authenticated user is a member of the configured role. So if you want to have your own arbitrary roles (instead of Windows roles), you can provide your own IPrincipal implementation that would retrieve the assigned roles for the current user from the database (or any other source that you want to use). However, the authorization information will still remain in the configuration file.
In case you want to move the authorization information (who can access what), you can implement your own authorization module. The module can read this information from the database and enforce the access security the way you want.
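
One way to build the authorization module this answer describes (added example, not code from the original post): an IHttpModule that checks the request path against role rules loaded at run time. DbAuthorizationModule, RuleStore and the sample paths are hypothetical; Load() stands in for the database query.

```csharp
// Added example; DbAuthorizationModule and RuleStore are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

public static class RuleStore
{
    // Constructed sample rules: app-relative path prefix -> roles allowed.
    // Replace the body with a (cached) database query.
    public static IDictionary<string, string[]> Load()
    {
        return new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/admin/",   new[] { "Admin" } },
            { "~/reports/", new[] { "Admin", "Developer" } }
        };
    }
}

public class DbAuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath; // "~/admin/x.aspx"

        // Longest matching prefix wins; paths without a rule fall through
        // to whatever web.config already enforces.
        var rule = RuleStore.Load()
            .Where(r => path.StartsWith(r.Key, StringComparison.OrdinalIgnoreCase))
            .OrderByDescending(r => r.Key.Length)
            .FirstOrDefault();
        if (rule.Key == null) return;

        bool signedIn = ctx.User != null && ctx.User.Identity.IsAuthenticated;
        if (signedIn && rule.Value.Any(role => ctx.User.IsInRole(role))) return;

        // 401 asks for credentials, 403 refuses a known user without the role.
        ctx.Response.StatusCode = signedIn ? 403 : 401;
        ctx.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```

The module has to be registered in web.config before it runs; once it is, allowing a new role such as 'Developer' only requires a new entry in the rule store, not a deployment.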

How to prevent the user from downloading anything on my website if he is not registered?

I'm making a project in ASP.NET and I want that if the user is not registered with my site or not logged in, then he/she will not be able to download. If I'm using a session ID then I have to pass it on every link and page, so is there a simple way to accomplish it?
If you're using the ASP.NET stock authentication system, you can just add a tag like this to your <system.web> element in web.config:
<authorization>
    <deny users="?" />
</authorization>
StriplingWarrior's answer will work for all unauthenticated users, but if you are attempting to restrict specific users from doing/viewing specific things on the site (and assuming you are using the ASP.NET membership API to manage users) you can just check User.Identity.IsAuthenticated.

Developing public site using vs 2010, authentication should be?

I'm developing a public web site in VS2010.
Can I keep the authentication as Windows authentication and just enable anonymous access,
or should I leave it with the default forms authentication?
The site will NOT require any type of logging in mechanism... so really I don't see a point in forms authentication, but most users will not have Windows authentication either.
So I am confused: in my ASP.NET web.config file, what authentication do I use for a public website?
I also asked this question which is kind of related: developing site in vs2010 but changed to local IIS and prompts
But I am not having any luck with this :(. The site when using local IIS keeps prompting for a user name and password (see the Stack Overflow question I posted above). I've checked the app pools, the security, and the permissions and it still prompts me for a user name and password. It prompts me about 10 times and if I keep cancelling out of it the page comes up but the images are not displayed nor is the CSS rendered. So it looks like it prompts for each image on the site, but all folders inherit from the parent and I've added Network, Network service, ASPNET user, the default app pool user... I don't know what else to do.
So two issues:
1) What do I specify in my web config for a public site
2) How do I get rid of this prompting!
Thanks
You don't need to specify any authentication. Just deploy it as is, with the Web.Config out of the box.
<authentication mode="None" />
Go here for more reading.
Because it is prompting you with a login dialog, try using an authorization element in your web.config file with any authentication you like. Use "*" to allow access to all users by default. Refer to this article for more detail.
<authorization>
    <allow users="*" />
</authorization>
Your web.config file has two sections that control requests for login. These are
<authentication> ... </authentication>
and
<authorization> ... </authorization>
Authorization controls who can access what, and Authentication determines how the credentials of a particular user are established to see if they have the correct authorization to access your site.
An example of their usage might be
<authorization>
    <allow users="*" />
</authorization>
<authentication mode="Forms">
    <forms loginUrl="login.aspx" timeout="40320" cookieless="UseCookies" slidingExpiration="true" />
</authentication>
which allows access to all users to the root of my applications and their credentials are determined using forms authentication.
Other parts of your site are allowed to have alternate authorization requirements through the use of a location tag in your web.config.
However, neither section is required if no part of your site requires this functionality. However, you should be aware that there are other places that this might be determined. There is a file called machine.config that determines the settings for the machine. Your web.config has priority over the machine.config, but if the authorization and authentication settings are made in the machine.config and not in your web.config then the machine.config wins.
Hope that helps. If you can post your web.config that might help us to point you in the right direction.

prevent pages in web.config according to user member

I am using custom user membership in ASP.NET, so user is an object that contains members. One of the user's members is "IsCompanyAdmin".
I have a few aspx pages for company administrators only.
Is there any way to prevent those pages from non-administrator users using the web.config?
In ASP.NET the standard fare for restricting access to pages in the config is via the Location element.
The following example will restrict anyone except users who are in the Admin role. However, this assumes that you have a RoleProvider configured.
<location path="RestrictedPage.aspx">
    <system.web>
        <authorization>
            <allow roles="Admin" />
            <deny users="*" />
        </authorization>
    </system.web>
</location>
There are several examples of how to implement your own custom role provider, but if you can get away with it, then I would use the built-in SqlRoleProvider.
If I am understanding your problem correctly, you don't have to have a role in the database.
What you can do is, in your CustomRoleProvider GetRolesForUser method, return a string[] that will contain roles depending on your user. The authorization module will be using these roles. So say your property IsCompanyAdmin="true", then you add "Admin" to the string[].
Then the location suggestion provided by Josh should work as if you have an "Admin" role in the database.
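
A read-only role provider along the lines of this answer, as an added example rather than code from the original posts: it derives the "Admin" role from the IsCompanyAdmin flag so that the location rule shown earlier applies. CompanyUser, UserDirectory, FlagRoleProvider and the sample users are hypothetical.

```csharp
// Added example; CompanyUser, UserDirectory and FlagRoleProvider are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

public class CompanyUser { public string Name; public bool IsCompanyAdmin; }

public static class UserDirectory
{
    // Constructed sample users standing in for the custom membership store.
    private static readonly Dictionary<string, CompanyUser> Users =
        new[] { new CompanyUser { Name = "alice", IsCompanyAdmin = true },
                new CompanyUser { Name = "bob",   IsCompanyAdmin = false } }
        .ToDictionary(u => u.Name, StringComparer.OrdinalIgnoreCase);

    public static CompanyUser Find(string name)
    {
        CompanyUser u;
        return name != null && Users.TryGetValue(name, out u) ? u : null;
    }
}

public class FlagRoleProvider : RoleProvider
{
    private const string Admin = "Admin";
    public override string ApplicationName { get; set; }

    // The only role source is the IsCompanyAdmin flag; unknown users get no roles.
    public override string[] GetRolesForUser(string username)
    {
        CompanyUser u = UserDirectory.Find(username);
        return u != null && u.IsCompanyAdmin ? new[] { Admin } : new string[0];
    }
    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }
    public override string[] GetAllRoles() { return new[] { Admin }; }
    public override bool RoleExists(string roleName)
    {
        return string.Equals(roleName, Admin, StringComparison.OrdinalIgnoreCase);
    }

    // Roles are derived, not stored, so the management API is unsupported.
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string m) { throw new NotSupportedException(); }
}
```

The provider takes effect once it is listed under the roleManager element in web.config with roleManager enabled and set as the default provider.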

What code can I use for authentication of users through login control?

Where should I type the authentication code in order to validate the users trying to log in to the website?
I have used the Login control in my website. Also I would appreciate a few examples of code which are generally used in authentication code.
.NET has templates for login pages, password recovery, etc.
Simply google for it or go here:
http://msdn.microsoft.com/en-us/library/ms178329.aspx
http://www.c-sharpcorner.com/UploadFile/sushmita_kumari/Logincontrol101312006002845AM/Logincontrol1.aspx?ArticleID=c33d0072-8f7c-4958-a7dc-ca1809737193
Not 100% sure what you mean. If you're using a Login control they can already authenticate with that.
Do you mean authorization? You need to check users are authorized to access your site if it is restricted to logged in users only. Say you have a part of your site called "importantstuff" that only logged in users can access. i.e. www.yoursite.com/importantstuff/. You would put this in your web.config outside of the <system.web></system.web> tags:
<location path="importantstuff">
    <system.web>
        <authorization>
            <deny users="?" />
            <allow users="*" />
        </authorization>
    </system.web>
</location>
This would prevent unauthenticated users from accessing anything in the "importantstuff" directory.
