Role based security in ASP.NET - asp.net

In my ASP.NET 3.5 application, I have to implement a role-based data update policy on the ASPX pages.
If a user has the least privilege, he can still update some fields but not all, whereas a user with maximum privilege can update all fields on the page.
I was trying to implement this using a generic approach, but I am not sure if .NET has something built in to implement this.
What is the right approach here?

Yes, you will want to utilize ASP.NET Membership. Once you have that in place, you can check roles on a user, like so:
if (Roles.IsUserInRole("User1", "Role1"))
{
    // allow whatever you need to
}

If you are using the ASP.NET membership provider, you can limit the content on the page based on the roles the user is in.
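
An added example (not from the original posts) of the field-level policy the question asks about, written as a Web Forms code-behind: one map says which roles may change which control, and the save handler checks that map again on the server instead of trusting that a field was disabled in the browser. The page class, control IDs, role names and the `SaveField` helper are hypothetical, and it assumes the controls sit directly on the page (no master page) and that role management is enabled.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind; control IDs and role names are assumptions.
public partial class EditCustomer : Page
{
    // Field -> roles allowed to update it (single source of truth).
    private static readonly Dictionary<string, string[]> FieldRoles =
        new Dictionary<string, string[]>
        {
            { "txtPhone",       new[] { "Clerk", "Manager" } },
            { "txtCreditLimit", new[] { "Manager" } }
        };

    private bool CanEdit(string controlId)
    {
        string[] roles;
        // Unknown fields are not editable (fail closed).
        return FieldRoles.TryGetValue(controlId, out roles)
            && roles.Any(r => User.IsInRole(r));
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // UI hint only: lock the fields the current user may not change.
        foreach (string id in FieldRoles.Keys)
        {
            var control = FindControl(id) as WebControl;
            if (control != null) control.Enabled = CanEdit(id);
        }
    }

    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Enforcement: re-check the role on the server before persisting.
        foreach (string id in FieldRoles.Keys)
        {
            var box = FindControl(id) as TextBox;
            if (box != null && CanEdit(id)) SaveField(id, box.Text);
        }
    }

    // Placeholder for the application's own data-access code.
    private void SaveField(string field, string value) { }
}
```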

Related

Implementing Roles in ASP.NET web forms application

This might be a stupid question to ask, but I am kind of confused here. I am working on an ASP.NET web forms application and I need to implement role-based access for users.
This application is working with Active Directory, so there are no login forms or form-based authentication, and I can't use User.Identity to check the roles. I am getting roles from a stored procedure, like 1 for admin and 2 for user, and I want to know if there is a way to implement it generically, like setting some attributes on the controls to show and hide them, instead of implementing if conditions in every form.
I am not sure if I presented my point clearly here or not, but please let me know if you get the idea of what I am trying to say. Thank you.

ASP.NET Login roles?

I need to secure my website without using the ASP.NET built-in login controls or Forms Authentication.
It needs to support "normal" users and admin users.
Any suggestion? Thanks
Well, it's impossible to build anything in ASP.NET without a tag = )
I can't tell exactly what you are asking, so I will try to go over the whole groundwork.
ASP.NET Provides Different Authentication Models
You can use ASP.NET's built in authentication with Membership and Roles
You can write your own ASP.NET membership model
You can use another ASP.NET authentication model, such as Shibboleth, Windows/IIS, and others, see JD's post.
You can skip all of these and use your own "authentication", perhaps it is stored as a simple Session variable
ASP.NET Provides Different Controls
There is a handy Login control that integrates with ASP.NET's built-in membership, making things very easy.
If you don't want to use that, you can simply use ASP TextBoxes, Buttons, etc, and basically create your own login form.
In addition to JD's and rlb.usa's posts, you can also use OpenID or Windows Live ID authentication, perhaps. Both of these have membership providers for ASP.NET. Check out Codeplex for those; however, if you want a truly customizable solution, perhaps it's best for you to use, as rlb.usa pointed out, a simple session variable solution.
Perhaps you want to use Windows Authentication (rather than Forms Authentication) with ASP.NET? You should choose Windows authentication if your user accounts are maintained by a domain controller or within Active Directory and there are no firewall issues. I think this is what you are after. Here's a decent write up.
Umm, a quick response is for you to check out the authentication features provided by IIS. These include Kerberos, NTLM, Basic Auth, just to name a few.

ASP.NET - UserType-wise page access

Suppose I have 3 kinds of users and their accessible pages in my ASP.net application are as follows:
(1) User Type-A {Default.aspx, a.aspx, b.aspx and c.aspx},
(2) User Type-B {Default.aspx, d.aspx, e.aspx and f.aspx},
(4) Admin {Default.aspx and g.aspx}.
Here Default.aspx is my Login-page.
I am using Membership Provider and Forms authentication technique.
Now I need to block access of one type of user to the pages assigned for other type users.
How should I configure my Web.config file?
And what kind of C# code should be used?
Role management in asp.net may help you in this case. Please check this article.
You may have to customize this as per your specific requirement. Hope this helps.
Role Manager in ASP.NET
Each of User-Type will be associated with Roles.
We have a similar requirement, and make use of the Patterns and Practices Web Client Software Factory. Basically it assists you in creating modules, and allowing you to specify per-page access levels in config based on Role / User details.
You might try using the roleship provider and web.sitemap.

Determine if user can access database generated page?

I have Membership, Profile and Role providers setup for my .NET MVC website. I would like to say: this Role has access to that Page.
How do I 'inject' this code to the RoleProvider? Or do I have to override it somehow? Any leads?
(Roles are stored in the default ASP.NET SqlRoleProvider, Pages are stored in a separate SQL database).
Why would you inject this into the role provider? Why not just decorate the ActionResult with [Authorize(Roles="myrole")]?
I understand that your pages are in the database but the action result still needs to call the view, right?
I guess you could write your own custom attribute which can check and either grant access or deny it.
I don't think the role provider is the right place for determining whether a page can be displayed or not.
Take a look at using sitemaps under asp.net. It is VERY easy to manage and to extend.
I have even used them as the datasource for a menu system.
Once in your page, you can do something like:
User.IsInRole("RoleName")
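
An added example (not from the original posts) of the custom attribute suggested above for pages whose role assignments live in a database: it subclasses the MVC `AuthorizeAttribute` and denies the request unless the user holds one of the roles stored for the requested page. The `IPageRoleStore` interface, the static `Store` property and the `{id}` route segment are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical lookup: which roles may open a database-defined page.
public interface IPageRoleStore
{
    IEnumerable<string> GetRolesForPage(string pageKey);
}

public class PageAuthorizeAttribute : AuthorizeAttribute
{
    // Assumption: assigned once at application start.
    public static IPageRoleStore Store { get; set; }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Assumption: the route has an {id} segment naming the page.
        // Per-request data goes in HttpContext.Items, not in instance fields.
        filterContext.HttpContext.Items["pageKey"] =
            Convert.ToString(filterContext.RouteData.Values["id"]);
        base.OnAuthorization(filterContext);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: the request must be authenticated.
        if (!base.AuthorizeCore(httpContext)) return false;

        var pageKey = httpContext.Items["pageKey"] as string;
        // Fail closed when the page or the store is unknown.
        if (string.IsNullOrEmpty(pageKey) || Store == null) return false;

        var roles = Store.GetRolesForPage(pageKey)
                    ?? Enumerable.Empty<string>();
        // Allow only if the user holds one of the roles stored for the page.
        return roles.Any(role => httpContext.User.IsInRole(role));
    }
}
```

Applied as `[PageAuthorize]` on the action that renders database pages, this keeps the page-to-role decision out of the role provider, as the answer recommends.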

ASP.NET Login page

I want to add login for registered users in my website. How shall I proceed with it? Is it through the use of sessions? What will happen to the Session variable once the logout happens??
Your question is extremely broad and there are many different ways that you can implement what is, in effect, a "membership" system for an ASP.NET website.
I would suggest that you start by reading the "Introduction to Membership" article from MSDN. This article will give you an overview of how ASP.NET membership works in the most "standard" way.
It also mentions using the various ASP.NET membership "controls" (Login, LoginView, LoginStatus & PasswordRecovery for example).
Using these controls along with the built-in ASP.NET membership providers (for example, ASP.NET provides a SQL membership provider to work against SQL Server as the data store for your user accounts and credentials) will allow you to implement a complete membership and authentication system with virtually no code at all (i.e. all the functionality is provided by the built-in "membership" controls and declarative mark-up).
Finally, a really good series of articles on this subject is:
Examining ASP.NET 2.0's Membership, Roles, and Profile
from the 4guysfromrolla site. It starts at the very beginning of the membership topic and goes right the way through to touching on the implementation of a custom membership provider and administrative interface for managing user credentials to round out the whole subject.
I'd take a look at related questions, such as
Login Membership .NET
This topic is already covered quite a lot on SO.
Session state and log in are somewhat orthogonal. You have a session regardless of whether or not you are logged in.
You should use the provided Login control and Membership system.
About Session vars, nothing special will happen. ASP.NET forms authentication does not use SessionState by default.
I would recommend using forms authentication with perhaps a custom backend using IIdentity and IPrincipal. There's lots of information available on how to do this, but I think this link forms a good starting point: http://msdn.microsoft.com/en-us/library/aa480476.aspx
