dynamically allow roles to a page or folder - asp.net

I am using asp.net webforms. I use a web.config to define what roles can access pages and folders. like this
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
How can I do this dynamically, so that without deploying I could add a role like 'Developer'?
Is there a way I could read these from a database?
thanks

Not sure what exactly you are asking here...
The authorization cited by you is known as URL Authorization and is provided by a built-in ASP.NET module. This implementation uses the context-associated IPrincipal (HttpContext.User) to check whether the authenticated user is a member of a configured role. So if you want to have your own arbitrary roles (instead of Windows roles), you can provide your own IPrincipal implementation that retrieves the assigned roles for the current user from the database (or any other source that you want to use). However, the authorization information will still remain in the configuration file.
If you want to move the authorization information (who can access what) as well, you can implement your own authorization module. The module can read this information from the database and enforce access security the way you want.
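The custom authorization module described in the answer above, written out as an added example (this is not code from the original question or answer). It runs in the same AuthorizeRequest stage as the built-in UrlAuthorizationModule, loads path-to-role rules from a database table and denies the request unless HttpContext.User is in one of the listed roles. The class names (DbAuthorizationModule, AuthRule), the table name PathRoles, its columns, and the connection string name "AuthDb" are assumptions for this illustration; the roles themselves still come from whatever principal or RoleProvider populates HttpContext.User.

```csharp
// Added example, not from the original post. Assumed names: DbAuthorizationModule,
// AuthRule, table PathRoles(Path, Roles) and connection string "AuthDb".
using System;
using System.Collections.Generic;
using System.Configuration;          // needs a reference to System.Configuration.dll
using System.Data.SqlClient;
using System.Linq;
using System.Web;
using System.Web.Caching;

public sealed class AuthRule
{
    // App-relative path. Folder rules must end with "/" ("~/admin/"), otherwise
    // "~/admin" would also match "~/administrators/...".
    public string Path;
    public string[] Roles;   // roles allowed for that path; empty means nobody
}

public sealed class DbAuthorizationModule : IHttpModule
{
    private const string CacheKey = "DbAuthorizationModule.Rules";

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after the authentication modules have set context.User.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpContext ctx = app.Context;

        // Already canonicalised by ASP.NET, e.g. "~/Admin/Users.aspx".
        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;

        // Longest matching prefix wins, so "~/admin/public/" can override "~/admin/".
        AuthRule rule = LoadRules(ctx)
            .Where(r => path.StartsWith(r.Path, StringComparison.OrdinalIgnoreCase))
            .OrderByDescending(r => r.Path.Length)
            .FirstOrDefault();

        if (rule == null)
            return;   // no database rule: web.config authorization still applies

        bool allowed = ctx.User != null
                       && ctx.User.Identity.IsAuthenticated
                       && rule.Roles.Any(role => ctx.User.IsInRole(role));

        if (!allowed)
        {
            // A 401 is what the built-in module emits on deny; FormsAuthenticationModule
            // turns it into a redirect to the login page.
            ctx.Response.StatusCode = 401;
            ctx.Response.SuppressContent = true;
            app.CompleteRequest();
        }
    }

    private static IList<AuthRule> LoadRules(HttpContext ctx)
    {
        var cached = ctx.Cache[CacheKey] as IList<AuthRule>;
        if (cached != null)
            return cached;

        var rules = new List<AuthRule>();
        string cs = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Path, Roles FROM PathRoles", conn))
        {
            conn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                while (rd.Read())
                {
                    rules.Add(new AuthRule
                    {
                        Path = rd.GetString(0),
                        Roles = rd.GetString(1)
                                  .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
                                  .Select(s => s.Trim())
                                  .ToArray()
                    });
                }
            }
        }

        // Short cache: a role added to the table takes effect within 30 s, no redeploy.
        ctx.Cache.Insert(CacheKey, rules, null,
                         DateTime.UtcNow.AddSeconds(30), Cache.NoSlidingExpiration);
        return rules;
    }
}

// Register under <system.webServer><modules> (IIS 7 integrated mode):
//   <add name="DbAuthorization" type="DbAuthorizationModule, YourAssembly" />
```

Keep a baseline `<deny users="?" />` in web.config as well: the module only tightens access where a row exists, so an unlisted path is governed by the static rules rather than silently open. In classic pipeline mode static files never reach this module, so the rules protect .aspx and other ASP.NET-handled requests only.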

Related

IIS 7.5 and making anonymous authentication/forms authentication play nicely together

I've got an ASP.NET MVC 4 application that I run under the site level of an IIS web site.
So the dir structure looks like this:
\IIS
\Site
\bin
\Content
\Views
The MVC 4 app uses Forms Authentication via Username and Password, but I have a requirement to lock down the full site and turn off anonymous authentication at the IIS level.
The goal of this requirement is to allow users only to land on a home page and logon page. The problem is if I turn off anonymous authentication then users can't even get to home or login.
Another thing: we want to prevent a user from being able to go to /Content/Scripts/MyScript.js in their browser.
I'm using bundling so those files are there and don't get used by me besides when I bundle things up.
Is this even possible since IIS and MVC 4 auth are at completely different levels? If it is possible what options do I have?
Chris Pratt's answer is correct. You can successfully turn off anonymous authentication and let MVC 4 handle all of that for you.
Make sure in your web.config you have the following
<modules runAllManagedModulesForAllRequests="true"></modules>
In your system.webserver section.
Another thing you can do is make use of the location tags in IIS to prevent user access to different parts of the site.
For example, you could put this in your web.config
<location>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
This ensures that only authenticated users can access the site. You can then further refine this.
<location path="External">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
Basically, now any request to /External will be allowed for all users (regardless of authentication). You will probably want to put all your scripts in here that you need unauthenticated users to access.
If there was a specific directory you didn't want anyone to access, you could do something like
<location path="Content/Scripts">
<system.web>
<authorization>
<deny users="*" />
</authorization>
</system.web>
</location>
Now any access to that location will be prevented by default in IIS. Give that a try, it should satisfy your requirement to have the scripts available for bundling, but not accessible if someone browses directly to it.
I only halfway got what I wanted, but here is what I ended up doing. I have anonymous authentication enabled at the site level and used Forms authentication for specific controllers. This was how I originally had it so nothing changed here.
Since I am using bundles the users never really need to look at the .js so I used Request Filtering by file extension to block any .js and even .css I don't want exposed.
This works because the bundling doesn't make http requests to those files and the bundles themselves don't have the normal JavaScript and CSS file extensions.
You don't handle this at the IIS-level. You simply allow Anonymous Auth and then add [Authorize] to every controller. Then only on your home and login actions add the attribute [AllowAnonymous].
As to the second part of your question, you can't really stop this. MVC bundles on the fly, so it needs the actual files to be there. If they're never referenced, though, they're black holes: the user would have no way of knowing what file to request, so it's kind of security by obscurity.
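The "[Authorize] everywhere, [AllowAnonymous] on home and login" approach from the answer above, as an added example (not Chris Pratt's code). Instead of remembering to decorate every controller, it registers AuthorizeAttribute as a global filter so the default is deny and only the opted-out actions are anonymous; MVC 4's AuthorizeAttribute honours [AllowAnonymous]. HomeController, AccountController and the view/form field names are assumed.

```csharp
// Added example, not from the original post. Assumed names: FilterConfig,
// HomeController, AccountController and the userName/password/returnUrl fields.
using System.Web.Mvc;
using System.Web.Security;

public static class FilterConfig
{
    // Called from Application_Start: FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        // Default-deny: a new controller that forgets [Authorize] is still protected.
        filters.Add(new AuthorizeAttribute());
    }
}

public class HomeController : Controller
{
    [AllowAnonymous]                 // the landing page anyone may see
    public ActionResult Index() { return View(); }

    public ActionResult Dashboard()  // covered by the global filter
    {
        return View();
    }
}

public class AccountController : Controller
{
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]       // the view must render @Html.AntiForgeryToken()
    public ActionResult Login(string userName, string password, string returnUrl)
    {
        if (Membership.ValidateUser(userName, password))
        {
            FormsAuthentication.SetAuthCookie(userName, false);

            // Only follow local return URLs; an absolute returnUrl would be an
            // open redirect off the site after a successful login.
            if (Url.IsLocalUrl(returnUrl))
                return Redirect(returnUrl);
            return RedirectToAction("Index", "Home");
        }

        ModelState.AddModelError("", "Invalid user name or password.");
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

With this in place anonymous authentication stays enabled in IIS, as the answer says, and the only anonymous surface is Home/Index and Account/Login; everything else answers with the forms-authentication redirect.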

ASP.NET active directory authentication User.IsInRole

I developed an ASP.NET Intranet application. Now I was asked to add authentication for the application - it should be based on Active Directory. The user should not fill in any login or password.
From within ASP.NET C# code I should be able to check something like this:
if (User.IsInRole("MyApplicationReaders"))
{
doSomething();
}
else if (User.IsInRole("MyApplicationAdmins"))
{
doSomethingElse();
}
MyApplicationReaders and MyApplicationAdmins are names of Active Directory groups.
Can you please point me to some easy step-by-step tutorial how to achieve this? I failed to find any :-(
Try to search harder.
You have to add the authentication method to the configuration file:
<authentication mode="Windows" />
And also add authorization rules:
<authorization>
<allow users="DomainName\Bob, DomainName\Mary" />
<allow roles="BUILTIN\Administrators, DomainName\Manager" />
<deny users="*" />
</authorization>
See this page for help.
PS: After you add Windows authentication to your app you will be able to check User.IsInRole for authenticated users. But in some browsers your users will be prompted to enter their Windows credentials.
You can set IIS to authenticate users automatically, but typically you implement your own authorization scheme. In the past, I have used a database to map my AD accounts to application roles/permissions.
In order to use the IsInRole(), you have to populate the User Principal object. The easiest place to do that is in the Global.asax event BeginRequest. Also take a look at creating a Custom Role Provider.

How to prevent the user from download anything on my website if he is not registered?

I'm making a project on ASP.NET and I want that, if the user is not registered with my site or not logged in, then he/she will not be able to download. If I'm using a session ID then I have to pass it on every link and page, so is there a simple way to accomplish it?
If you're using the ASP.NET stock authentication system, you can just add a tag like this to your <system.web> element in web.config:
<authorization>
<deny users="?" />
</authorization>
StriplingWarrior's answer will work for all unauthenticated users but if you are attempting to restrict specific users from doing/viewing specific things on the site (and assuming you are using the ASP.NET membership API to manage users) you can just check User.Identity.IsAuthenticated
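An added example for the answers above (not code from either answerer): the `<deny users="?" />` rule only applies to requests that ASP.NET handles, so a .pdf or .zip sitting in a web folder is still served by IIS's static file handler in classic mode (or when managed modules do not run for all requests). A more robust pattern is to keep the files under App_Data, which IIS refuses to serve directly, and hand them out through a handler that checks User.Identity.IsAuthenticated. Links then need no session ID; the forms-authentication cookie carries the login. The handler name, the App_Data/Downloads folder and the "file" query parameter are assumptions.

```csharp
// Added example, not from the original post. Assumed: DownloadHandler.ashx,
// the folder ~/App_Data/Downloads and the query parameter "file".
using System;
using System.IO;
using System.Web;

public class DownloadHandler : IHttpHandler
{
    public void ProcessRequest(HttpContext ctx)
    {
        // Same check the web.config <deny users="?"/> performs, but here it is
        // enforced for the file itself, not just for the page that links to it.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;   // FormsAuthenticationModule redirects to the login page
            return;
        }

        string root = Path.GetFullPath(ctx.Server.MapPath("~/App_Data/Downloads"));
        string requested = ctx.Request.QueryString["file"] ?? "";

        // Reduce the request to a bare file name, then prove the resolved path is
        // still inside the store, so "..\web.config" style input cannot escape it.
        string fileName = Path.GetFileName(requested);
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        bool insideStore = full.StartsWith(root + Path.DirectorySeparatorChar,
                                           StringComparison.OrdinalIgnoreCase);

        if (fileName.Length == 0 || !insideStore || !File.Exists(full))
        {
            ctx.Response.StatusCode = 404;   // do not reveal whether the path existed
            return;
        }

        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + fileName.Replace("\"", "") + "\"");
        ctx.Response.TransmitFile(full);     // streams without loading the file into memory
    }

    public bool IsReusable
    {
        get { return true; }
    }
}

// Pages link to the file as: <a href="DownloadHandler.ashx?file=report.pdf">report.pdf</a>
```

If a specific user may only fetch specific files, this is also where that check goes: look up the caller's permitted file names (or ownership) before the File.Exists test, rather than relying on the URL being unguessable.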

prevent pages in web.config according to user member

I am using custom user membership in asp.NET so user is an object that contains members. One of the user's members is "IsCompanyAdmin".
I have a few aspx pages for company administrators only.
Is there any way to block those pages for non-administrator users using the web.config?
In ASP.Net the standard fare for restricting access to pages in the config is via the Location element.
The following example will restrict access to anyone except users who are in the Admin role. However, this assumes that you have a RoleProvider configured.
<location path="RestrictedPage.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
There are several examples of how to implement your own custom role provider, but if you can get away with it, then I would use the built in SqlRoleProvider.
If I am understanding your problem correctly, you don't have to have a role in database.
What you can do is, in your CustomRoleProvider GetRolesForUser method, return a string[] that will contain roles depending on your user. The authorization module will be using these roles. So say your property IsCompanyAdmin="true", then you add "Admin" to the string[].
Then the location suggestion provided by Josh should work as if you had an "Admin" role in the database.
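The custom RoleProvider sketched in the answer above, as an added example (not code from the answerers). GetRolesForUser derives the roles from the user object's IsCompanyAdmin flag, so `<allow roles="Admin" />` in a location element works without a roles table; the same provider shape also serves the earlier Active Directory answer, which maps accounts to application roles from a database, since the username passed in is then the Windows identity name (DOMAIN\user). AppUser, UserRepository, the role names "Admin" and "User", and the sample users are assumptions; the repository is a constructed in-memory stand-in for the real membership store.

```csharp
// Added example, not from the original post. Assumed names: AppUser, UserRepository,
// FlagRoleProvider and the roles "Admin" / "User".
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

public class AppUser
{
    public string UserName { get; set; }
    public bool IsCompanyAdmin { get; set; }
}

public static class UserRepository
{
    // Constructed sample data standing in for the real membership store.
    private static readonly Dictionary<string, AppUser> Users =
        new Dictionary<string, AppUser>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new AppUser { UserName = "alice", IsCompanyAdmin = true } },
            { "bob",   new AppUser { UserName = "bob",   IsCompanyAdmin = false } },
        };

    public static AppUser Find(string userName)
    {
        AppUser user;
        return userName != null && Users.TryGetValue(userName, out user) ? user : null;
    }
}

public class FlagRoleProvider : RoleProvider
{
    private static readonly string[] AllRoles = { "Admin", "User" };

    public override string ApplicationName { get; set; }

    // This is the only method URL authorization really needs.
    public override string[] GetRolesForUser(string username)
    {
        AppUser user = UserRepository.Find(username);
        if (user == null)
            return new string[0];             // unknown user: no roles, so deny by default
        return user.IsCompanyAdmin ? new[] { "Admin", "User" } : new[] { "User" };
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override bool RoleExists(string roleName)
    {
        return AllRoles.Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles() { return (string[])AllRoles.Clone(); }

    // Membership is derived from the user record, so it cannot be edited through the provider.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
}

// web.config:
// <roleManager enabled="true" defaultProvider="FlagRoleProvider" cacheRolesInCookie="false">
//   <providers><clear /><add name="FlagRoleProvider" type="FlagRoleProvider, YourAssembly" /></providers>
// </roleManager>
```

cacheRolesInCookie is left off on purpose: with the cookie cache on, a user whose IsCompanyAdmin flag is cleared keeps the "Admin" role until the role cookie expires, whereas this provider re-reads the flag on every request.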

ASP.Net Roles: Page-Level Security Question

We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to.
We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access.
A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.
Have you looked at ASP.Net Membership for this yet? It takes care of all of the scenarios you listed above (trimming menus, page security) and in a very easy to use manner.
See here for more information about membership - http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx.
Are you using built-in membership?
If so, you can use the location section of your web.config file to restrict access to individual pages or entire directories. From MSDN:
The following example allows an anonymous user to access the Logon.aspx page:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>
