prevent pages in web.config according to user member - asp.net

I am using custom user membership in asp.NET so user is an object that contains members. One of the user's members is "IsCompanyAdmin".
I have a few aspx pages for company administrators only.
Is there any way to prevent those pages from non-administrator users using the web.config?

In ASP.Net the standard fare for restricting access to pages in the config is via the Location element.
The following example will restrict anyone except users who are in the Admin role. However, this assumes that you have a RoleProvider configured.
<location path="RestrictedPage.aspx">
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
</location>
There are several examples of how to implement your own custom role provider, but if you can get away with it, then I would use the built-in SqlRoleProvider.

If I am understanding your problem correctly, you don't have to have a role in the database.
What you can do is, in your CustomRoleProvider's GetRolesForUser method, return a string[] that will contain roles depending on your user. The authorization module will be using these roles. So say your property IsCompanyAdmin="true"; then you add "Admin" to the string[].
Then the location suggestion provided by Josh should work as if you have an "Admin" role in the database.
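An added example (not code from either answer above) of the read-only RoleProvider the second answer describes: GetRolesForUser derives the role list from the user's IsCompanyAdmin flag, so the `<allow roles="Admin"/>` location rule works with no role table at all. The CompanyUser and UserStore types are hypothetical stand-ins for the poster's custom membership object, and the web.config registration in the leading comment is an assumption.

```csharp
// web.config (assumed): <roleManager enabled="true" defaultProvider="CompanyRoles">
//   <providers><add name="CompanyRoles" type="CompanyRoleProvider" /></providers></roleManager>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Hypothetical stand-in for the poster's custom membership user object.
public class CompanyUser { public string UserName; public bool IsCompanyAdmin; }

// Constructed in-memory store; the real one reads the application's membership data.
public static class UserStore
{
    public static readonly CompanyUser[] All =
    {
        new CompanyUser { UserName = "alice", IsCompanyAdmin = true },
        new CompanyUser { UserName = "bob",   IsCompanyAdmin = false },
    };
    public static CompanyUser Find(string name) =>
        All.FirstOrDefault(u => string.Equals(u.UserName, name, StringComparison.OrdinalIgnoreCase));
}

// Roles are derived from user properties, so the provider is read-only:
// the mutating members throw rather than silently succeed.
public class CompanyRoleProvider : RoleProvider
{
    private static readonly string[] KnownRoles = { "User", "Admin" };
    public override string ApplicationName { get; set; }

    // UrlAuthorizationModule's <allow roles="Admin"/> check ends up here.
    public override string[] GetRolesForUser(string userName)
    {
        CompanyUser user = UserStore.Find(userName);
        if (user == null) return new string[0];   // unknown user: no roles, so denied
        return user.IsCompanyAdmin ? new[] { "User", "Admin" } : new[] { "User" };
    }
    public override bool IsUserInRole(string userName, string roleName) =>
        GetRolesForUser(userName).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    public override bool RoleExists(string roleName) =>
        KnownRoles.Contains(roleName, StringComparer.OrdinalIgnoreCase);
    public override string[] GetAllRoles() => (string[])KnownRoles.Clone();
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) =>
        UserStore.All.Where(u => IsUserInRole(u.UserName, roleName) && u.UserName.Contains(usernameToMatch))
                     .Select(u => u.UserName).ToArray();
    public override string[] GetUsersInRole(string roleName) => FindUsersInRole(roleName, "");
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}
```

Because an unknown or null user name yields an empty role array, the `<deny users="*"/>` rule in the location block is what applies to anyone the store does not recognise.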

Related

ASP.NET active directory authentication User.IsInRole

I developed an ASP.NET Intranet application. Now I was asked to add authentication for the application - it should be based on Active Directory. The user should not fill in any login or password.
From within ASP.NET C# code I should be able to check something like this:
if (User.IsInRole("MyApplicationReaders"))
{
doSomething();
}
else if (User.IsInRole("MyApplicationAdmins"))
{
doSomethingElse();
}
MyApplicationReaders and MyApplicationAdmins are names of Active Directory groups.
Can you please point me to some easy step-by-step tutorial on how to achieve this? I failed to find any :-(
Try to search harder.
You have to add to configuration file authentication method:
<authentication mode="Windows" />
And also add authorization rules:
<authorization>
<allow users="DomainName\Bob, DomainName\Mary" />
<allow roles="BUILTIN\Administrators, DomainName\Manager" />
<deny users="*" />
</authorization>
See this page for help.
PS: After you add Windows authentication to your app you will be able to check User.IsInRole for authenticated users. But in some browsers your users will be prompted to enter their Windows credentials.
You can set IIS to authenticate users automatically, but typically you implement your own authorization scheme. In the past, I have used a database to map my AD accounts to application roles/permissions.
In order to use the IsInRole(), you have to populate the User Principal object. The easiest place to do that is in the Global.asax event BeginRequest. Also take a look at creating a Custom Role Provider.

dynamically allow roles to a page or folder

I am using asp.net webforms. I use a web.config to define what roles can access pages and folders. like this
<system.web>
<authorization>
<allow roles="Admin" />
<deny users="*" />
</authorization>
</system.web>
how can I do this dynamically? so without deploying I could add a role, like 'Developer'
Is there a way I could read these from a database?
thanks
Not sure what exactly you are asking here...
The authorization cited by you is known as URL Authorization and is provided by an in-built ASP.NET module. This implementation uses the context-associated IPrincipal (HttpContext.User) to see if the authenticated user is a member of the configured role. So if you want to have your own arbitrary roles (instead of Windows roles), you can provide your own IPrincipal implementation that would retrieve the assigned roles for the current user from the database (or any other source that you want to use). However, the authorization information will still remain in the configuration file.
In case you want to move the authorization information (who can access what) as well, then you can implement your own authorization module. The module can read this information from the database and enforce the access security the way you want.
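An added example (not from the answer above) of the custom-principal approach it describes, which is also the "populate the User Principal object in Global.asax" suggestion made in the Active Directory thread earlier on this page: once the authentication module has identified the user, Context.User is replaced with a GenericPrincipal whose roles come from a database, so the web.config `<allow roles=.../>` rules keep working unchanged. The UserRoles table, the "Roles" connection string and the Global class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Global.asax code-behind. Hooks PostAuthenticateRequest: the identity is known
// by then, and UrlAuthorizationModule (AuthorizeRequest stage) has not yet run.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return;   // anonymous: leave untouched so <deny users="?"/> still applies

        string[] roles = RoleLookup.ForUser(current.Identity.Name);
        // Same identity, database-sourced roles. Setting Context.User also sets
        // Thread.CurrentPrincipal, so User.IsInRole() in pages sees the new roles.
        Context.User = new GenericPrincipal(current.Identity, roles);
    }
}

public static class RoleLookup
{
    // Assumed schema: UserRoles(UserName nvarchar(256), RoleName nvarchar(256)).
    public static string[] ForUser(string userName)
    {
        var roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["Roles"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE UserName = @user", conn))
        {
            // Parameterised: the user name never becomes part of the SQL text.
            cmd.Parameters.Add("@user", System.Data.SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Add(reader.GetString(0));
        }
        return roles.ToArray();   // empty array = authenticated but holds no roles
    }
}
```

This queries the database on every request; if that cost matters, cache the role array per user name with a short expiry. As the answer notes, which roles may reach which page is still decided by web.config unless a custom authorization module is written as well.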

ASP.NET Active Directory Nested Authorization Issue

I'm working on an internal ASP.NET application that uses an Active Directory distribution list for managing who has access to the web site.
However, due to the fact that this distribution list could contain both users and groups, I had to develop a solution for checking to see if the current user is able to access this site (e.g. They could be in a group that is a part of this distribution list). The default Windows authentication mode does not support this type of hierarchical structure.
My question is how can I ensure that every resource in this web site can only be accessed by those who are in this distribution list? I am currently using a custom attribute applied to every page that checks the user's credentials and redirects to a 'No Access' page if they are not a member of the DL. However, I'm thinking that there must be a better way to do this that doesn't require me to use the attribute on every page which is created for this site?
Any help is appreciated!
The simplest fix to avoid duplication without changing the underlying authentication scheme: instead of using it on every page, you could hook into the Session_Start event and store the authentication value there, and check this value on an appropriate event of your master page if you have one. (Again, this is least effort and an answer directed at your direct question.)
Update (Response to Comment)
To manage permissions for a group use the following xml block. Note that this will do what you mentioned in your comment on the other answer: this will block image files, etc... too.
<authorization>
<allow roles="domain\group"/>
<deny users="*"/>
</authorization>
Original
The best way is to stick to the native options: Why not use the Membership Provider? The ASP.Net membership provider can handle all of this for you. You can specify which groups can access which pages/directories using web.config files no sweat.
Check out these links for further guidance on implementing the Active Directory membership provider:
http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx
http://blogs.msdn.com/b/gduthie/archive/2005/08/17/452905.aspx
This XML shows how you can configure your web.config, once you are using the membership provider, so that it allows/denies permission to files and folders (I got this from http://support.microsoft.com/kb/316871):
<configuration>
<system.web>
<authentication mode="Forms" >
<forms loginUrl="login.aspx" name=".ASPNETAUTH" protection="None" path="/" timeout="20" >
</forms>
</authentication>
<!-- This section denies access to all files in this application except for those that you have not explicitly specified by using another setting. -->
<authorization>
<deny users="?" />
</authorization>
</system.web>
<!-- This section gives the unauthenticated user access to the Default1.aspx page only. It is located in the same folder as this configuration file. -->
<location path="default1.aspx">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
<!-- This section gives the unauthenticated user access to all of the files that are stored in the Subdir1 folder. -->
<location path="subdir1">
<system.web>
<authorization>
<allow users ="*" />
</authorization>
</system.web>
</location>
</configuration>
I ended up rolling my own security class for checking to see if the currently logged in Active Directory user has access.
I used the GroupPrincipal.GetMembers function in the System.DirectoryServices.AccountManagement namespace. This overloaded method, which takes a boolean value, can be used to search for users recursively (satisfying my groups-within-groups issue).
The security class is a Singleton, and the list of allowed Active Directory users is stored inside the Singleton to keep this access check fast. I chose a Singleton to ensure that there was only 1 copy of this list on the server. I stored the list of allowed users as a SortedDictionary, which increased look-up speed greatly.
When a user who does not exist tries to access the site, the original user lookup will come back negative. At this point, the security class refreshes the users list, saving the timestamp of this refresh to the list of allowed users. The method ensures that this refresh is done at most once every 10 minutes to prevent users from hammering the site (and keeping the site responsive for other users).
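An added example (not the poster's own class) of the design just described: a singleton holding the recursively expanded membership of one distribution list in a SortedDictionary, refreshed on a lookup miss but at most once every 10 minutes. The group name is a placeholder; callers pass the sAMAccountName part of User.Identity.Name (the text after the backslash).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

public sealed class SiteAccessList
{
    // Placeholder: the sAMAccountName of the distribution list that gates the site.
    public static readonly SiteAccessList Instance = new SiteAccessList("SITE-ACCESS-DL");
    private static readonly TimeSpan MinRefreshInterval = TimeSpan.FromMinutes(10);

    private readonly string _groupName;
    private readonly object _sync = new object();
    // user sAMAccountName -> time it was loaded; O(log n) lookups, case-insensitive keys.
    private SortedDictionary<string, DateTime> _allowed =
        new SortedDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    private DateTime _lastRefresh = DateTime.MinValue;

    private SiteAccessList(string groupName) { _groupName = groupName; }

    public bool IsAllowed(string samAccountName)
    {
        if (string.IsNullOrEmpty(samAccountName)) return false;
        lock (_sync)
        {
            if (_allowed.ContainsKey(samAccountName)) return true;
            // Miss: the user may have just been added. Refresh, but no more often than
            // every 10 minutes so repeated denied requests cannot hammer the domain.
            if (DateTime.UtcNow - _lastRefresh < MinRefreshInterval) return false;
            Refresh();
            return _allowed.ContainsKey(samAccountName);
        }
    }

    // Caller holds _sync. Builds a fresh list and swaps it in; if the group cannot
    // be resolved the list becomes empty, so the site fails closed rather than open.
    private void Refresh()
    {
        var fresh = new SortedDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
        DateTime now = DateTime.UtcNow;
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var group = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, _groupName))
        {
            if (group != null)
                // recursive: true expands groups nested inside the distribution list
                using (PrincipalSearchResult<Principal> members = group.GetMembers(true))
                    foreach (Principal p in members)
                        if (p is UserPrincipal) fresh[p.SamAccountName] = now;
        }
        _allowed = fresh;
        _lastRefresh = now;
    }
}
```

A single check in the master page's Page_Load (or in Global.asax) of the form `SiteAccessList.Instance.IsAllowed(name)` followed by a redirect to the 'No Access' page then replaces the per-page attribute.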

ASP.Net Roles: Page-Level Security Question

We're currently in the process of re-creating a brand new security model that dwarfs our existing process. Right now, we plan on grabbing a user's roles during the login process and then using a Base Page class to check if the user has the role of the corresponding page the user is navigating to.
We can limit the menu's options by the user's roles as well, but we have had problems with users navigating to pages in our system by typing them in or having old bookmarks. Obviously, we need some sort of page level access.
A simple function in our Base Page class that checks the role in the Arraylist against the page's assigned role would work, but I was wondering if there was any built-in functionality to support this or a cleaner solution possibly.
Have you looked at ASP.Net Membership for this yet? It takes care of all of the scenarios you listed above (trimming menus, page security) and in a very easy to use manner.
See here for more information about membership - http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx.
Are you using built-in membership?
If so, you can use the location section of your web.config file to restrict access to individual pages or entire directories. From MSDN:
The following example allows an anonymous user to access the Logon.aspx page:
<configuration>
<location path="Logon.aspx">
<system.web>
<authorization>
<allow users="?"/>
</authorization>
</system.web>
</location>
</configuration>

What code can I use for authentication of users through login control?

Where should I type the authentication code in order to validate the users trying to log in to the website?
I have used the login control in my website. Also, I would appreciate a few examples of code which is generally used in authentication code.
.net has templates for login pages, password recovery, etc.
simply google for it or go here:
http://msdn.microsoft.com/en-us/library/ms178329.aspx
http://www.c-sharpcorner.com/UploadFile/sushmita_kumari/Logincontrol101312006002845AM/Logincontrol1.aspx?ArticleID=c33d0072-8f7c-4958-a7dc-ca1809737193
Not 100% sure what you mean. If you're using a Login control they can already authenticate with that.
Do you mean authorization? You need to check users are authorized to access your site if it is restricted to logged in users only. Say you have a part of your site called "importantstuff" that only logged in users can access. i.e. www.yoursite.com/importantstuff/. You would put this in your web.config outside of the <system.web></system.web> tags:
<location path="importantstuff">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
</location>
This would prevent unauthenticated users from accessing anything in the "importantstuff" directory.