.NETGURU
Form Authentication and Roles
This message was discovered on ASPFriends.com 'aspngsec' list.


Wolfgang Baeck
Hi,

I have users with three different levels of authorization, each level will
give them access to a specific sub folder of the web. Ideally, higher levels
of authorization will include authorization to all lower level folders.

I can not use Windows Authentication.

What are my options to simulate roles with form authentication?

- different cookies for different roles
- role stored in session
- etc.

I'm particularly interested in solutions that do not require me to check the
authorization level on every page.

Thanks

Wolfgang

Daniel Kent
You can add roles support to forms authentication very easily. The forms
authentication API allows us to add information to the encrypted
authentication ticket that is stored as a cookie between requests. We just
then need to extract the roles with each request and populate Context.User
with a GenericPrincipal object that contains the roles.

Here is some code for this part, taken from part of an example the
forthcoming Professional ASP.NET Security (Out in August from Wrox):

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // check that the request has been authenticated
    if (Request.IsAuthenticated)
    {
        // get the roles stored in the ticket's UserData (semicolon separated)
        string[] roles =
            ((FormsIdentity)Context.User.Identity).Ticket.UserData.Split(';');

        // create a new principal carrying those roles
        GenericPrincipal newPrincipal =
            new GenericPrincipal(Context.User.Identity, roles);

        // add the principal to the context
        Context.User = newPrincipal;
    }
}

I hope this helps,

Dan.
(Currently working on Professional ASP.NET Security for Wrox)

-----Original Message-----
From: Wolfgang Baeck [mailto:Click here to reveal e-mail address]
Sent: 17 June 2002 14:16
To: aspngsec
Subject: [aspngsec] Form Authentication and Roles

| [aspngsec] member Click here to reveal e-mail address = YOUR ID
| http://www.asplists.com/asplists/aspngsec.asp = JOIN/QUIT
| http://www.asplists.com/search = SEARCH Archives
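Daniel's snippet shows only the reading side of the pattern. The following is an added example (not code from the list posts or from the Wrox book) that shows the issuing side as well: the login page writes the user's roles into the encrypted FormsAuthenticationTicket's UserData, and Application_AuthenticateRequest re-reads them on every request. It also answers Wolfgang's "higher levels include lower levels" wish by expanding a single level into all roles at or below it, so per-folder authorization rules only ever have to name one role. The role names level1/level2/level3, the helper class name RoleTicketHelper, and the lblMessage/loginForm controls on the login page are assumptions constructed for this example; everything else is standard System.Web.Security API.

```csharp
// Added example, not from the original posts. Assumes classic ASP.NET (System.Web)
// with <authentication mode="Forms"> configured at the application root.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicketHelper
{
    // Constructed role names, ordered lowest to highest. A user at level N is
    // granted every role at or below N, so a folder's <allow roles="levelN"/>
    // automatically admits every higher level as well.
    private static readonly string[] Levels = { "level1", "level2", "level3" };

    // "level3" -> { "level1", "level2", "level3" }
    public static string[] ExpandLevel(string highestLevel)
    {
        int idx = Array.IndexOf(Levels, highestLevel);
        if (idx < 0)
            throw new ArgumentException("unknown level: " + highestLevel, "highestLevel");
        string[] roles = new string[idx + 1];
        Array.Copy(Levels, roles, idx + 1);
        return roles;
    }

    // Called by the login page AFTER the password has been verified.
    // The roles travel inside the ticket, which is encrypted and signed with the
    // machineKey (protection="All"), so the browser cannot edit UserData.
    public static HttpCookie CreateTicketCookie(string userName, string highestLevel, bool persistent)
    {
        string userData = string.Join(";", ExpandLevel(highestLevel));
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(30),    // expires
            persistent,
            userData,                       // "level1;level2;level3"
            FormsAuthentication.FormsCookiePath);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep script away from the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL from web.config
        if (persistent)
            cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // The reading side, equivalent to the handler in Daniel's post.
    public static void AttachRoles(HttpContext context)
    {
        if (context.Request.IsAuthenticated && context.User.Identity is FormsIdentity)
        {
            FormsIdentity id = (FormsIdentity)context.User.Identity;
            string[] roles = id.Ticket.UserData.Split(';');
            context.User = new GenericPrincipal(id, roles);
        }
    }
}

// --- Global.asax.cs -------------------------------------------------------
// protected void Application_AuthenticateRequest(object sender, EventArgs e)
// {
//     RoleTicketHelper.AttachRoles(HttpContext.Current);
// }

// --- Login.aspx.cs --------------------------------------------------------
// Page_Load: an already-authenticated user only lands on the login page when
// URL authorization denied the folder named in ReturnUrl, so explain that
// instead of silently showing the form again (Martin's point later in the thread).
// if (Request.IsAuthenticated)
// {
//     string target = Request.QueryString["ReturnUrl"] ?? "that page";
//     lblMessage.Text = "Your account does not have access to " + Server.HtmlEncode(target) + ".";
//     loginForm.Visible = false;   // lblMessage/loginForm are assumed controls
//     return;
// }
//
// After the password check succeeds (highestLevel comes from the user store):
// Response.Cookies.Add(RoleTicketHelper.CreateTicketCookie(userName, highestLevel, false));
// Response.Redirect(FormsAuthentication.GetRedirectUrl(userName, false));
```

Two caveats worth keeping in mind with this design: the roles are frozen inside the ticket until it expires, so a user whose level is lowered keeps the old roles until the next login unless you re-issue the ticket; and the whole scheme rests on the ticket being tamper-proof, which means leaving `<forms protection="All">` (the default) in place and sharing the machineKey across servers in a web farm.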

Wolfgang Baeck
Daniel,

Thanks, got me in the right direction.

Wolfgang

-----Original Message-----
From: Daniel Kent [mailto:Click here to reveal e-mail address]
Sent: Monday, June 17, 2002 7:37 AM
To: aspngsec
Subject: [aspngsec] RE: Form Authentication and Roles

Martin O'Keefe
You can enforce non-Windows, role-based (Forms-based) security at the directory level by placing a web.config file in the sub directory. This will negate the need for role membership checking in the Page_Load event on each page.

This uses the same mechanisms as the ibuyspy portal global.asax ('Portal', www.ibuyspy.com) to maintain roles per user in a cookie and then apply a generic security principal.

Repeating machine-wide settings (e.g. <authentication>) in your web.config raises an exception.

A sample web.config is provided below.

If required, you will need to include logic that advises authenticated users that they do not have sufficient permissions to access a given resource, probably a mix of URL checking for authenticated users and a parameter-based override on the redirect to the config-defined LoginUrl (I have to do this myself later). If this is not included, the user will be redirected to the LoginUrl without any clear reason, and continued input of a correct username and password will still see the LoginUrl displayed.

Hope this provides the answer you sought,

Martin.

Sample
---------------------------------
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="LicenseKey" value="fjigldjmf-feekfeef-fmiifgfii-heedkge" />
  </appSettings>

  <system.web>

    <!-- DYNAMIC DEBUG COMPILATION
         Set compilation debug="true" to insert debugging symbols (.pdb information)
         into the compiled page. Because this creates a larger file that executes
         more slowly, you should set this value to true only when debugging and to
         false at all other times. For more information, refer to the documentation about
         debugging ASP.NET files.
    -->
    <compilation defaultLanguage="vb" debug="false" />

    <!-- CUSTOM ERROR MESSAGES
         Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
         Add <error> tags for each of the errors you want to handle.
    -->
    <customErrors mode="RemoteOnly" />

    <!-- AUTHENTICATION
         This section sets the authentication policies of the application. Possible modes are "Windows",
         "Forms", "Passport" and "None"
    -->

    <!-- <identity impersonate="true" /> -->

    <!-- AUTHORIZATION
         This section sets the authorization policies of the application. You can allow or deny access
         to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
         (unauthenticated) users.
    -->
    <authorization>
      <allow roles="admin"/>
      <deny users="?"/>
      <deny users="*"/>
      <!-- Allow all users -->
      <!-- <allow users="[comma separated list of users]"
                  roles="[comma separated list of roles]"/>
           <deny users="[comma separated list of users]"
                 roles="[comma separated list of roles]"/>
      -->
    </authorization>

    ..........

  </system.web>

</configuration>
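Martin's sample protects one sub folder for one role. As an added example (not Martin's configuration, not from the IBuySpy portal) here is the same idea applied to Wolfgang's three-level layout, written with `<location>` elements in the root web.config, which ASP.NET treats exactly like a web.config placed in each sub folder. The folder names and the role names level1/level2/level3 are constructed for this example and assume the roles were expanded into the ticket so that a level-3 user also carries level1 and level2; the alternative for a ticket that carries only one role is shown in the comment.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <!-- <authentication> is only legal at the machine or application root;
         repeating it in a sub folder's web.config raises a configuration
         error, which is the point Martin makes above. -->
    <authentication mode="Forms">
      <forms name=".LEVELAUTH" loginUrl="Login.aspx" protection="All" timeout="30" />
    </authentication>

    <!-- Pages outside the three folders are public; each folder tightens this. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top to bottom and the first match wins, so the
       <allow> for the folder's role must come before the catch-all <deny>.
       An anonymous user hitting the <deny users="*"/> is sent to loginUrl;
       an authenticated user without the role is sent there too, which is
       why the login page should check Request.IsAuthenticated and explain
       the refusal rather than re-display the form. -->
  <location path="level1">
    <system.web>
      <authorization>
        <allow roles="level1" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="level2">
    <system.web>
      <authorization>
        <allow roles="level2" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="level3">
    <system.web>
      <authorization>
        <!-- If the ticket holds only the user's own level instead of the
             expanded list, name every level that should get in here:
             <allow roles="level3" /> for this folder, and for level1
             <allow roles="level1,level2,level3" />, etc. -->
        <allow roles="level3" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the checks live in configuration, no page under these folders needs its own role test: URL authorization runs before the page handler is even created, and it reads the roles from whatever principal Application_AuthenticateRequest placed in Context.User.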

Martin O'Keefe
Sorry, had to retype my last post and forgot to retype:

You will need to replace the current security principal using the global.asax as per the ibuyspy 'Portal' -> http://www.ibuyspuy.com

Rgds,

 Copyright © ExamGuru, Inc. 2001-2006