Re: authorization not working correctly...
From: Max Favilli - Dammela.it (max@dammela.it)
Date: 12/25/02
- Next message: Kim Bach Petersen: "Re: Session Problem..."
- Previous message: Khan Imran: "Session Problem..."
- In reply to: Lorne Brinkman: "Re: authorization not working correctly..."
- Next in thread: The DeyWalker: "Re: authorization not working correctly..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Max Favilli - Dammela.it" <max@dammela.it> Date: Wed, 25 Dec 2002 02:20:03 -0800
Hi Lorne, a question,
you suggest storing the role data in the server cache as the best solution
to reduce bandwidth and security risks, but doesn't that load the server?
Is the additional load less relevant than that of encrypted cookies? Since I
recently made my forms authentication encrypted and I noticed how performance
has been affected...
Thanks,
Max
"Lorne Brinkman" <Lorne@TheRemoveObjectRemoveGuy.com> wrote in message
news:8BKN9.12281$P36.241930@twister.rdc-kc.rr.com...
> Actually, I need to correct myself... the AcquireRequestState does happen
> too late to set the roles for a user. I use that event in order to set up a
> dependency by which I can detect the end of a Session -- for cleaning up
> cached roles.
>
> In any case, check out the stuff I've made available online:
> www.TheObjectGuy.com/rolebasedsecurity
>
> - Lorne
>
>
> "Lorne Brinkman" <Lorne@TheRemoveObjectRemoveGuy.com> wrote in message
> news:_qKN9.12279$P36.243530@twister.rdc-kc.rr.com...
> > The AcquireRequestState event does not happen too late in the process.
> > I think your problem is simply one of ordering... first use allow, then
> > deny, as in:
> >
> > <allow roles="Administrators" />
> > <deny users="*" />
> >
> > Also, take a look at the HttpModule implementation for handling role-based
> > security that I've made available at www.TheObjectGuy.com/rolebasedsecurity
> >
> > - Lorne
> >
> >
> > "Howard Dierking" <h.dierking@geac.com> wrote in message
> > news:eQDnMQqqCHA.1080@TK2MSFTNGP10...
> > > I have an admin subfolder of my web application. In my config file, I have
> > > the following block...
> > >
> > > <location path="admin">
> > > <system.web>
> > > <authorization>
> > > <deny users="*"/>
> > > <allow roles = "Administrators"/>
> > > </authorization>
> > > </system.web>
> > > </location>
> > >
> > > I have an HttpModule that hooks into the AcquireRequestState event in the
> > > processing pipe and restores the roles for a user from the session cache.
> > >
> > > As you can guess, this current configuration is not working. When the deny
> > > element is in the config file, no users can access the admin subfolder, and
> > > when it is not there, all users can access the subfolder.
> > >
> > > My guess is either 1) I am missing something in the config files or 2) the
> > > AcquireRequestState event happens too late in the processing pipe and the
> > > flag for the FormsAuthenticationModule indicating success or failure has
> > > already been set. The only problem if my issue is #2 is that I would like
> > > to cache this data, so if this is the problem, further suggestions as to a
> > > caching strategy would also be helpful.
> > >
> > > TIA,
> > >
> > > _howard
> > >
> > >
> >
> >
>
>
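
Added example, not part of the original thread or of any poster's code: a simplified Python model of the two effects discussed above, rule order in the `<authorization>` block and the pipeline event at which roles are restored. It assumes first-match rule evaluation, an inherited machine-level `<allow users="*"/>` default, and that the authorization check runs at AuthorizeRequest, before AcquireRequestState; the user names are constructed.

```python
# Simplified model of ASP.NET URL authorization: rules are checked top to
# bottom and the first rule that matches the user decides the outcome.
INHERITED = [("allow", "users", "*")]  # assumed machine-level default rule

def matches(rule, user, roles):
    _, kind, value = rule
    if kind == "users":
        return value == "*" or value == user
    return value in roles  # kind == "roles"

def authorize(rules, user, roles):
    """Return True if the first matching rule is an allow."""
    for rule in rules + INHERITED:
        if matches(rule, user, roles):
            return rule[0] == "allow"
    return False

# Pipeline order: the authorization check runs at AuthorizeRequest, which
# comes after AuthenticateRequest and before AcquireRequestState.
PIPELINE = ["AuthenticateRequest", "AuthorizeRequest", "AcquireRequestState"]

def request(rules, user, stored_roles, restore_at):
    """Run one request; roles are attached at the event named restore_at."""
    roles, allowed = [], None
    for event in PIPELINE:
        if event == restore_at:
            roles = stored_roles  # the module restores cached roles here
        if event == "AuthorizeRequest":
            allowed = authorize(rules, user, roles)
    return allowed

# The three configurations from the thread, as (action, kind, value) rules.
DENY_FIRST = [("deny", "users", "*"), ("allow", "roles", "Administrators")]
ALLOW_ONLY = [("allow", "roles", "Administrators")]
ALLOW_FIRST = [("allow", "roles", "Administrators"), ("deny", "users", "*")]

# Constructed sample users: (name, roles held in the role store).
ADMIN = ("alice", ["Administrators"])
GUEST = ("bob", [])

if __name__ == "__main__":
    configs = [("deny first", DENY_FIRST), ("allow only", ALLOW_ONLY),
               ("allow first", ALLOW_FIRST)]
    for name, rules in configs:
        for at in ("AcquireRequestState", "AuthenticateRequest"):
            result = [request(rules, u, r, at) for u, r in (ADMIN, GUEST)]
            print(f"{name:11} roles at {at:19} admin/guest = {result}")
```

In this model only allow-then-deny combined with roles attached at AuthenticateRequest admits the administrator and rejects everyone else; the other combinations reproduce the "nobody" and "everybody" outcomes described in the original question.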