Re: Role-based security in webforms

From: brian (brian_at_nospamforbrianmoylan.info)
Date: 05/21/03


Date: Tue, 20 May 2003 23:33:13 +0100


Hi Jackie

Put the roles as a comma or other separated string in your AuthCookie
"UserInfo" space when you issue it (it's that part in creating your
authcookie that is usually left as ""!). You can then grab it out in
AuthenticateRequest in global.asax, split your string, and add each role as
an IPrincipal. Then just check "IsInRole" for the user when attempting to
run the secure code. You may want to make clients check for updated roles
every couple of requests, or where you know they have updated roles.

Brian

"jackie" <jackie_ol@hotmail.com> wrote in message
news:06fa01c31df8$1fe879d0$a301280a@phx.gbl...
> Hi all!
> I use role-based security in my web app. System works
> like this:
> User comes to login page of the app and provides his/her
> username and password. The roles user belongs to are
> retrieved from the database and stored in a generic
> principal object I create for the current thread. I use
> declarative security checks using
> PrincipalPermissionAttribute class, applying this
> attribute to all methods that must be secure.
> My problem is:
> Although I associate the generic principal with current
> thread, when I use Response.Redirect method, the
> principal associated with the current thread seems to
> disappear, and so users receive security exception. So I
> use Server.Transfer whenever I want to redirect users,
> but this doesn't seem to be a solution at all. There must
> be some other way, I think. Any ideas?
>
> Thanks in advance.
>


