RE: Authentication in ASP.NET: best practice?
From: Nick Hertl (nickhertlONLINE_at_google.microsoft.com)
Date: 11/19/03
- Next message: will eichert: "archives anywhere for this newsgroup?"
- Previous message: Cy Huckaba: "Re: Application_AuthenticateRequest"
- In reply to: Nick Hertl: "RE: Authentication in ASP.NET: best practice?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 Nov 2003 22:19:41 GMT
Shoot... it looks like I've deleted those files. But just try creating new
web.config files in the subdirectories with the settings that you want to
override. It will tell you about it and throw an error if it doesn't like
your configuration. And if it doesn't complain, try logging in and see
what all you can access. I remember I figured this one out by brail with
some help from my trusty ASP.NET unleashed book by Walther.
This posting is provided "AS IS" with no warranties, and
confers no rights.
Please do not send e-mail directly to this alias. This
alias is for newsgroup purposes only.
Thanks
Nick
--------------------
>I don't believe that your web.config must be global to the project. Try
>creating a subdirectory for your project and put a second web.config in
>there. Some settings cannot be overridden and it doesn't make sense to
put
>them in both locations, but the authentication and authorization stuff is
>ok I think.
>
>You will want the root to allow anonymous access, but then for any of the
>pages that are restricted and in your second folder, the web.config will
>notice that you marked that one as needing authentication and redicect to
>the login.aspx page you specified unless they are already logged in.
>
>I've done this before but don't have the project in front of me anymore to
>send you my config files, but give that a try.
>
>-----------
>
>This posting is provided "AS IS" with no warranties, and
>confers no rights.
>
>Please do not send e-mail directly to this alias. This
>alias is for newsgroup purposes only.
>
>Thanks
>Nick
>
>>I'd like to poll for some best practices about ASP.NET application
>>security.
>>
>>Here's what it's about:
>>I wanna develop an ASP.NET web application with VS.NET 2003. This
>>application consists of some pages which are available for anonymous
>>users and some that are NOT available for anonymous users (i.e. need
>>authentication).
>>
>>To achieve this I set the web.config <authentication>-tag to <forms
>>...> and <deny users="?"> in the <authorization>-tag. This will
>>redirect every unkown user to my login-form. To allow anonymous users
>>browse to the other pages (which don't need authentication) I made a
>>second project. Here the <authorization>-tag in the web.config stated
>><allow users="*">
>>
>>But, since my application is not really big I thought this is too much
>>work (i.e. creating two projects); since I only need authentication
>>for half of my ASP.NET pages. Maybee there is another way. I was
>>thinking of making a new login-form where I set an attribute in the
>>session state. Then in every page which needs authentication, I check
>>if this attribute is set in the page_load. If not so, redirect the
>>user to the login-form. To logout the user can either close the
>>browser of I redirect them to a form where the can sign-out (which
>>will delete the session attribute).
>>
>>Please share your thoughts about this. Maybe their are even (!) better
>>idea's.
>>
>>Kind regards,
>>
>>Jules Hoppenbrouwers
>>
>>< Don't reply by email. Use this forum instead.>
>>
>
>
- Next message: will eichert: "archives anywhere for this newsgroup?"
- Previous message: Cy Huckaba: "Re: Application_AuthenticateRequest"
- In reply to: Nick Hertl: "RE: Authentication in ASP.NET: best practice?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
