Re: Best approach for database/windows authentication integration?
From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/15/04
- In reply to: Steve: "Best approach for database/windows authentication integration?"
Date: Thu, 15 Jan 2004 09:35:25 -0600
Since you are currently using Windows authentication, you might consider
putting your users into different domain groups and using
Context.User.IsInRole to determine whether a user is in a certain group or
not.
From there, you can decide whether to render the page or show an error. You
can also use the allow and deny tags in the authorization section of your
web.config to restrict access to specific pages.
If you want to switch to Forms authentication, you can do this and still
take advantage of the same mechanism. The disadvantage is that your code is
then responsible for building the IPrincipal object that goes in the
Context.User property and populating the user's role information. With
Windows authentication, this is all done for you.
However, you may have a compelling reason to switch to Forms auth (like if
you can't create the domain groups you need or cannot maintain them the way
you would like to).
There are lots of good sample documents on this topic in MSDN.
Joe K.
"Steve" <stephenmcnabb@yahoo.co.uk> wrote in message
news:9b1a4bb8.0401150407.43bd75b5@posting.google.com...
> We have an ASP.NET application that consists of about 10 forms and we
> want to be able to control which user has access to which pages. So
> User A should be able to access pages 3, 4 and 10, and User B should
> be able to access pages 1, 2 and 9 etc. We also want to be able to
> maintain these rules using a set of maintenance tables e.g. add pages,
> groups, users and set up which groups have access to which pages.
>
> At the moment we are going down the path of creating a set of classes
> to integrate the security in to the front-end, with each page having a
> call at the top of the page that passes in the page name and the
> user's login name and the object will return either True or False as
> to whether they can access the page or not.
>
> The application is currently set up with Anonymous Access off and Basic
> Authentication & Integrated Windows Authentication turned on, so that
> we can get the user's login name for database auditing purposes.
>
> However, I've read bits and pieces on the built-in form authentication
> in ASP.NET and I would like to take advantage of it if it will handle
> the scenario I have described.
>
> We don't require a user to log in, aside from the standard IE
> authentication login, and we want to display a custom message if they
> don't have access to the particular page they are trying to access.
> The most important thing is that the security must be driven by our
> maintainable database tables.
>
> Is there a feature of ASP.NET that allows us to handle this with
> minimal custom code? Or maybe there's a better ASP.NET way of handling
> this?
>
> Thanks for any assistance you can give me.
>
> Steve
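
The web.config approach from the reply above, as an added example that is not part of the original posts; the page names and the CONTOSO\PageGroupA and CONTOSO\PageGroupB group names are hypothetical. It shows why rule order matters: ASP.NET reads authorization rules top-down, stops at the first match, and falls back to an inherited allow-all default, so an allow rule only restricts access when a deny-all follows it.

```xml
<configuration>
  <system.web>
    <!-- Windows authentication: ASP.NET fills Context.User with the domain
         identity and group membership, so no custom IPrincipal code. -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Baseline for every page: reject anonymous requests. -->
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- WEAK (shown for contrast, left commented out): an allow rule alone
       restricts nothing. No rule here matches users outside the group, so
       evaluation falls through to the inherited default, which allows
       everyone.
  <location path="Page3.aspx">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\PageGroupA" />
      </authorization>
    </system.web>
  </location>
  -->

  <!-- CORRECTED: the allow comes first and a deny-all closes the list, so
       only members of the (hypothetical) group reach the page. -->
  <location path="Page3.aspx">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\PageGroupA" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- One location element per restricted page. -->
  <location path="Page1.aspx">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\PageGroupB" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A request refused by these rules gets an HTTP 401 response rather than a custom page, so showing a custom "no access" message is a case for the Context.User.IsInRole check in page code.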