Re: Authentication from Active Directory and Database based user d

No, that's not necessary. If you use the forms authentication provider, you
get to specify the user's role(s), so the roles used in the authorization
elements can be the roles from your db rather than AD groups.


"Jono Jones" <jonojones78@xxxxxxxxxxxxxxxxx> wrote in message
news:E30E04C1-31C1-45B7-B6F5-FFA77DB482CE@xxxxxxxxxxxxxxxx
Hi Nicole,

Thanks for this. I'll give it a go.

My only worry is that I can't set roles in active diretory, I only have
roles in my database. So I guess I need to test for permission on a page
and
redirect using transfer if I you have no permission?

Jono


"Nicole Calinoiu" wrote:

"Jono Jones" <jonojones78@xxxxxxxxxxxxxxxxx> wrote in message
news:8B5090E8-60FA-40C0-AFD0-59D29B86D2CC@xxxxxxxxxxxxxxxx
Hi again,

Not sure if the system.web\location options would give me what I need.
When
coding jsp struts I'm sure there was a tag you placed around a control
that
checked for access permision before displaying it (e.g. an admin
button).
Note sure how to use system.web\location to check for users in the
database
(e.g. user can view this page if logged and AND has right to view
page).

If you configure IIS to only use Windows integrated authentication for
your
application, you don't need to worry if the user is "logged in" since it
won't be possible for users to anonymously access the site. Therefore,
you'll only need to worry about authorization based on assigned roles.
The
location elements can take care of this at the page level. e.g. (only
authorization elements shown):

<configuration>
<system.web>
<authorization>
<allow roles="Admins" />
<deny users="*" />
</authorization>
</system.web>
<location path="SomeFile.aspx">
<system.web>
<authorization>
<allow roles="Admins, RoleA, RoleB" />
<deny users="* "/>
</authorization>
</system.web>
</location>
</configuration>

If you're using fx 2.0, you can use the LoginView control for controlling
if
or how data is displayed based on user roles. There is no built-in
mechanism for handling within-page section suppression based on roles in
fx
1.x. You could write code to hide elements that shouldn't be shown on a
one-off basis, but that could get tedious pretty quickly if you have a
lot
of these. A somewhat more elegant approach would be to create a
container
control that would do this for you based on a list of allowed users or
roles.


Any help much appreciated. If anyone has any other options that have
worked
well for them?

Jono

"Nicole Calinoiu" wrote:

What sort of details do you need?


"Jono Jones" <jonojones78@xxxxxxxxxxxxxxxxx> wrote in message
news:5748E48E-8B57-4945-8D44-3E4F9EB0E25B@xxxxxxxxxxxxxxxx
Hi there,

Thanks for your reply. Could you fill in some more details about
your
proposed solution?

Any answers are very much appreciated,

Cheers,

Jono

"Nicole Calinoiu" wrote:

Have you considered using forms authentication in your application
coupled
with Windows integrated authentication at the IIS level? Rather
than
having
a login page that prompts users for their credentials, you could
then
simply
read their AD account name from the LOGON_USER server variable.
The
role
set would be populated from the db as in any typical forms
authentication
scenario.

For setting up page-specific authorization, you don't need separate
web.config files. Instead, you can use the system.web\location
element
to
set up different access rules for any pages or sub-directories that
required
separate configuration.



"Jono Jones" <jonojones78@xxxxxxxxxxxxxxxxx> wrote in message
news:BB405DC9-D403-44B0-A322-89415077BFF6@xxxxxxxxxxxxxxxx
Hi there,

We have 500 users on our network. I'm writing a web system
(asp.net)
where
you can create a user and give them access to various sections of
the
site.

To create a user you select and existing Active Directory user
and
just
attach their permissions (to see different web pages/options on
web
pages)
then save it to a database.

The purpose is to have the system hanging off the intranet and it
will
seamlessly let registered users use the system without logging
one
(i.e.
the
fact they they are logged into windows is enough).

In the default page I can pick up up the user logged into the
machine
and
test against my DB like so:

If
temp.isUserRegistered(HttpContext.Current.User.Identity.Name().Split("\",
2)(1)) Then

FormsAuthentication.RedirectFromLoginPage(HttpContext.Current.User.Identity.Name().Split("\",
2)(1), False)
Response.Redirect("menu.aspx")
end if

What do I need to have set in iis and web.config to prevent users
from
just
typing in the url for the menu to get into the system. I've had
this
working
before with forms but not sure with this check with AD users.

Further to this, how would I prevent certain content on a page
being
displayed to a user that doesn't have access to see that
particularlink
for
example (and example might be a button to take you to the admin
section, I
don't want the button to be visible a normal user and I don't
want a
normal
user to able to just browse to the admin.aspx page).

One stipulation is that I can't have a seperate fodler for each
type
of
access and thus have separate web.config files.

Just to make it clear, the permissions are set in my web system
and
stored
on my DB. I'm only using AD to check that the user currently
logged
in
to
windows is a user within this system (i.e. their username has
been
stored
in
DB with some permissions).

Many thanks for any help on this one.

Jono











.