ASP.NET 2.0 Authorization based on Combination of Allow/Deny Users/Roles.



Hi,

The problem with Authorization is it stops at the first match and doesn't
permit Grouping.

On the Web Site, I am trying to Secure Page Access and Site Navigation by
implementing the following ASP.NET 2.0 features:

- Membership
- Site Maps
- SiteMap Security Trimming

A User has at least 2 roles, let's say:

- Customer or Vendor

and

- User and/or Manager and/or Accounting

User U1 has the roles:

- Customer
- Accounting
- User

User U2 has the roles:

- Customer
- User

How do I keep U2 out using roles?

Right now, it stops when it sees they were in the Customer Role.

I don't want to deny the User Role because U1 would be stopped.

I would like something like this

<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="Customer, Accounting" />
<allow roles="Vendor, Manager, Accounting" />
</authorization>

or possibly

<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="(Customer, Accounting), (Vendor, Manager, Accounting)" />
</authorization>


For Above:

The allow roles list would be evaluated with a boolean AND

The allow elements would be evaluated between each other with a boolean OR

The allow and deny elements would be evaluated with a boolean AND

..i.e.

(
    (users <> "?")
    AND
    (users <> "U3")
    AND
    (
        (roles = "Customer" AND roles = "Accounting")
        OR
        (roles = "Vendor" AND roles = "Manager" AND roles = "Accounting")
    )
)



I am currently looking at the possibility of implementing an HttpModule for
AuthenticateRequest. I found an example that checks the
SiteMap.CurrentNode.Roles but the siteMapNode only permits allows, not
denies.

I could create my own custom nodes

<siteMapNode
url="~/Default.aspx"
title="Home"
description="Home"
AllowUsers=""
DenyUsers="?, U3"
AllowRoles="(Customer, Accounting), (Vendor, Manager, Accounting)"
DenyRoles=""
/>

I am not sure if this covers Page Access though.


Or, I can figure out how to get the prevailing web.config denies and allows.


I would check online, but the MSDN servers reply with "Server is too busy"
this morning.



Any other ideas?


Thanks,

Doug
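Added example (not part of Doug's post, and not an ASP.NET built-in): a custom HttpModule that applies the grouped rule described in the post, denying anonymous users and the listed user names, then allowing only users who hold every role of at least one allow group. It hooks AuthorizeRequest rather than AuthenticateRequest, because that is the event UrlAuthorizationModule itself uses and it fires after the principal has been set; the class name, the hard-coded group lists and the user "U3" are assumptions for illustration.

```csharp
using System;
using System.Security.Principal;
using System.Web;

// Hypothetical module: allow groups are ANDed inside, ORed across;
// a real module would read these lists from configuration instead.
public class GroupedRoleAuthorizationModule : IHttpModule
{
    private static readonly string[][] AllowGroups =
    {
        new[] { "Customer", "Accounting" },
        new[] { "Vendor", "Manager", "Accounting" },
    };
    private static readonly string[] DenyUsers = { "U3" };

    public void Init(HttpApplication app)
    {
        // AuthorizeRequest runs after the authentication modules have
        // assigned context.User, so IsInRole sees the role data.
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        if (IsAllowed(app.Context.User)) return;

        // Same outcome UrlAuthorizationModule produces on a deny: a 401,
        // which FormsAuthenticationModule turns into a login redirect.
        app.Context.Response.StatusCode = 401;
        app.CompleteRequest();
    }

    // Evaluates: NOT anonymous AND NOT denied user AND (any group fully held).
    public static bool IsAllowed(IPrincipal user)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;   // deny users="?"
        foreach (string denied in DenyUsers)
            if (string.Equals(user.Identity.Name, denied, StringComparison.OrdinalIgnoreCase))
                return false;                                                 // deny users="U3"
        foreach (string[] group in AllowGroups)
        {
            bool hasAll = true;
            foreach (string role in group)
                if (!user.IsInRole(role)) { hasAll = false; break; }
            if (hasAll) return true;   // U1 (Customer, Accounting, User) passes here
        }
        return false;                  // U2 (Customer, User) matches no group: denied
    }
}
```

The module is registered in web.config under <httpModules> with an <add name="..." type="..." /> entry, and it only governs page access: site map security trimming consults the node's roles attribute and the web.config <authorization> rules, not a custom module, so navigation trimming needs its own handling.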





