Re: How to SELECT records based upon ASP.NET Roles
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Aug 2006 09:32:33 -0500
Hi,
No one has answered your question yet, so I thought I'd give it a whack.
For this type of application, what I would tend to do is create some sort of
abstraction layer between the roles that the application supports from a
business perspective and the actual NT groups of the authenticated user.
I'd rather store application-specific stuff in SQL than store the names of
security principals directly. There is a nice framework called AzMan that
helps with this type of thing and is very flexible. However, you might also
be able to use SQL row-level security as well (which is something I've never
done and know nothing about except that I've heard such a thing exists
:) ).
A couple of things worth knowing:
When the user is authenticated by ASP.NET, the authenticated user's security
context is represented in the HttpContext.User property. When using Windows
authentication in IIS, this will be a WindowsPrincipal object, but it would
be something else if you were using forms authentication or membership or
something.
Whether or not the code is actually executing as this user depends on
whether you have impersonation enabled (and whether you are using Windows
auth in IIS again). It is OFF by default in ASP.NET. This is opposite of
how classic ASP works, which always impersonates and doesn't give you an
option to turn it off.
Thus, when your code calls into SQL, the Windows security context will be
the process account, not the authenticated user's account.
If you want to do the Windows security integration at the database level,
you would want to impersonate the authenticated Windows user by
enabling impersonation in web.config (<identity impersonate="true"/> inside
the <system.web> element). You can also impersonate programmatically just
when you are running your SQL queries.
Other things to know are that you can cast the IPrincipal to a
WindowsPrincipal and the IIdentity in the Identity property to a
WindowsIdentity class in order to access the Groups property. This allows
you to get the user's list of groups. You can also simply check to see if a
user is in a group with the IPrincipal.IsInRole method.
I hope this gives you some ideas.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Bob" <_NO_SPAM_PLEASE_@xxxxxxxxx> wrote in message
news:9vadneZPbP-06kLZnZ2dnUVZ_sGdnZ2d@xxxxxxxxxxxxxx
I am new to ASP.NET and need to develop an application that archives /
retrieves documents. When the document is stored, the user specifies the
document permissions (public or limited to a specific role/class of users).
This means that when a person in Customer Service does a search, they
aren't able to retrieve company payroll reports archived by the Finance
department.
The solution will be implemented in a site setup with NT Authentication
via a local domain that the IIS 6.0 server is a member of. The data store
will be SQL Server Express 2005 initially.
I understand that ASP.NET supports Role based security. Presently however,
it appears that ASP.NET runs under a single NT Service account.
If I attempt to use the SYSTEM_USER() or similar SQL function, will it
return the current ASP.NET authenticated browser user or the security info
for the .NET service account?
Assuming I store a role / group id with each record, is there a way to
construct a WHERE clause in a SELECT statement that identifies the Roles
of the current ASP.NET authenticated user without having to dynamically
build the SQL statement?
Thanks,
Bob
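
An added example, not part of the original thread: one way to combine the two ideas in the reply, reading the authenticated user's groups from the WindowsIdentity and resolving them to application roles inside a fixed, parameterized SELECT. The `DocumentSearch` class, the `Documents` and `RoleGroupMap` tables and their columns are hypothetical; it assumes Windows authentication in IIS and the xml data type of SQL Server 2005, and the query runs as the process account because impersonation is not used.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Text;
using System.Web;

public static class DocumentSearch // hypothetical helper, not from the thread
{
    // Hypothetical schema: Documents(DocumentId, Title, IsPublic, RoleId) and
    // RoleGroupMap(RoleId, GroupSid), the layer mapping NT groups to application roles.
    // The statement text is constant; only parameter values change per request.
    private const string Sql = @"
SELECT d.DocumentId, d.Title
FROM Documents d
WHERE d.Title LIKE @term
  AND (d.IsPublic = 1 OR d.RoleId IN (
        SELECT m.RoleId
        FROM @sids.nodes('/s') AS x(n)
        JOIN RoleGroupMap m ON m.GroupSid = x.n.value('.', 'varchar(184)')))";

    public static DataTable Search(HttpContext context, string connectionString, string term)
    {
        // With Windows authentication in IIS, HttpContext.User wraps a WindowsIdentity.
        WindowsIdentity identity = context.User.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication is required.");

        // Groups yields one SID per group; a SID string holds only 'S', digits
        // and '-', so it needs no XML escaping.
        StringBuilder xml = new StringBuilder();
        foreach (IdentityReference group in identity.Groups)
            xml.Append("<s>").Append(group.Value).Append("</s>");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(Sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
            cmd.Parameters.Add("@sids", SqlDbType.Xml).Value = xml.ToString();
            DataTable result = new DataTable();
            adapter.Fill(result); // Fill opens and closes the connection itself
            return result;
        }
    }
}
```

Storing group SIDs rather than group names in the mapping table keeps the rows valid when a group is renamed in the domain.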