Re: How to SELECT records based upon ASP.NET Roles
- From: "Bob" <_NO_SPAM_PLEASE_@xxxxxxxxx>
- Date: Mon, 21 Aug 2006 13:54:12 -0400
Joe:
Great reply! Thanks for your response. I appreciate the directions to
follow.
Thanks,
Bob
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:ugzxiMtwGHA.560@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
No one has answered your question yet, so I thought I'd give it a whack.
For this type of application, what I would tend to do is create some sort
of abstraction layer between the roles that the application supports from
a business perspective and the actual NT groups of the authenticated user.
I'd rather store application-specific stuff in SQL than store the names of
security principals directly. There is a nice framework called AzMan that
helps with this type of thing and is very flexible. However, you might
also be able to use SQL row-level security as well (which is something
I've never done and know nothing about except that I've heard such a
thing exists :) ).
A couple of things worth knowing:
When the user is authenticated by ASP.NET, the authenticated user's
security context is represented in the HttpContext.User property. When
using Windows authentication in IIS, this will be a WindowsPrincipal
object, but it would be something else if you were using forms
authentication or membership or something.
Whether or not the code is actually executing as this user depends on
whether you have impersonation enabled (and whether you are using Windows
auth in IIS again). It is OFF by default in ASP.NET. This is the opposite of
how classic ASP works, which always impersonates and doesn't give you an
option to turn it off.
Thus, when your code calls into SQL, the Windows security context will be
the process account, not the authenticated user's account.
If you want to do the Windows security integration at the database level,
you would want to impersonate the authenticated Windows user, either by
enabling impersonation in web.config (<identity impersonate="true"/>
inside the <system.web> element) or programmatically, just when you are
running your SQL queries.
Other things to know are that you can cast the IPrincipal to a
WindowsPrincipal and the IIdentity in the Identity property to a
WindowsIdentity class in order to access the Groups property. This allows
you to get the user's list of groups. You can also simply check to see if
a user is in a group with the IPrincipal.IsInRole method.
I hope this gives you some ideas.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Bob" <_NO_SPAM_PLEASE_@xxxxxxxxx> wrote in message
news:9vadneZPbP-06kLZnZ2dnUVZ_sGdnZ2d@xxxxxxxxxxxxxx
I am new to ASP.NET and need to develop an application that archives /
retrieves documents. When the document is stored, the user specifies the
document permissions (public or limited to a specific role/class of
users). This means that when a person in Customer Service does a search, they
aren't able to retrieve company payroll reports archived by the Finance
department.
The solution will be implemented in a site set up with NT Authentication
via a local domain that the IIS 6.0 server is a member of. The data store
will be SQL Server Express 2005 initially.
I understand that ASP.NET supports role-based security. Presently,
however, it appears that ASP.NET runs under a single NT service account.
If I attempt to use the SYSTEM_USER() or similar SQL function, will it
return the current ASP.NET authenticated browser user or the security
info for the .NET service account?
Assuming I store a role / group id with each record, is there a way to
construct a WHERE clause in a SELECT statement that identifies the Roles
of the current ASP.NET authenticated user without having to dynamically
build the SQL statement?
Thanks,
Bob
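The approach Joe outlines, as an added example that is not part of the thread: cast HttpContext.User's identity to WindowsIdentity to read the Groups property, then pass the resolved group names as query parameters through a role-to-group mapping table, so the WHERE clause filters by role without concatenating user data into the SQL string. The table names (Documents, DocumentRoles, RoleGroups) and columns are hypothetical.

```csharp
// Added example, not from the thread: enumerate the authenticated Windows user's
// groups and filter documents with a parameterized query (no dynamic SQL string).
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
public static class DocumentSearch
{
    // Group names (DOMAIN\Group) of the request's user. Requires Windows auth in IIS;
    // under forms authentication HttpContext.User is not a WindowsPrincipal.
    public static List<string> CurrentUserGroups(HttpContext ctx)
    {
        WindowsIdentity identity = ctx.User.Identity as WindowsIdentity;
        if (identity == null)
            throw new InvalidOperationException("Expected WindowsIdentity; is Windows authentication on?");
        List<string> groups = new List<string>();
        foreach (IdentityReference sid in identity.Groups)
        {
            try { groups.Add(sid.Translate(typeof(NTAccount)).Value); }
            catch (IdentityNotMappedException) { /* SID with no resolvable name: skip */ }
        }
        return groups;
    }
    // Hypothetical schema: Documents(DocId, Title, IsPublic), DocumentRoles(DocId, RoleName)
    // and RoleGroups(RoleName, GroupName), the role-to-NT-group abstraction Joe describes.
    public static DataTable SearchVisibleDocuments(SqlConnection conn, HttpContext ctx)
    {
        List<string> groups = CurrentUserGroups(ctx);
        SqlCommand cmd = conn.CreateCommand();
        List<string> paramNames = new List<string>();
        for (int i = 0; i < groups.Count; i++)
        {
            // One parameter per group; user-derived text never enters the SQL string.
            string p = "@g" + i;
            paramNames.Add(p);
            cmd.Parameters.Add(p, SqlDbType.NVarChar, 256).Value = groups[i];
        }
        string inList = paramNames.Count > 0 ? string.Join(",", paramNames.ToArray()) : "NULL";
        cmd.CommandText =
            "SELECT d.DocId, d.Title FROM Documents d WHERE d.IsPublic = 1 OR EXISTS (" +
            "SELECT 1 FROM DocumentRoles dr JOIN RoleGroups rg ON rg.RoleName = dr.RoleName " +
            "WHERE dr.DocId = d.DocId AND rg.GroupName IN (" + inList + "))";
        DataTable table = new DataTable();
        new SqlDataAdapter(cmd).Fill(table);
        return table;
    }
}
```

Because the user's groups are supplied as parameters, the connection can keep running as the process account and no impersonation is needed for the filter; a user with no mapped groups sees only public documents.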