Velocity Reviews


Danny Vucinec 05-23-2007 11:32 AM

Windows authentication with custom user store
 
I'm building a solution that uses Windows authentication. However, the
Windows users that are allowed to log in and use the application are defined
in a custom user store. If a user is successfully authenticated by Windows,
access should be denied if the user isn't in the custom user store.

Using roles to authorize the users would be a good solution, but the fact
is that the web application uses both ASP.NET and classical ASP. What other
options could be used? I'm thinking of a custom SessionStateUtility that only
issues a new session after the authenticated user is located in the user
store.

Danny Vucinec 05-23-2007 11:36 AM

RE: Windows authentication with custom user store
 
Another option could be the use of a custom "authentication cookie" that is
issued after the user is located in the user store. This cookie should then
be checked in every request. What would be a good technique for this solution?

Dominick Baier 05-23-2007 11:44 AM

RE: Windows authentication with custom user store
 
You can write an HttpModule that handles AuthorizeRequest (or in global.asax
for a start).

In this event you can check your user store and see if the user is in the
allowed list.

This event gets called on every request - once you have this working, you
can think about optimizations, like a cookie or a flag in the cache...


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

> Another option could be the use of a custom "authentication cookie"
> that is issued after the user is located in the user store. This
> cookie should then be checked in every request. What would be a good
> technique for this solution?
>
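
The approach described in the reply above, as an added example that is not part of the original thread: an HttpModule that handles AuthorizeRequest, checks the user store on every request and keeps the result as a flag in the server-side cache. The class name, the `IsInUserStore` helper, the `CONTOSO` accounts and the five-minute lifetime are hypothetical, and the code assumes anonymous access is disabled in IIS.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Caching;

// Added example. Register under <system.web><httpModules> in web.config:
//   <add name="UserStoreAuthorization" type="UserStoreAuthorizationModule" />
public class UserStoreAuthorizationModule : IHttpModule
{
    // Constructed sample accounts standing in for the custom user store.
    private static readonly HashSet<string> AllowedUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CONTOSO\alice", @"CONTOSO\bob" };

    // Removing a user from the store takes effect once this cached decision expires.
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);

    public void Init(HttpApplication app) { app.AuthorizeRequest += OnAuthorizeRequest; }
    public void Dispose() { }

    // Hypothetical lookup; replace with the real store query.
    private static bool IsInUserStore(string account) { return AllowedUsers.Contains(account); }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext ctx = app.Context;
        bool allowed = false; // fail closed
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
        {
            string account = ctx.User.Identity.Name; // DOMAIN\user from Windows authentication
            string key = "userstore-allowed:" + account.ToUpperInvariant();
            object cached = ctx.Cache[key]; // server-side flag, not client-controlled
            if (cached is bool) { allowed = (bool)cached; }
            else
            {
                allowed = IsInUserStore(account);
                ctx.Cache.Insert(key, allowed, null,
                    DateTime.UtcNow.Add(CacheLifetime), Cache.NoSlidingExpiration);
            }
        }
        if (!allowed)
        {
            ctx.Response.StatusCode = 403; // 403, not 401: another credential prompt would not help
            app.CompleteRequest();         // skip the handler and go straight to EndRequest
        }
    }
}
```

The module only protects requests that pass through the ASP.NET pipeline, so the classic ASP pages are covered only if IIS is configured to route them through it.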




