Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > ASP .Net Security > Add extra parameter to Login/Membership - ASP 2.0

Reply
Thread Tools

Add extra parameter to Login/Membership - ASP 2.0

 
 
David Sack
Guest
Posts: n/a
 
      10-24-2005
I hope can explain this properly. I have a time keeping site that host
multiple companies data in a single database. I would like the logins to be
unique for each company but not across the entire site (i.e. I could have
two jsmith logins as long as they are with seperate companies).

I would like to add a drop down box to the login that allow the user to
select the company that they are with. By adding a "site" column to the
users table I would be able to partition the users so that they would be
authenticated only against the id that has a "site" that matches theirs.

Does this require creating a custom membership provider? I have written
my own authentication routines in the past and can do so for this projects
but I would really like to leverage the existing membership/role capablility
of ASP2. I'm not sure that I have the skills needed to write a custom
membership provider. I just want to make sure that I wasn't missing
anything.

Thanks
Dave


 
Reply With Quote
 
 
 
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      10-25-2005
Hello David,

can you "misuse" the ApplicationName for that??

otherwise i guess you need a custom provider.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> I hope can explain this properly. I have a time keeping site that
> host multiple companies data in a single database. I would like the
> logins to be unique for each company but not across the entire site
> (i.e. I could have two jsmith logins as long as they are with seperate
> companies).
>
> I would like to add a drop down box to the login that allow the user
> to select the company that they are with. By adding a "site" column
> to the users table I would be able to partition the users so that they
> would be authenticated only against the id that has a "site" that
> matches theirs.
>
> Does this require creating a custom membership provider? I have
> written my own authentication routines in the past and can do so for
> this projects but I would really like to leverage the existing
> membership/role capablility of ASP2. I'm not sure that I have the
> skills needed to write a custom membership provider. I just want to
> make sure that I wasn't missing anything.
>
> Thanks
> Dave



 
Reply With Quote
 
 
 
 
David Sack
Guest
Posts: n/a
 
      10-25-2005
Thanks for the response. I think the Application name is set
automatically by settings in the web config? I would like to pass the value
from my login.aspx form to be used as part of the authentication process.
Kinda like saying to the server please check user "jsmith" with password
"xxxx" from Site (from drop down) "1".

Thanks again,

Dave


"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed). com...
> Hello David,
>
> can you "misuse" the ApplicationName for that??
>
> otherwise i guess you need a custom provider.
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I hope can explain this properly. I have a time keeping site that
>> host multiple companies data in a single database. I would like the
>> logins to be unique for each company but not across the entire site
>> (i.e. I could have two jsmith logins as long as they are with seperate
>> companies).
>>
>> I would like to add a drop down box to the login that allow the user
>> to select the company that they are with. By adding a "site" column
>> to the users table I would be able to partition the users so that they
>> would be authenticated only against the id that has a "site" that
>> matches theirs.
>>
>> Does this require creating a custom membership provider? I have
>> written my own authentication routines in the past and can do so for
>> this projects but I would really like to leverage the existing
>> membership/role capablility of ASP2. I'm not sure that I have the
>> skills needed to write a custom membership provider. I just want to
>> make sure that I wasn't missing anything.
>>
>> Thanks
>> Dave

>
>



 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      10-25-2005
Hello David,

smells like custom provider...

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thanks for the response. I think the Application name is set
> automatically by settings in the web config? I would like to pass the
> value from my login.aspx form to be used as part of the authentication
> process. Kinda like saying to the server please check user "jsmith"
> with password "xxxx" from Site (from drop down) "1".
>
> Thanks again,
>
> Dave
>
> "Dominick Baier [DevelopMentor]"
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). com...
>
>> Hello David,
>>
>> can you "misuse" the ApplicationName for that??
>>
>> otherwise i guess you need a custom provider.
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I hope can explain this properly. I have a time keeping site that
>>> host multiple companies data in a single database. I would like the
>>> logins to be unique for each company but not across the entire site
>>> (i.e. I could have two jsmith logins as long as they are with
>>> seperate companies).
>>>
>>> I would like to add a drop down box to the login that allow the user
>>> to select the company that they are with. By adding a "site" column
>>> to the users table I would be able to partition the users so that
>>> they would be authenticated only against the id that has a "site"
>>> that matches theirs.
>>>
>>> Does this require creating a custom membership provider? I have
>>> written my own authentication routines in the past and can do so for
>>> this projects but I would really like to leverage the existing
>>> membership/role capablility of ASP2. I'm not sure that I have the
>>> skills needed to write a custom membership provider. I just want to
>>> make sure that I wasn't missing anything.
>>>
>>> Thanks
>>> Dave



 
Reply With Quote
 
David Sack
Guest
Posts: n/a
 
      10-25-2005
Thats what I was afraid of. Do you know of any good "How to's" or
tutorials on the subject? Thanks again for the response. It is greatly
appreciated.

Thanks
Dave

"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed). com...
> Hello David,
>
> smells like custom provider...
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Thanks for the response. I think the Application name is set
>> automatically by settings in the web config? I would like to pass the
>> value from my login.aspx form to be used as part of the authentication
>> process. Kinda like saying to the server please check user "jsmith"
>> with password "xxxx" from Site (from drop down) "1".
>>
>> Thanks again,
>>
>> Dave
>>
>> "Dominick Baier [DevelopMentor]"
>> <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed). com...
>>
>>> Hello David,
>>>
>>> can you "misuse" the ApplicationName for that??
>>>
>>> otherwise i guess you need a custom provider.
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> I hope can explain this properly. I have a time keeping site that
>>>> host multiple companies data in a single database. I would like the
>>>> logins to be unique for each company but not across the entire site
>>>> (i.e. I could have two jsmith logins as long as they are with
>>>> seperate companies).
>>>>
>>>> I would like to add a drop down box to the login that allow the user
>>>> to select the company that they are with. By adding a "site" column
>>>> to the users table I would be able to partition the users so that
>>>> they would be authenticated only against the id that has a "site"
>>>> that matches theirs.
>>>>
>>>> Does this require creating a custom membership provider? I have
>>>> written my own authentication routines in the past and can do so for
>>>> this projects but I would really like to leverage the existing
>>>> membership/role capablility of ASP2. I'm not sure that I have the
>>>> skills needed to write a custom membership provider. I just want to
>>>> make sure that I wasn't missing anything.
>>>>
>>>> Thanks
>>>> Dave

>
>



 
Reply With Quote
 
David Sack
Guest
Posts: n/a
 
      10-25-2005
Something kind of clicked when I thought about this after the fact. As
far as I can tell the ApplicationID is set from the Web.Config file. If I
were to create application directories under my home directory that had a
different ApplicationID specified then create a login form on that directory
that would redirect on a successful login the the main menu page in the
parent web directory it would used the sub applications authentication to
allow access based upon the ApplicationID.

I have tested it quickly and it seems to work. I don't know how it will
affect overall security or the use of roles? I would also have the create a
sub-application login directory for each unique site that would be accessing
the site. That could turn into a pain.

Let me know what you think?

Thanks again,
Dave
"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed). com...
> Hello David,
>
> can you "misuse" the ApplicationName for that??
>
> otherwise i guess you need a custom provider.
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> I hope can explain this properly. I have a time keeping site that
>> host multiple companies data in a single database. I would like the
>> logins to be unique for each company but not across the entire site
>> (i.e. I could have two jsmith logins as long as they are with seperate
>> companies).
>>
>> I would like to add a drop down box to the login that allow the user
>> to select the company that they are with. By adding a "site" column
>> to the users table I would be able to partition the users so that they
>> would be authenticated only against the id that has a "site" that
>> matches theirs.
>>
>> Does this require creating a custom membership provider? I have
>> written my own authentication routines in the past and can do so for
>> this projects but I would really like to leverage the existing
>> membership/role capablility of ASP2. I'm not sure that I have the
>> skills needed to write a custom membership provider. I just want to
>> make sure that I wasn't missing anything.
>>
>> Thanks
>> Dave

>
>



 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      10-25-2005
Hello David,

http://msdn.microsoft.com/library/de...vMod_Intro.asp
this is a good starting point
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Thats what I was afraid of. Do you know of any good "How to's" or
> tutorials on the subject? Thanks again for the response. It is
> greatly appreciated.
>
> Thanks
> Dave
> "Dominick Baier [DevelopMentor]"
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). com...
>
>> Hello David,
>>
>> smells like custom provider...
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Thanks for the response. I think the Application name is set
>>> automatically by settings in the web config? I would like to pass
>>> the value from my login.aspx form to be used as part of the
>>> authentication process. Kinda like saying to the server please check
>>> user "jsmith" with password "xxxx" from Site (from drop down) "1".
>>>
>>> Thanks again,
>>>
>>> Dave
>>>
>>> "Dominick Baier [DevelopMentor]"
>>> <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed). com...
>>>
>>>> Hello David,
>>>>
>>>> can you "misuse" the ApplicationName for that??
>>>>
>>>> otherwise i guess you need a custom provider.
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> I hope can explain this properly. I have a time keeping site that
>>>>> host multiple companies data in a single database. I would like
>>>>> the logins to be unique for each company but not across the entire
>>>>> site (i.e. I could have two jsmith logins as long as they are with
>>>>> seperate companies).
>>>>>
>>>>> I would like to add a drop down box to the login that allow the
>>>>> user to select the company that they are with. By adding a "site"
>>>>> column to the users table I would be able to partition the users
>>>>> so that they would be authenticated only against the id that has a
>>>>> "site" that matches theirs.
>>>>>
>>>>> Does this require creating a custom membership provider? I have
>>>>> written my own authentication routines in the past and can do so
>>>>> for this projects but I would really like to leverage the existing
>>>>> membership/role capablility of ASP2. I'm not sure that I have the
>>>>> skills needed to write a custom membership provider. I just want
>>>>> to make sure that I wasn't missing anything.
>>>>>
>>>>> Thanks
>>>>> Dav



 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      10-25-2005
Hello David,

this is fine for Membership - but the role provider, or more specifically
the RoleManagerModule is called on every request in your local application.
It subscribes to PostAuthenticateRequest in the HTTP pipeline to get the
roles for the user and sets Context.User. This will pick up the ApplicationID
of your local application.

so i think this will not work...

To be honest, i think a provider will not work at all for you ...

Let's say you have written your own provider witch a new ValidateUser method
that takes an additional application name as parameter - how do you want
to teach the login control the trick (without templating and basically rebuilding
it) ??

Well - you could subclass the SqlMembershipProvider and add a ApplicationName
property that you set on Application_Start e.g. - not a perfect solution
- but again this means you have to override ValidateUser and quite a number
of other methods.

On the other hand - if you don't use the new security controls - why would
you go through the hassle of building a provider - most probably you'll only
need 60% of the functionality.

So why not simply go for your own compact authentication library that does
exactly what you want - deploy it in the GAC and use it from all your apps??

providers are no panacea (unfortunately).

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Something kind of clicked when I thought about this after the fact.
> As far as I can tell the ApplicationID is set from the Web.Config
> file. If I were to create application directories under my home
> directory that had a different ApplicationID specified then create a
> login form on that directory that would redirect on a successful login
> the the main menu page in the parent web directory it would used the
> sub applications authentication to allow access based upon the
> ApplicationID.
>
> I have tested it quickly and it seems to work. I don't know how it
> will affect overall security or the use of roles? I would also have
> the create a sub-application login directory for each unique site that
> would be accessing the site. That could turn into a pain.
>
> Let me know what you think?
>
> Thanks again,
> Dave
> "Dominick Baier [DevelopMentor]"
> <(E-Mail Removed)>
> wrote in message
> news:(E-Mail Removed). com...
>> Hello David,
>>
>> can you "misuse" the ApplicationName for that??
>>
>> otherwise i guess you need a custom provider.
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> I hope can explain this properly. I have a time keeping site that
>>> host multiple companies data in a single database. I would like the
>>> logins to be unique for each company but not across the entire site
>>> (i.e. I could have two jsmith logins as long as they are with
>>> seperate companies).
>>>
>>> I would like to add a drop down box to the login that allow the user
>>> to select the company that they are with. By adding a "site" column
>>> to the users table I would be able to partition the users so that
>>> they would be authenticated only against the id that has a "site"
>>> that matches theirs.
>>>
>>> Does this require creating a custom membership provider? I have
>>> written my own authentication routines in the past and can do so for
>>> this projects but I would really like to leverage the existing
>>> membership/role capablility of ASP2. I'm not sure that I have the
>>> skills needed to write a custom membership provider. I just want to
>>> make sure that I wasn't missing anything.
>>>
>>> Thanks
>>> Dave



 
Reply With Quote
 
David Sack
Guest
Posts: n/a
 
      10-25-2005
Hadn't thought about the re-writing of the controls beyond the Login
control. I think that you are correct, It will be more work adjusting the
existing membership provider and others then just creating what I need
specifically for this application. Thanks so much for the input it was of
great value. BTW. I had a chance to take a look at your web site, great
stuff.

Thanks
Dave

"Dominick Baier [DevelopMentor]" <(E-Mail Removed)>
wrote in message news:(E-Mail Removed). com...
> Hello David,
>
> this is fine for Membership - but the role provider, or more specifically
> the RoleManagerModule is called on every request in your local
> application. It subscribes to PostAuthenticateRequest in the HTTP pipeline
> to get the roles for the user and sets Context.User. This will pick up the
> ApplicationID of your local application.
>
> so i think this will not work...
>
> To be honest, i think a provider will not work at all for you ...
>
> Let's say you have written your own provider witch a new ValidateUser
> method that takes an additional application name as parameter - how do you
> want to teach the login control the trick (without templating and
> basically rebuilding it) ??
>
> Well - you could subclass the SqlMembershipProvider and add a
> ApplicationName property that you set on Application_Start e.g. - not a
> perfect solution - but again this means you have to override ValidateUser
> and quite a number of other methods.
>
> On the other hand - if you don't use the new security controls - why would
> you go through the hassle of building a provider - most probably you'll
> only need 60% of the functionality.
>
> So why not simply go for your own compact authentication library that does
> exactly what you want - deploy it in the GAC and use it from all your
> apps??
>
> providers are no panacea (unfortunately).
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
>> Something kind of clicked when I thought about this after the fact.
>> As far as I can tell the ApplicationID is set from the Web.Config
>> file. If I were to create application directories under my home
>> directory that had a different ApplicationID specified then create a
>> login form on that directory that would redirect on a successful login
>> the the main menu page in the parent web directory it would used the
>> sub applications authentication to allow access based upon the
>> ApplicationID.
>>
>> I have tested it quickly and it seems to work. I don't know how it
>> will affect overall security or the use of roles? I would also have
>> the create a sub-application login directory for each unique site that
>> would be accessing the site. That could turn into a pain.
>>
>> Let me know what you think?
>>
>> Thanks again,
>> Dave
>> "Dominick Baier [DevelopMentor]"
>> <(E-Mail Removed)>
>> wrote in message
>> news:(E-Mail Removed). com...
>>> Hello David,
>>>
>>> can you "misuse" the ApplicationName for that??
>>>
>>> otherwise i guess you need a custom provider.
>>> ---------------------------------------
>>> Dominick Baier - DevelopMentor
>>> http://www.leastprivilege.com
>>>> I hope can explain this properly. I have a time keeping site that
>>>> host multiple companies data in a single database. I would like the
>>>> logins to be unique for each company but not across the entire site
>>>> (i.e. I could have two jsmith logins as long as they are with
>>>> seperate companies).
>>>>
>>>> I would like to add a drop down box to the login that allow the user
>>>> to select the company that they are with. By adding a "site" column
>>>> to the users table I would be able to partition the users so that
>>>> they would be authenticated only against the id that has a "site"
>>>> that matches theirs.
>>>>
>>>> Does this require creating a custom membership provider? I have
>>>> written my own authentication routines in the past and can do so for
>>>> this projects but I would really like to leverage the existing
>>>> membership/role capablility of ASP2. I'm not sure that I have the
>>>> skills needed to write a custom membership provider. I just want to
>>>> make sure that I wasn't missing anything.
>>>>
>>>> Thanks
>>>> Dave

>
>



 
Reply With Quote
 
Dominick Baier [DevelopMentor]
Guest
Posts: n/a
 
      10-28-2005
Hello David,

in fact, it is easier than i thought -

you can subclass the providers and just override the ApplicationName property
- in the getter you can dynamically fetch the ApplicationName as all of the
provider methods use the property only.

you could e.g. set Context.Items["appname"] to your app/client name before
calling the ValidateUser method (via the login control) - and read it in
the getter again

there may be some testing involved to get that right for the RoleManager..but
i think this will work.

Again - if it makes more sense to tweak the providers vs. building your own
stuff - you decide.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hadn't thought about the re-writing of the controls beyond the Login
> control. I think that you are correct, It will be more work
> adjusting the existing membership provider and others then just
> creating what I need specifically for this application. Thanks so
> much for the input it was of great value. BTW. I had a chance to
> take a look at your web site, great stuff.
>
> Thanks
> Dave
> "Dominick Baier [DevelopMentor]"
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed). com...
>
>> Hello David,
>>
>> this is fine for Membership - but the role provider, or more
>> specifically the RoleManagerModule is called on every request in your
>> local application. It subscribes to PostAuthenticateRequest in the
>> HTTP pipeline to get the roles for the user and sets Context.User.
>> This will pick up the ApplicationID of your local application.
>>
>> so i think this will not work...
>>
>> To be honest, i think a provider will not work at all for you ...
>>
>> Let's say you have written your own provider witch a new ValidateUser
>> method that takes an additional application name as parameter - how
>> do you want to teach the login control the trick (without templating
>> and basically rebuilding it) ??
>>
>> Well - you could subclass the SqlMembershipProvider and add a
>> ApplicationName property that you set on Application_Start e.g. - not
>> a perfect solution - but again this means you have to override
>> ValidateUser and quite a number of other methods.
>>
>> On the other hand - if you don't use the new security controls - why
>> would you go through the hassle of building a provider - most
>> probably you'll only need 60% of the functionality.
>>
>> So why not simply go for your own compact authentication library that
>> does exactly what you want - deploy it in the GAC and use it from all
>> your apps??
>>
>> providers are no panacea (unfortunately).
>>
>> ---------------------------------------
>> Dominick Baier - DevelopMentor
>> http://www.leastprivilege.com
>>> Something kind of clicked when I thought about this after the fact.
>>> As far as I can tell the ApplicationID is set from the Web.Config
>>> file. If I were to create application directories under my home
>>> directory that had a different ApplicationID specified then create a
>>> login form on that directory that would redirect on a successful
>>> login
>>> the the main menu page in the parent web directory it would used the
>>> sub applications authentication to allow access based upon the
>>> ApplicationID.
>>> I have tested it quickly and it seems to work. I don't know how it
>>> will affect overall security or the use of roles? I would also have
>>> the create a sub-application login directory for each unique site
>>> that would be accessing the site. That could turn into a pain.
>>>
>>> Let me know what you think?
>>>
>>> Thanks again,
>>> Dave
>>> "Dominick Baier [DevelopMentor]"
>>> <(E-Mail Removed)>
>>> wrote in message
>>> news:(E-Mail Removed). com...
>>>> Hello David,
>>>>
>>>> can you "misuse" the ApplicationName for that??
>>>>
>>>> otherwise i guess you need a custom provider.
>>>> ---------------------------------------
>>>> Dominick Baier - DevelopMentor
>>>> http://www.leastprivilege.com
>>>>> I hope can explain this properly. I have a time keeping site that
>>>>> host multiple companies data in a single database. I would like
>>>>> the logins to be unique for each company but not across the entire
>>>>> site (i.e. I could have two jsmith logins as long as they are with
>>>>> seperate companies).
>>>>>
>>>>> I would like to add a drop down box to the login that allow the
>>>>> user to select the company that they are with. By adding a "site"
>>>>> column to the users table I would be able to partition the users
>>>>> so that they would be authenticated only against the id that has a
>>>>> "site" that matches theirs.
>>>>>
>>>>> Does this require creating a custom membership provider? I have
>>>>> written my own authentication routines in the past and can do so
>>>>> for this projects but I would really like to leverage the existing
>>>>> membership/role capablility of ASP2. I'm not sure that I have the
>>>>> skills needed to write a custom membership provider. I just want
>>>>> to make sure that I wasn't missing anything.
>>>>>
>>>>> Thanks
>>>>> Dave



 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Does return-by-value mean extra copies and extra overhead? mathieu C++ 3 09-04-2009 04:25 PM
anyway to give extra parameter to an existing function? Dave C++ 5 04-24-2007 02:17 AM
Map with an extra parameter ml1n Python 8 09-09-2006 09:45 AM
Add extra IPs to outside interface in 506E The Techie Cisco 4 04-20-2006 01:05 AM
Re: How do I add an extra item to dropdown menu. Marina ASP .Net 1 06-22-2004 11:25 PM



Advertisments