Programmatic Forms Authentication

 
 
Tyler Carver
02-21-2006
I'm looking for a provider or some type of programmatic access to be able to
map which URLs in my website need authentication. Using the web.config does
not give me a real time way to say which URLs are authorized. Many of the
URLs in our website are dynamic and allow dynamic authorization schemes.

It seems like there should be an easier way to manage this with 2.0. The
SiteMap provider seems to be a very logical place for me to add roles and
security. I noticed that there is some role use but I believe this is only
for the controls that consume the SiteMap and not for Forms Authentication.

Thanks for any help,
Tyler


--
------------------
Tyler Carver
tylercarver.com
 
Yuan Ren[MSFT]
02-22-2006
Hi Tyler,

Thanks for posting!

For the current issue, my understanding is that you want to manage the
authentication of the site. If I have misunderstood anything, please feel
free to let me know.

As far as I know, the "location" element in the web.config file can be used
for the directory or subdirectories. I suggest you put the pages which
allow the authorized client to access into the same directory. And then,
you just need to mark the path of the directory in the web.config file. The
following link is a detailed explanation of the "location" element. I hope
this will be helpful.

If you have any issues or concerns, please let me know. It's my pleasure to
be of assistance.

Regards,

Yuan Ren [MSFT]
Microsoft Online Support
======================================================
PLEASE NOTE the newsgroup SECURE CODE and PASSWORD were
updated on February 14, 2006. Please complete a re-registration process
by entering the secure code mmpng06 when prompted. Once you have
entered the secure code mmpng06, you will be able to update your profile
and access the partner newsgroups.
======================================================
When responding to posts, please "Reply to Group" via your newsreader
so that others may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
======================================================

 
Yuan Ren[MSFT]
02-22-2006
Hi Tyler,

Sorry for the carelessness!

The link is below:
http://msdn.microsoft.com/library/de...us/cpgenref/html/gngrflocationelement.asp

Regards,

Yuan Ren [MSFT]
Microsoft Online Support

 
Dominick Baier [DevelopMentor]
02-22-2006
Hi,

You can use Context.User.IsInRole() to check for the role of the user. If
that fails you can call FormsAuthentication.RedirectToLoginPage.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> ""Yuan Ren[MSFT]"" wrote:
>
>> For the current issue, my understanding is that you want to
>> manage the authentication of the site. If I have misunderstood
>> anything, please feel free to let me know.
>>

> I think you misunderstood my question. I'm not asking how do I apply
> forms authentication to a certain directory or file from the
> web.config, I'm asking how do I apply authentication and
> authorization to a URL programmatically. For instance let's say I
> have the following 2 URLs that I want to apply roles to:
>
> http://myweb.com/doc.aspx?id=1
>
> I want the following role:
> ServiceA
>
> http://myweb.com/doc.aspx?id=2
>
> I want the following role:
> ServiceB
>
> I want the fact that these two URLs have these roles to be managed in
> a database and then when a request comes in for these URLs I want to
> let forms authentication know what authorization and roles to apply to
> that URL.
>
>> As far as I know, the "location" element in the web.config file can
>> be used for the directory or subdirectories. I suggest you put the
>> pages which allow the authorized client to access into the same
>> directory. And then, you just need to mark the path of the directory in
>> the web.config file. The following link is a detailed explanation of
>> the "location" element. I hope this will be helpful.
>>
>> If you have any issues or concerns, please let me know. It's my
>> pleasure to be of assistance.
>>

> I appreciate your input here but it has no relevance to my question.
> I know how to control authentication and authorization from the
> web.config.
>
> Thanks,
> Tyler



 
Tyler Carver
02-22-2006
""Yuan Ren[MSFT]"" wrote:
> For the current issue, my understanding is that you want to manage the
> authentication of the site. If I have misunderstood anything, please feel
> free to let me know.


I think you misunderstood my question. I'm not asking how do I apply forms
authentication to a certain directory or file from the web.config, I'm asking
how do I apply authentication and authorization to a URL programmatically.
For instance let's say I have the following 2 URLs that I want to apply roles
to:

http://myweb.com/doc.aspx?id=1

I want the following role:
ServiceA

http://myweb.com/doc.aspx?id=2

I want the following role:
ServiceB

I want the fact that these two URLs have these roles to be managed in a
database and then when a request comes in for these URLs I want to let forms
authentication know what authorization and roles to apply to that URL.

> As far as I know, the "location" element in the web.config file can be used
> for the directory or subdirectories. I suggest you put the pages which
> allow the authorized client to access into the same directory. And then,
> you just need to mark the path of the directory in the web.config file. The
> following link is a detailed explanation of the "location" element. I hope
> this will be helpful.
>
> If you have any issues or concerns, please let me know. It's my pleasure to
> be of assistance.


I appreciate your input here but it has no relevance to my question. I know
how to control authentication and authorization from the web.config.

Thanks,
Tyler
 
Tyler Carver
02-22-2006

"Dominick Baier [DevelopMentor]" wrote:
> you can use Context.User.IsInRole() to check for the role of the user. If
> that fails you can call FormsAuthentication.RedirectToLoginPage


Ya, I've thought about writing an HTTP module that would check the URL and the
assigned roles and then do this very thing. Of course you can't control
authentication that way but I could control authorization. I just wish MS
would have added a provider for this, I don't know why it has to be hard
coded in the web.config.

I'm considering this as a workaround because the right way to do it is to
have Forms do its normal job and for me to control what authentication is
assigned to what URL. So I am still interested in a programmatic way to
control the <authorization> element of the <system.web> configuration. This
way I can correctly apply full authentication and authorization. (Also, I
don't mean to imply that I want to programmatically change the Web.Config.)
 
 
MikeS
02-23-2006
Not sure if this is what you are after but...

The location tag path can't be made unique based on the querystring but
the sitemap url can.

Sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/" title="Home" roles="*">
    <siteMapNode title="ServiceA" roles="ServiceA">
      <siteMapNode url="~/doc.aspx?id=1" title="Doc" />
    </siteMapNode>
    <siteMapNode title="ServiceB" roles="ServiceB">
      <siteMapNode url="~/doc.aspx?id=2" title="Doc" />
    </siteMapNode>
  </siteMapNode>
</siteMap>

web.config:
<siteMap defaultProvider="default">
  <providers>
    <add name="default" type="System.Web.XmlSiteMapProvider"
         siteMapFile="Web.sitemap" securityTrimmingEnabled="true"/>
  </providers>
</siteMap>

<location path="doc.aspx">
  <system.web>
    <authorization>
      <allow roles="ServiceA,ServiceB"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

Or if you want my own cheesy hack then you can spin up your own user
for the specific request...

' Requires: Imports System.Security.Principal
Protected Sub Application_PostAuthenticateRequest(ByVal sender As Object, ByVal e As System.EventArgs)
    Dim a As HttpApplication = CType(sender, HttpApplication)
    If a.Context.User IsNot Nothing _
       AndAlso a.Context.User.Identity.IsAuthenticated _
       AndAlso a.Request.AppRelativeCurrentExecutionFilePath = "~/doc.aspx" _
    Then
        ' Replace the request's principal with one whose only role is derived from the id parameter.
        Dim id As Integer = CInt(a.Request.QueryString("id"))
        Dim gi As GenericIdentity = New GenericIdentity(a.Context.User.Identity.Name)
        Dim r() As String = New String() {"Service" & Chr(64 + id)}
        ' now supporting A-Z and beyond, TODO: replace with db code.
        Dim gp As GenericPrincipal = New GenericPrincipal(gi, r)
        a.Context.User = gp
    End If
End Sub

This at least breaks the windows rolemanager (Roles.*) for this request
but User.IsInRole, location tag locks and securityTrimming still work.

 
Tyler Carver
02-23-2006
Hi Mike,

The sitemap stuff looks very interesting.

"MikeS" wrote:
> Sitemap:
> ...
>
> web.config:
> ...


So are you saying that if I add all the roles to the global location, add
only the roles I REALLY want in the site map for the specific location, and
then turn on security trimming, Windows Forms will only use what I have added
as roles in the site map to my specific URL?

If this is true then I can easily write a custom sitemap provider and take
care of all this in the db. Of course I will have to make sure that there
are no security holes in my website given the fact that I have added all
roles to the root. Also, if this is true then I may be peeing in my pants.

Time to get testing. Thanks!

Tyler
 
Yuan Ren[MSFT]
02-24-2006
Hi Tyler,

Sorry for the misunderstanding! I think the issue is related to ASP.NET v1.1.

If you want to use the SiteMap to approach your issue, as Michael
mentioned, the security is still controlled from location. So, your idea
is appropriate, you can write your own provider for the current issue. Thanks
for your understanding!

Regards,

Yuan Ren [MSFT]
Microsoft Online Support