Permission check for secured subfolders?

 
 
TK
      07-13-2004
Excuse me for multiple posting because I've posted this message to
aspnet.security NG but have not got any response yet.

I'm building an ASP.NET application that works in Forms Authentication mode
with a custom user account database. It shows clients a list of hyperlinks to
content pages located in some separate subfolders. This application and the
content pages are entirely secured, so everyone must log on to the
application. The application pages and most of the content pages are accessible
to every authenticated client, but some of the content pages in some specific
subfolders are served to specific users and groups only. I'm using URL
authorization to achieve this. Everything works fine now.

Now what I'm attempting to do is hide/remove hyperlinks to unacceptable
content from the contents list page. To do this, I want to test the client's
access rights for every subfolder in the server-side Page_Load() function, so
as to avoid useless operations by the client user. I don't want to show clients
the access forbidden message any more.

How can I do it?
Help me please.

best regards,
TK

 
Jim Cheshire [MSFT]
      07-13-2004
Hi TK,

I think you may be going about this the wrong way. What you really want to
do is design your application so that people have access to certain areas
based upon their role. You can then use User.IsInRole(<role>) to determine
if a user should see a particular page element. You can also use
<location> elements within your web.config to limit a user's access to
certain parts of the application.

Here's a URL you may find helpful:

http://msdn.microsoft.com/library/de...us/secmod/html/secmod18.asp

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.

TK
      07-14-2004
Thank you for your help Jim!

You made my problem clear. Yes, I agree with you that I should use the
User.IsInRole(<role>) method to check the user's access permission. But where
can I get the <role> definitions? Do I have to manipulate the Web.config by
myself to get the <allow><deny> configurations for every subfolder?

In my application, these secured subfolders are not only located at a flat
level but are also configured as a nested tree. And the contents manager
should be able to configure the necessary security settings for every
subfolder everywhere.

So, if a content page is located at a URL such as
http://myserver/myapp/folder1/folder...3/content.aspx, then I think I
have to manipulate the Web.config files located in folder3, folder2, folder1,
myapp and machine.config all by myself.

Is something like the above the only way for me?
Are there any classes/methods for me to make things easier?

best regards,
TK



Jim Cheshire [MSFT]
      07-14-2004
TK,

You assign the roles in the user's database record or simply use the AD
roles. Doesn't matter.

As far as assigning which role has access to which resources, <location>
tags are going to be the best method.

Jim Cheshire [MSFT]
MCP+I, MCSE, MCSD, MCDBA
Microsoft Developer Support
(E-Mail Removed)

This post is provided "AS-IS" with no warranties and confers no rights.
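
Added example, not part of the thread and not code from either poster: on ASP.NET 2.0 and later (released after this thread), `UrlAuthorizationModule.CheckUrlAccessForPrincipal` evaluates the merged `<authorization>` rules for a path, so the list page can filter its links in Page_Load() without reading the nested Web.config files itself. The `ContentList` class, the `LinkRepeater` control and the sample paths are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for the contents list page.
public partial class ContentList : Page
{
    // Constructed sample links; a real page would load these from its content store.
    private static readonly string[] CandidateLinks =
    {
        "~/public/intro.aspx",
        "~/reports/summary.aspx",
        "~/reports/finance/q2.aspx"
    };

    // True when URL authorization would let 'user' GET the page.
    // The call applies the <authorization> rules merged from every Web.config
    // level above the path, so nested folders need no special handling here.
    private static bool CanView(string appRelativePath, IPrincipal user)
    {
        string virtualPath = VirtualPathUtility.ToAbsolute(appRelativePath);
        return UrlAuthorizationModule.CheckUrlAccessForPrincipal(virtualPath, user, "GET");
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        List<string> visible = new List<string>();
        foreach (string link in CandidateLinks)
        {
            if (CanView(link, User))
                visible.Add(ResolveUrl(link));
        }

        // LinkRepeater is an assumed <asp:Repeater> declared in the .aspx markup.
        // Filtering only tidies the list; UrlAuthorizationModule still rejects a
        // direct request for a hidden URL, so the Web.config rules stay in place.
        LinkRepeater.DataSource = visible;
        LinkRepeater.DataBind();
    }
}
```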
