
I have an application that uses Active Directory to authenticate users to login to my website.

I also have a table in my database with user Types.

Based on the User Type, my users can see different VIEWS.

Ex: NormalUser can see 3 views (About - Contact - View Data); ManagerUser can see 5 views (About - Contact - View Data - Delete Data - Update Data).

However, the views work fine, but I have a problem when, for example, NormalUser changes the URL manually to UpdateData.aspx: then he will see the page of a ManagerUser. How can I prevent users from accessing other pages?

Please note that I have my StateView code in Site.Master

2 Answers


We use this same authentication/authorization setup in several of our web apps, using Windows Authentication, and a custom SQL table for authorization.

You have a few options; I would recommend option 1 or 2.

  1. Since you have a custom table that stores your user roles/types, you could write a custom RoleProvider (http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx), and add web.config authorization rules to restrict access to pages based on the user roles. This is what we have done in our application.

  2. Use Windows Active Directory groups in place of your userType table, and then you can add web.config authorization rules to allow the AD groups you want. You will need to use the Windows Role Provider (which I believe is the default for Windows authentication, so you may not have to change anything there).

  3. Add code in the Page_Load method of your pages to check that the user has access based on your UserType table, and throw an UnauthorizedAccessException if the user does not have access. If you only have a few pages in your app and don't have a lot of concurrent users, then this is the "quick" solution, but it isn't the cleanest option.

To add the web.config authorization rules, use this syntax, and add <location> sections under the root of the <configuration> element, where path can be a folder name or page name. ASP.NET will auto-magically enforce these rules for you.

<location path="AdminFolder">
  <system.web>
    <authorization>
      <allow roles="Admin"/>   <!-- allows users in the Admin role -->
      <deny users="*,?"/>      <!-- denies everyone else, including anonymous users -->
    </authorization>
  </system.web>
</location>

Using a given RoleProvider, you can also use User.IsInRole("YourRoleName") from anywhere in code if you need to check whether a user belongs to a given role.

Here is the shell for the class layout, including the methods that need to be implemented for the custom RoleProvider in option 1. NOTE: if you have your own UI for managing role memberships, then you don't have to fully implement the CreateRole and DeleteRole methods. I just have Throw New NotImplementedException() for both as the implementation and it works fine. You do need to implement the other methods.

' Shell of a custom RoleProvider: fill in the bodies against your UserType table.
Imports System.Web.Security

Public Class MyCustomRoleProvider
    Inherits RoleProvider

    Public Overrides Sub AddUsersToRoles(usernames() As String, roleNames() As String)

    End Sub

    Public Overrides Property ApplicationName As String
        Get

        End Get
        Set(value As String)

        End Set
    End Property

    ' Role memberships are managed outside the app, so these two only throw.
    Public Overrides Sub CreateRole(roleName As String)
        Throw New NotImplementedException()
    End Sub

    Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean
        Throw New NotImplementedException()
    End Function

    Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()

    End Function

    Public Overrides Function GetAllRoles() As String()

    End Function

    ' Called by ASP.NET for every authorization check and by User.IsInRole.
    Public Overrides Function GetRolesForUser(username As String) As String()

    End Function

    Public Overrides Function GetUsersInRole(roleName As String) As String()

    End Function

    Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean

    End Function

    Public Overrides Sub RemoveUsersFromRoles(usernames() As String, roleNames() As String)

    End Sub

    Public Overrides Function RoleExists(roleName As String) As Boolean

    End Function
End Class

10 Comments

Option 2 is not available for me. Our AD roles are not up to date.

Option 3 seems to be the best solution for me as this is an intranet web app. But I would love to work on Option 1. I still don't understand how to create a custom provider. Is this only done in web.config?

For option 1, you would create a new class, called something like MyCompanyRoleProvider, that inherits the .NET RoleProvider base class. Then there are several methods that you would need to implement in that class (FindUsersInRole, IsUserInRole, GetRolesForUser, etc.) that would return role information. Then you update the web.config RoleManager section to add your custom RoleProvider, and add any web.config authorization rules. I was a little intimidated when first looking into it, but it is not as tough as it sounds once you understand how the RoleProviders work and are set up in .NET.

I will work on that this afternoon and get back to you :). btw, do you have a layout of that class? I will implement the methods myself. That should be easy.

I updated the answer to include a shell of a custom RoleProvider class.

You have done authentication, but what you are asking for requires implementing authorization.

http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization

In the case of Windows Authentication: http://www.codeproject.com/Articles/175028/ASP-NET-Windows-Authentication-Authorization-by-Gr

1 Comment

I have read that, but in my case I don't get the role from AD; I get it from a database table :(
