
I have an ASP.NET 4.0 web application that uses Windows Authentication against AD and a SQL Server for Role management.

Basically, I want all users who have an AD account to be able to access the application, but I want to further secure the app using roles in SQL Server. I do not want users to have to enter in their passwords for authentication.

Is it viable for me to check authentication in the Global Application_Start method, or should I be executing this code elsewhere?

  • This is too broad. There are too many possible answers, based on information you have not given us. Commented Jun 18, 2015 at 21:52

2 Answers

Application_Start is only fired once when the Application itself is initialized. HttpContext.Current.User will contain details of the user making the HTTP request that caused IIS to initialize the application.

Instead, use Application_BeginRequest, which is raised for every incoming request. However, ideally you should check authorization (not authentication) when the web application intends to perform an action, not preemptively on every request.


After further research I found "Application_AuthenticateRequest", which I think will serve my purposes of using Windows Authentication and SQL Server role configuration.

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        if (Request.IsAuthenticated)
        {
            // just grab the username without domain info
            string[] arrTmp = HttpContext.Current.User.Identity.Name.Split('\\');
            string username = arrTmp[arrTmp.Length - 1];

            // Create an array of role names
            List<String> arrlstRoles = new List<String>();

            // work-around
            if (username == "fakename")
                arrlstRoles.Add("Admin");

            // Add the roles to the User Principal
            // (List<T>.ToArray() needs only System.Collections.Generic, not System.Linq)
            HttpContext.Current.User = new System.Security.Principal.GenericPrincipal(User.Identity, arrlstRoles.ToArray());
        }
    }

3 Comments

Don't use ArrayList. Use List<string>. ArrayList is obsolete.
Thanks John, I switched that out.
You might also consider keeping the roles in AD as well.
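
The role lookup that the answer above leaves as a hard-coded work-around, written out as an added example that is not part of the original post: roles are read from SQL Server with a parameterized query and attached to the Windows identity in Application_AuthenticateRequest. The `UserRoles` table, its columns and the `AppRoles` connection string name are assumptions; the lookup is keyed on the full `DOMAIN\user` name rather than the short name, since the same short name can exist in more than one domain.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Windows Authentication has already run; anonymous requests get no roles.
        if (!Request.IsAuthenticated)
            return;

        IIdentity identity = HttpContext.Current.User.Identity;
        string[] roles = LoadRoles(identity.Name); // e.g. "CORP\jsmith" (constructed sample)

        // Replace the principal so later User.IsInRole() checks see the SQL roles.
        HttpContext.Current.User = new GenericPrincipal(identity, roles);
    }

    // Assumed schema: UserRoles(AccountName nvarchar(256), RoleName nvarchar(64)).
    private static string[] LoadRoles(string accountName)
    {
        var roles = new List<string>();
        // "AppRoles" is an assumed connection string name in web.config.
        string cs = ConfigurationManager.ConnectionStrings["AppRoles"].ConnectionString;

        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT RoleName FROM UserRoles WHERE AccountName = @account", conn))
        {
            // Parameterized: the account name is never concatenated into the SQL text.
            cmd.Parameters.Add("@account", SqlDbType.NVarChar, 256).Value = accountName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        // No rows means an empty role set: authenticated, but in no application role.
        return roles.ToArray();
    }
}
```

This runs one query per request; caching the role array per account name for a short interval reduces load at the cost of delayed role revocation.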
