I recently started trying to use the ASP.NET 4 Membership and Role providers in my web applications. But I'm having problems implementing a good security methodology.
I understand that using web.config files we can grant or deny access to certain aspx files, but is there any good built-in way to deny access to a specified Role under certain circumstances?
For example;
We have a page called "EditUser.aspx".
We have two user types: administrators and standard users. This page is used to edit both types. However, only administrators should be able to edit other administrators.
What is the best approach to stop an authenticated user without the 'admin' role from being able to edit an administrator via EditUser.aspx?
I'm hoping for something a bit more elegant than the below:
if (editUser.IsInRole("admin") && !User.IsInRole("admin"))
{
    Response.Redirect("SomeAccessDeniedPage.aspx");
}
Thanks,
Phil
One thing to consider is to use the LoginView server control with the RoleGroups element. Maybe bind the admin users in a separate gridview and wrap that in a LoginView set to only display to users in the admin role.
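The rule in the question depends on the role of the user being edited, which web.config authorization cannot express, so it has to live in code. The following is an added example (not from the question or the answer above) of keeping that check in one policy class and enforcing it on every request to EditUser.aspx; it assumes the target user is passed as `?user=<name>` and that the "admin" role is managed by the configured role provider.

```csharp
using System;
using System.Security.Principal;
using System.Web.Security;
using System.Web.UI;

// Resource-based rule that web.config cannot express (it depends on the *target*
// user's role). Kept in one class so every page that edits users calls the same check.
public static class UserEditPolicy
{
    public static bool CanEdit(IPrincipal actor, string targetUserName)
    {
        // Fail closed: no actor, anonymous actor or no target means no edit.
        if (actor == null || !actor.Identity.IsAuthenticated) return false;
        if (string.IsNullOrEmpty(targetUserName)) return false;
        // Role provider lookup for the *target*; "admin" is the role name from the question.
        bool targetIsAdmin = Roles.IsUserInRole(targetUserName, "admin");
        return !targetIsAdmin || actor.IsInRole("admin");
    }
}

public partial class EditUser : Page
{
    // Assumption: the user being edited is identified by ?user=<name>.
    private string TargetUserName { get { return Request.QueryString["user"]; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs on every request, postbacks included, so the save handler below is
        // covered as well. Do not wrap this in !IsPostBack: hiding controls on the
        // first GET does nothing against a hand-crafted POST.
        if (!UserEditPolicy.CanEdit(User, TargetUserName))
        {
            Response.Redirect("SomeAccessDeniedPage.aspx", true); // ends the response
        }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Reached only when Page_Load let the request through.
        // ... persist the edit to TargetUserName ...
    }
}
```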
My ASP.NET application allows users to log in and access certain information from the website. These users basically belong to multiple roles, e.g. I have roles like "Administrators", "Power Users" and "Guests". The users are allowed to modify or view data on the .aspx page as per their roles. I read through about Role Management in ASP.NET on MSN. What I could figure out is that the pages related to each role are sorted into a separate folder, i.e. I need to have sub folders like "Administrators", "Power Users" and "Guests". So when a user logs in he is redirected to the pages in the role he belongs to. Am I right?
Here the drawback is that if I need to make some changes to the Administrator folder, I will as well need to make the same changes to other folders.
This would make it very cumbersome and difficult to track sometimes. Is there some other way we can do this?
Thanks & Regards,
Sarin Gopalan
Well, you can manage it by separating user-specific functionality into specific controllers, i.e. AdminController, UserController.
You can extract functions that are not user-specific into a common controller and access them directly from there.
Additionally, the Authorize attribute can be applied on a controller or even on a method. It will allow you to have fine-grained control over who can access a method in a controller.
[Authorize(Roles = "ADMIN, Sales Admin")]
I have an ASP.NET application where most of the pages are accessible to all authenticated users via a single sign on module that sets the username into the Session array variable. Now I have one folder A containing one page B.aspx and a list of usernames who are allowed to access this page B.aspx.
My question: how do I elegantly authorize only these users for this one page, or better, for this one folder? Can it be done with the location tag in a Web.config file inside folder A? If so, how do I connect that config with custom code to check whether the username stored in the session variable is one of those authorized for that folder or page? Can I use a custom membership provider?
Thanks in advance !
First, you scrap the kludged security methodology, as user name in a session cookie is not a good way to handle this. Okay, maybe a bit too overboard, as low security may be fine for you. If so, you can write a custom handler for the page that examines user name and compares to an updateable list.
NEW: With the Session object, you are a bit more secure, as the session token is sent over and the name is kept in session, but the Membership bits (below) handle translation of a particular session to a user without rewriting with your custom "this user is using this session" methodology. Yeah, ultimately you can argue Microsoft does something very similar to your software, but you leave the maintenance to them.
Going back to my original direction, there is the concept of roles and membership built into ASP.NET. If you use these bits, you can security trim the page (or even better the folder, so you can add additional pages) to certain users (not as good) or roles (better) by setting up a new web.config with the security constraints.
The cool thing about the built in stuff is you can declaratively set up security and have the pipeline determine whether a user is valid or not without any heavy lifting on your part.
There is plenty of information on Membership and Roles on the various ASP.NET oriented sites.
That can be achieved by specifying the names of the users who can access the directory, separated by commas.
As your username is not defined in web.config but rather in some session variable, you have to create a Forms Authentication ticket for this, e.g.
FormsAuthenticationSupport formsAuthenticationSupport = new FormsAuthenticationSupport();
formsAuthenticationSupport.SignIn(UsernameInSession, RoleName, true);
Now you can set authentication rules and location tag in web.config for UsernameInSession.
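The `FormsAuthenticationSupport` class above is the poster's own helper, not part of ASP.NET. As an added example (not from any post on this page), the following does the same two things with the framework's own types: it issues the forms cookie once the SSO module has verified the user, and it attaches a role on each request so the folder's web.config can use `<allow roles="..."/>` against an updatable allow-list instead of hard-coded user names. The role name, user names and `Session["UserName"]` convention are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Two pieces that make the authorization rules in folder A's web.config apply to a
// user whose name the SSO module currently keeps only in Session. Assumes:
//   * the SSO module calls AuthTicketIssuer.SignIn(...) once it has verified the user;
//   * A/web.config contains (role name is a placeholder):
//       <configuration><system.web><authorization>
//         <allow roles="FolderAReaders" /> <deny users="*" />
//       </authorization></system.web></configuration>
public static class AuthTicketIssuer
{
    // The forms cookie, not the Session entry, is what populates User.Identity.Name,
    // which UrlAuthorizationModule compares against the <allow>/<deny> rules.
    public static void SignIn(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("user name required", "userName");
        FormsAuthentication.SetAuthCookie(userName, false); // session cookie, not persistent
    }
}

public class Global : HttpApplication
{
    // Stand-in for the "list of usernames allowed on B.aspx" from the question; a real
    // app would load this from a table so it can be updated without redeploying.
    private static readonly HashSet<string> FolderAReaders =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "alice", "bob" }; // constructed

    // Runs after FormsAuthenticationModule has validated the cookie and before
    // UrlAuthorizationModule evaluates web.config, so roles set here are honoured.
    // Only use this when roleManager is disabled; otherwise implement a RoleProvider.
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IIdentity id = Context.User == null ? null : Context.User.Identity;
        if (id == null || !id.IsAuthenticated) return;      // anonymous: leave as-is
        string[] roles = FolderAReaders.Contains(id.Name)
            ? new[] { "FolderAReaders" } : new string[0];
        Context.User = new GenericPrincipal(id, roles);
    }
}
```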
This is a weird way to state the question, but this is what I'm trying to achieve.
This is what I'm doing
Connect to a MySQL Db(complete)
authenticate(complete)
select all the roles that I have specified in mySQL (complete)
store those roles somehow so I can display controls and links based on their role membership.
I just got this figured out to handle the mySQL part in web.config
<system.web>
  <membership defaultProvider="MySQLMembershipProvider" />
  <roleManager enabled="true" defaultProvider="MySQLRoleProvider" />
</system.web>
I'm using this as code
MySqlDataReader dr2 = cmd2.ExecuteReader();
while (dr2.Read())
{
    string roleName = dr2["role"].ToString();
    //error here -> Roles.AddUserToRole(userID, roleName);
}
Access denied for user ''#'localhost' (using password: NO)
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I?
Is Roles.AddUserToRole really what I'm looking for to satisfy my needs? I think I need to store the user roles in the session, don't I?
NO! Adding user to roles means the provider will link the user to the role. As you already have the user linked, this is a worthless direction.
store those roles somehow so I can display controls and links based on their role membership
Why do you need to do this? At the page level, you can set up ASP.NET security with trimmings so you can automagically exclude pages from the user's view if they are not in the correct role(s). As far as sections/controls/etc, you can check to see if a user IS in a role and then determine whether or not to display it. If you use sections, a lot of this can be done declaratively rather than programmatically.
The one caveat is what your membership provider supports. The "out of the box" providers (Access and SQL Server) support security trimmings and declarative syntax for exclusions of sections of a page, etc. If the MySQL provider fully implements all of the methods, you should be fine using it, as well. If you create a custom provider, there are certain parts YOU have to implement to get things to work.
The short story is once you grab a membershipUser (authenticate the person), you will have access to whether the person is in role or not. This is all part of the standard implementation of a membership provider in .NET. As long as the provider you are using for MySQL covers all of the same methods, you can do a quick google search and find tons of sites showing how to show/hide bits based on roles.
I have a set of unauthorized pages that anyone can access (mainly the register page). Once a user is registered with personal info and group info, I want them to be an admin; they can then access the authorized pages. On the authorized pages, I have an add member page, which creates a new user, and that user inherits the admin's group info. These people will be regular users and I don't want them to access the add member page and other select pages.
So what's the best way to set this up? I have an extra table that saves some extra user info for everyone; would I include some type of true/false admin column? ASP.NET configuration? What else?
I have my auth and un-auth pages set up with asp.net config with each set of pages in a different directory.
I'm using membership services, MS SQL, ASP.NET, etc
Sounds like Role Management should be a good solution for this.
The best way to implement this would be to create a role via Membership Services for site Administrators.
You could then easily decorate your Admin only Controller Actions with:
[Authorize(Roles = "Admin")]
Assign the users a role (user) while creating the account...
Use this code to restrict non-administrative users:
If User.IsInRole("Administrator") Then
    ' administrator-only controls and actions go here
Else
    ' non-administrative users: hide or disable the restricted controls here
End If
I'm building an web application that I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET.
I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so on).
I have a couple of questions regarding this. Would it be best to have a boolean property for each Permission on the role or some sort of bitfield? I like the idea of having methods for this but probably need to map these to the permissions stored for the role in the database.
Also, how would I implement this for each action/request? I'm thinking something along the lines of what was posted here but I'm not really sure.
Thanks!
Make your own role provider and register it in the web.config. Look at the MSDN for a sample. Once it is registered it will associate the roles you provide with the principal.
I've just done that for one of my projects and it works fine.
To check whether the user has permission to execute a task you'll have to see whether the user is in the required role. In "normal" ASP.NET you will have to do this in code. In MVC you can do that with attributes on each class/method in the controller.
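As an added example (not the answerer's code), here is the bitfield variant the question asks about, wired to the MVC attribute approach the answer describes: a `[Flags]` enum for the permissions named in the question, a role-to-mask lookup standing in for the roles table, and an `AuthorizeAttribute` subclass so an action can demand a permission rather than a role. The role names and masks are constructed sample data; roles themselves still come from whatever role provider is registered, via `User.IsInRole`.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Permissions as bit flags: the role table stores one integer mask per role instead
// of a boolean column per permission, and a new permission is just a new enum member.
[Flags]
public enum Permission { None = 0, CreatePost = 1, ReadPost = 2, UpdatePost = 4, DeletePost = 8 }

public static class PermissionStore
{
    // Role name -> mask. Constructed in-memory data standing in for the roles table;
    // the role names are matched against User.IsInRole, i.e. the registered role provider.
    private static readonly Dictionary<string, Permission> RoleMasks =
        new Dictionary<string, Permission>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reader", Permission.ReadPost },
            { "Author", Permission.ReadPost | Permission.CreatePost | Permission.UpdatePost },
            { "Moderator", Permission.ReadPost | Permission.DeletePost }
        };

    // Effective permissions are the union over all of the user's roles; the request is
    // allowed only if every bit in 'required' is present. Fails closed for anonymous users.
    public static bool HasPermission(IPrincipal user, Permission required)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        Permission granted = Permission.None;
        foreach (KeyValuePair<string, Permission> entry in RoleMasks)
            if (user.IsInRole(entry.Key)) granted |= entry.Value;
        return (granted & required) == required;
    }
}

// MVC filter: [RequirePermission(Permission.DeletePost)] on an action or controller.
// Overriding AuthorizeCore keeps AuthorizeAttribute's 401 handling for failed checks.
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly Permission required;
    public RequirePermissionAttribute(Permission required) { this.required = required; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return PermissionStore.HasPermission(httpContext.User, required);
    }
}
```

A user in both "Reader" and "Moderator" passes `RequirePermission(Permission.ReadPost | Permission.DeletePost)` because the masks are combined before the check, while an "Author" fails it despite holding three of the four permissions.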