web.config, roles and multiple directories

Hi,

here is what I'm trying to do: I have a virtual directory called
"WebApp". Under this one I've got 2 physical directories called
"Customers" and "Admins".

I implemented Forms-based authentication. If the logon credentials are
ok, I transfer the user to either the "Customers" or the "Admins"
subdirectory. Those two directories should have a web.config file, which
allows the roles "Admins" and "Customers" to access the resources in the
directories.

But I can't figure out how to set the Role when I create the Ticket for
the guy logging on during authentication.

Can anybody help me out?

Thanks in advance...

Matthias
Nov 19 '05 #1
Matthias, is there a reason you are using three different web.config
files? You could do it all in one. You can deny access to each of the
Customers or Admins directories and redirect them based on their access
role.

Jason Bentley
http://geekswithblogs.net/jbentley

Nov 19 '05 #2
You don't set roles at authentication time... I know, it's a bit strange.
Instead you typically set the roles in global.asax in the Application_AuthenticateRequest
event as such:

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // Only runs once the forms cookie has been validated by the module.
    if (Request.IsAuthenticated)
    {
        if (User.Identity.Name == "brock")
        {
            string[] roles = new string[2];
            roles[0] = "Admin";
            roles[1] = "Doctor";

            // Replace the principal with one that carries the roles,
            // keeping the identity the forms module already created.
            Context.User =
                new System.Security.Principal.GenericPrincipal(User.Identity,
                                                               roles);
        }
    }
}

This is hard coded for a specific name, so you'd normally go look this up
in the DB based upon User.Identity.Name. One note: this is called for every
request into your application, so going to the DB every time is going to
be expensive. I'd suggest caching the roles (probably in the ASP.NET Cache
object).

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #3
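The cached-lookup variant Brock describes above, written out as an added example (this is not code from the thread). It assumes a Global.asax code-behind, .NET Framework 3.5 or later, and a hypothetical RoleRepository whose in-memory table stands in for the database query; the absolute cache expiration is the knob that bounds how long a revoked role stays effective.

```csharp
// Global.asax.cs (added example). RoleRepository is hypothetical; the
// in-memory table below is a constructed stand-in for a database query.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;

public class Global : HttpApplication
{
    // How long a user's role list may be served from cache. A revoked role
    // remains effective for at most this long, so keep it short.
    private static readonly TimeSpan RoleCacheTtl = TimeSpan.FromMinutes(5);

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule runs first; anonymous requests are skipped.
        if (!Request.IsAuthenticated)
            return;

        string userName = Context.User.Identity.Name;
        string[] roles = GetRolesCached(userName);

        // Replace the principal so IsInRole() and <authorization roles="..."/>
        // see the roles, while keeping the identity the module created.
        Context.User = new GenericPrincipal(Context.User.Identity, roles);
    }

    private static string[] GetRolesCached(string userName)
    {
        string cacheKey = "roles:" + userName;
        string[] roles = HttpRuntime.Cache[cacheKey] as string[];
        if (roles == null)
        {
            roles = RoleRepository.GetRolesForUser(userName);
            // Absolute (not sliding) expiration: a busy user cannot keep a
            // stale role list alive indefinitely.
            HttpRuntime.Cache.Insert(cacheKey, roles, null,
                DateTime.UtcNow.Add(RoleCacheTtl), Cache.NoSlidingExpiration);
        }
        return roles;
    }
}

// Hypothetical role store. A real one would run a parameterised query
// against the users/roles tables keyed on the user name.
internal static class RoleRepository
{
    private static readonly Dictionary<string, string[]> Table =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admins" } },      // constructed sample rows
            { "bob",   new[] { "Customers" } },
        };

    public static string[] GetRolesForUser(string userName)
    {
        string[] roles;
        return Table.TryGetValue(userName, out roles) ? roles : new string[0];
    }
}
```

The cache key includes the user name, so one user's cached roles can never be served to another; clearing the entry (Cache.Remove on "roles:" + name) when an administrator changes a user's roles makes the change take effect on the next request instead of waiting for the expiration.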
Hi Jason,

I'll go and read about it. Thanks for the hint!

Matthias

Nov 19 '05 #4
Hi Brock,

thanks for your reply. In the meantime I've been looking for a different
solution and found something, but I'm not sure whether this is secure:

I only have a couple of pages in those subdirectories. So I would go for
setting my role-identifier as the UserData in the
FormsAuthenticationTicket when I authenticate the user. Later I'd go and
check (on each and every page) whether the user belongs to the role that
can actually access the specified page.

If I encrypt the ticket, would it be safe to store the role in the UserData?

Again, thanks for your help.

Matthias

Nov 19 '05 #5
Yes of course you could take this approach too. You'd still need to handle
Application_AuthenticateRequest to read the data from the cookie and then
construct the GenericPrincipal and assign it into the HttpContext.Current.User.

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #6
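The approach Matthias asks about (roles carried in the ticket's UserData) combined with the Application_AuthenticateRequest handler Brock says is still needed, as one added example that is not code from the thread. It assumes .NET Framework 3.5 or later and a <forms> element with protection="All" (the default), which is what makes the answer to "is UserData safe to trust" yes: the cookie is encrypted and carries a MAC under the machineKey, so a ticket whose UserData was edited client-side fails validation in FormsAuthenticationModule and never arrives here as authenticated. The caveat is that the roles are frozen in the cookie until it expires, so a role removed in the database stays effective for the remaining ticket lifetime.

```csharp
// Added example, not from the thread. Login.aspx.cs calls RoleTicket.SignIn
// after validating credentials; Global.asax.cs rebuilds the principal.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class RoleTicket
{
    // Issue a forms ticket carrying the user's roles, comma-separated, in
    // UserData. Usage from a login page, after credentials are verified:
    //   RoleTicket.SignIn(Response, "alice", new[] { "Admins" }, false);
    //   Response.Redirect(FormsAuthentication.GetRedirectUrl("alice", false));
    public static void SignIn(HttpResponse response, string userName,
                              string[] roles, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                               // ticket version
            userName,
            DateTime.Now,                    // issue date
            DateTime.Now.AddMinutes(30),     // expiration; keep it short
            persistent,
            string.Join(",", roles),         // UserData = role list
            FormsAuthentication.FormsCookiePath);

        // Encrypt() applies the machineKey encryption and MAC configured by
        // <forms protection="All">; without the MAC, UserData could be forged.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;                          // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;  // honour requireSSL="true"
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;
        response.Cookies.Add(cookie);
    }

    // Turn the UserData field back into a role array; an empty field yields
    // no roles rather than an exception.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || string.IsNullOrEmpty(ticket.UserData))
            return new string[0];
        return ticket.UserData.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
    }
}

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // By now FormsAuthenticationModule has decrypted and MAC-checked the
        // cookie and set a FormsIdentity; anonymous or tampered requests have
        // no FormsIdentity and are left alone.
        FormsIdentity identity = Context.User == null
            ? null
            : Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;

        // Attach the roles so IsInRole() and declarative <authorization>
        // rules in web.config can use them.
        Context.User = new GenericPrincipal(identity,
                                            RoleTicket.RolesFromTicket(identity.Ticket));
    }
}
```

Because the role list travels in the cookie, no per-request database or cache lookup is needed; the trade-off is the revocation delay noted above, which is why the ticket timeout here is 30 minutes rather than hours.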
Hi Brock,

I don't understand why I would need to handle the
Application_AuthenticateRequest. Is it not sufficient to just have code
like this in the Page_Load event of every page in the subdirectories:

I assume the RoleID is a numeric value and has been placed in the
Ticket's UserData property.

+++
// Page.User.Identity is a FormsIdentity only once the forms cookie has been
// validated; "as" avoids an InvalidCastException on an anonymous request.
FormsIdentity identity = Page.User.Identity as FormsIdentity;

if (identity != null && identity.IsAuthenticated) {
    int nRoleID;
    if (!int.TryParse(identity.Ticket.UserData, out nRoleID)) {
        nRoleID = 0; // empty or malformed UserData: treat as no role
    }
    if (nRoleID == 1) {
        // the user is an admin
    }
    else {
        // authenticated, but not an admin
    }
}
else {
    // not authenticated...
}
+++

I've played around with it and it seems to work. Sorry for buzzering but
I'd just like to get this straight for me.

Again, thanks for your help!

Matthias

Nov 19 '05 #7
The main reason is that you're missing out on the declarative authorization
in web.config. In web.config you can put:

<authorization>
    <allow roles="Admin" />
    <deny users="*" />
</authorization>

The huge win here is that you *don't* have to check in each page. It's checked
for you based upon your declarative settings. This is what I was referring
to before when I said you don't have to do all of this work yourself. But,
to make the built-in check work for you, you need to build the role list
in a GenericPrincipal and assign it to the HttpContext.Current.User in Application_AuthenticateRequest.

-Brock
DevelopMentor
http://staff.develop.com/ballen
Nov 19 '05 #8
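A complete root web.config for the layout in the question, as an added example (not a file from the thread), combining Jason's suggestion of a single web.config with the declarative <authorization> block Brock shows: <location> elements replace the per-folder web.config files. The folder names come from the question; the cookie name, login page and timeout are assumptions. These rules are enforced by UrlAuthorizationModule through Context.User.IsInRole, which is exactly why the principal must carry the roles before authorization runs; note also that in classic IIS pipelines only requests ASP.NET handles (.aspx and the like) are checked, so static files in those folders need separate protection.

```xml
<?xml version="1.0"?>
<!-- Added example: one web.config at the root of the WebApp virtual directory. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- protection="All" encrypts and MAC-protects the ticket, so UserData
           and the user name cannot be altered client-side; requireSSL keeps
           the cookie off plaintext HTTP. -->
      <forms name=".WEBAPPAUTH" loginUrl="Login.aspx" protection="All"
             timeout="30" slidingExpiration="false" requireSSL="true" />
    </authentication>
    <!-- Application-wide default: anonymous users ("?") are denied. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Rules are evaluated top to bottom, first match wins: allow the role,
       then deny everyone else ("*"). -->
  <location path="Admins">
    <system.web>
      <authorization>
        <allow roles="Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <location path="Customers">
    <system.web>
      <authorization>
        <allow roles="Customers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place a logged-in Customer who requests Admins/Default.aspx is rejected before Page_Load ever runs, which is the "you don't have to check in each page" point above; the per-page checks become defence in depth rather than the only gate.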
