Hi,
The problem with Authorization is it stops at the first match and doesn't
permit Grouping.
On the Web Site, I am trying to Secure Page Access and Site Navigation by
implementing the following ASP.NET 2.0 features:
- Membership
- Site Maps
- SiteMap Security Trimming
A User has at least 2 roles, let's say:
- Customer or Vendor
and
- User and/or Manager and/or Accounting
User U1 has the roles:
- Customer
- Accounting
- User
User U2 has the roles:
- Customer
- User
How do I keep U2 out using roles?
Right now, it stops when it sees they are in the Customer Role.
I don't want to deny the User Role because U1 would be stopped.
I would like something like this:
<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="Customer, Accounting" />
<allow roles="Vendor, Manager, Accounting" />
</authorization>
or possibly
<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="(Customer, Accounting), (Vendor, Manager, Accounting)" />
</authorization>
For Above:
The allow roles list would be evaluated with a boolean AND
The allow elements would be evaluated between each other with a boolean OR
The allow and deny elements would be evaluated with a boolean AND
i.e.:
(
  (users <> "?")
  AND
  (users <> "U3")
  AND
  (
    (roles = "Customer" AND roles = "Accounting")
    OR
    (roles = "Vendor" AND roles = "Manager" AND roles = "Accounting")
  )
)
I am currently looking at the possibility of implementing an HttpModule for
AuthenticateRequest. I found an example that checks the
SiteMap.CurrentNode.Roles, but the siteMapNode only permits allows, not
denies.
I could create my own custom nodes
<siteMapNode
url="~/Default.aspx"
title="Home"
description="Home"
AllowUsers=""
DenyUsers="?, U3"
AllowRoles="(Customer, Accounting), (Vendor, Manager, Accounting)"
DenyRoles=""
/>
I am not sure if this covers Page Access though.
Or, I can figure out how to get the prevailing web.config denies and allows.
I would check online, but the MSDN servers reply with "Server is too busy"
this morning.
Any other ideas?
Thanks,
Doug
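Added example, not code from Doug's post: an IHttpModule that evaluates the grouped rule sketched above (deny list checked first, then each parenthesised group ANDed and the groups ORed). It hooks AuthorizeRequest rather than AuthenticateRequest so that Context.User is already populated; the appSettings keys "DenyUsers" and "AllowRoleGroups" and the "(A, B), (C, D)" rule syntax are assumptions of this example.

```csharp
// Added example, not from the original post; the appSettings keys and the rule
// string syntax "(A, B), (C, D)" are assumptions of this example.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
public class GroupedRoleAuthorizationModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // AuthorizeRequest fires after authentication, so context.User is populated.
        app.AuthorizeRequest += new EventHandler(OnAuthorizeRequest);
    }
    public void Dispose() { }
    private void OnAuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        string denyUsers = ConfigurationManager.AppSettings["DenyUsers"] ?? "";
        string allowGroups = ConfigurationManager.AppSettings["AllowRoleGroups"] ?? "";
        if (!IsAllowed(app.Context.User, denyUsers, allowGroups))
        {
            // Same outcome as UrlAuthorizationModule: 401, which Forms auth redirects to login.
            app.Context.Response.StatusCode = 401;
            app.CompleteRequest();
        }
    }
    // NOT denied AND (group OR group ...); each "(A, B)" group is an AND of roles.
    public static bool IsAllowed(IPrincipal user, string denyUsers, string allowGroups)
    {
        bool authenticated = user != null && user.Identity.IsAuthenticated;
        foreach (string entry in denyUsers.Split(','))
        {
            string name = entry.Trim();
            if (name == "?" && !authenticated) return false;
            if (authenticated && name.Length > 0 &&
                string.Equals(name, user.Identity.Name, StringComparison.OrdinalIgnoreCase)) return false;
        }
        if (!authenticated) return false;   // anonymous users never satisfy a role group
        foreach (string group in allowGroups.Split(')'))
        {
            string body = group.Trim(' ', ',', '(');
            if (body.Length == 0) continue;
            bool all = true;
            foreach (string role in body.Split(','))
                if (!user.IsInRole(role.Trim())) { all = false; break; }
            if (all) return true;
        }
        return false;   // no group satisfied: deny by default
    }
}
```

Register it under <httpModules> in web.config; with DenyUsers="?, U3" and AllowRoleGroups="(Customer, Accounting), (Vendor, Manager, Accounting)", U1 (Customer, Accounting, User) satisfies the first group and U2 (Customer, User) satisfies neither and gets a 401.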