
ASP.NET 2.0 Authorization based on Combination of Allow/Deny Users/Roles.

Hi,

The problem with Authorization is it stops at the first match and doesn't
permit Grouping.

On the Web Site, I am trying to secure Page Access and SiteNavigation by
implementing the following ASP.NET 2.0 features:

- Membership
- Site Maps
- SiteMap Security Trimming

A User has at least 2 roles, let's say:

- Customer or Vendor

and

- User and/or Manager and/or Accounting

User U1 has the roles:

- Customer
- Accounting
- User

User U2 has the roles:

- Customer
- User

How do I keep U2 out using roles?

Right now, it stops when it sees they are in the Customer Role.

I don't want to deny the User Role because U1 would be stopped.

I would like something like this

<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="Customer, Accounting" />
<allow roles="Vendor, Manager, Accounting" />
</authorization>

or possibly

<authorization>
<deny users="?" />
<deny users="U3" />
<allow roles="(Customer, Accounting), (Vendor, Manager, Accounting)" />
</authorization>

For the above:

The allow roles list would be evaluated with a boolean AND

The allow elements would be evaluated between each other with a boolean OR

The allow and deny elements would be evaluated with a boolean AND

i.e.

(
  ( users <> "?" )
  AND
  ( users <> "U3" )
  AND
  (
    ( roles = "Customer" AND roles = "Accounting" )
    OR
    ( roles = "Vendor" AND roles = "Manager" AND roles = "Accounting" )
  )
)

I am currently looking at the possibility of implementing an HttpModule for
AuthenticateRequest. I found an example that checks the
SiteMap.CurrentNode.Roles but the siteMapNode only permits allows, not
denies.

I could create my own custom nodes

<siteMapNode
url="~/Default.aspx"
title="Home"
description="Home"
AllowUsers=""
DenyUsers="?, U3"
AllowRoles="(Customer, Accounting), (Vendor, Manager, Accounting)"
DenyRoles=""
/>

I am not sure if this covers Page Access though.
Or, I can figure out how to get the prevailing web.config denies and allows.
I would check online, but the MSDN servers reply with "Server is too busy"
this morning.

Any other ideas?
Thanks,

Doug
Feb 14 '07 #1
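
The check the post asks for (AND within a role group, OR between groups, AND with the user denies), as an added example that is not the poster's code and not an ASP.NET API. `GroupedRoleRule`, `ParseGroups` and `IsAllowed` are hypothetical names, the roles given to U3 are constructed, and the method is meant to be called from something like the HttpModule the post mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper, not part of ASP.NET: evaluates the grouped rule from the post.
public static class GroupedRoleRule
{
    // "(Customer, Accounting), (Vendor, Manager, Accounting)" -> one string[] per group.
    public static List<string[]> ParseGroups(string spec)
    {
        return spec.Split(new[] { '(' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(g => g.Split(')')[0].Split(',')
                .Select(r => r.Trim()).Where(r => r.Length > 0).ToArray())
            .Where(g => g.Length > 0)
            .ToList();
    }

    // Every deny must miss; then at least one group must have ALL of its roles held.
    public static bool IsAllowed(IPrincipal user, string[] denyUsers, List<string[]> allowGroups)
    {
        bool anonymous = !user.Identity.IsAuthenticated;
        foreach (string denied in denyUsers)
        {
            if (denied == "?" && anonymous) return false;
            if (string.Equals(denied, user.Identity.Name, StringComparison.OrdinalIgnoreCase)) return false;
        }
        return allowGroups.Any(group => group.All(user.IsInRole));
    }
}

public static class Demo
{
    static IPrincipal MakeUser(string name, params string[] roles)
    {
        // An empty name gives an unauthenticated identity, i.e. the "?" user.
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        var groups = GroupedRoleRule.ParseGroups("(Customer, Accounting), (Vendor, Manager, Accounting)");
        string[] deny = { "?", "U3" };
        // U1 and U2 as described in the post; U3's roles and the anonymous user are constructed.
        var users = new[] { MakeUser("U1", "Customer", "Accounting", "User"),
            MakeUser("U2", "Customer", "User"), MakeUser("U3", "Customer", "Accounting"), MakeUser("") };
        foreach (IPrincipal u in users)
            Console.WriteLine("{0}: {1}", u.Identity.Name == "" ? "(anonymous)" : u.Identity.Name,
                GroupedRoleRule.IsAllowed(u, deny, groups) ? "allow" : "deny");
    }
}
```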