PK #1
Advice: Authentication
Hi folks,
I hope to get some of your advice on an authentication question that
came up during the planning of a web app. I'm a bit new to ASP.NET, so if
you can offer some experience, I'd greatly appreciate it!
I like form-based authentication because the usernames and passwords can
be stored in a database rather than in Windows (which, for security
reasons, can only be maintained by a specific person or two). Also, I'd
like to give my users the ability to log out, which is not something
I've seen in Windows authentication.
One of the main purposes of this app is to provide a search to find and
download (via resulting links) sensitive files. Forms/database
authentication is great for this, because the stored procedure that does
the search can be altered to make sure the logged-in username has rights
to download the results.
However, we would like to apply Windows security on the files to be
downloaded *just in case* a user navigates to the path of a file they
would otherwise not have permissions to. How can I mix the two types to
get what I want out of each -- without prompting the user to log in
twice!
Has anyone encountered a similar issue?
Thanks!
PK
PK Guest
-
Jim Cheshire [MSFT] #2
RE: Advice: Authentication
PK,
You first need to realize that you cannot set the authentication method
below the application root. If you want to control access to these files,
your best bet is to store them outside of the content area and then use
BinaryWrite to write a byte array to the HTTP stream. That way, you can
decide via code whether or not your BinaryWrite code should run and no one
will be able to browse directly to the files.
Jim Cheshire, MCSE, MCSD [MSFT]
ASP.NET
Developer Support
[email]jamesche@online.microsoft.com[/email]
This post is provided "AS-IS" with no warranties and confers no rights.
--------------------
>From: PK <philitsa.kontos@NO.na.SPAM.linedata.com>
>Subject: Advice: Authentication
>Newsgroups: microsoft.public.dotnet.framework.aspnet.security
>Date: Fri, 16 Apr 2004 10:23:47 -0700
Jim Cheshire [MSFT] Guest
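The approach in the reply above (files kept outside the content area, released only through BinaryWrite after a per-user check), sketched as an added example that is not part of the original thread. The class name, the `D:\SecureFiles\` folder, the `id` query parameter, the `Files` connection string and the `usp_GetFileForUser` stored procedure are all assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Web;

// Added example, not code from the thread. Map it to a URL such as Download.ashx.
public class SecureDownloadHandler : IHttpHandler
{
    // Assumption: a folder outside every IIS virtual directory, so no URL reaches it.
    private static readonly string StoreRoot = Path.GetFullPath(@"D:\SecureFiles\");

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Forms authentication has already populated ctx.User; a 401 sends
        // an anonymous caller to the login page.
        if (!ctx.User.Identity.IsAuthenticated) { ctx.Response.StatusCode = 401; return; }
        int fileId;
        if (!int.TryParse(ctx.Request.QueryString["id"], out fileId)) { ctx.Response.StatusCode = 400; return; }

        // The client supplies only an id; the file name comes from the database.
        string name = LookupAuthorizedFile(ctx.User.Identity.Name, fileId);
        string full = name == null ? null : Path.GetFullPath(Path.Combine(StoreRoot, name));

        // Same 404 for "no such file", "no rights" and names resolving outside the store.
        if (full == null || !full.StartsWith(StoreRoot, StringComparison.OrdinalIgnoreCase)
            || !File.Exists(full)) { ctx.Response.StatusCode = 404; return; }

        ctx.Response.ContentType = "application/octet-stream";
        ctx.Response.AddHeader("Content-Disposition", "attachment");
        ctx.Response.BinaryWrite(File.ReadAllBytes(full));
    }

    // Hypothetical stored procedure: returns the stored file name only when
    // @UserName holds download rights on @FileId, otherwise no row.
    private static string LookupAuthorizedFile(string user, int fileId)
    {
        string cs = ConfigurationManager.ConnectionStrings["Files"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("usp_GetFileForUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@UserName", user);
            cmd.Parameters.AddWithValue("@FileId", fileId);
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

Because the search results link to the handler with an id rather than to a file path, the rights check that filters the search also gates every download, and there is no direct path for a user to navigate to.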
-
PK #3
RE: Advice: Authentication
Actually, I found two great articles on this subject. The one I found
most useful was:
[url]http://www.dotnetbips.com/displayarticle.aspx?id=201[/url]
It's a great article about how you have the functionality of Windows
authentication with the behavior of Forms authentication using the Win32
API LogonUser().
Another, which is pretty good as well but didn't cover exactly what I was
looking for, is:
[url]http://msdn.microsoft.com/asp.net/using/understanding/security/default.aspx?pull=/library/en-us/dnaspp/html/MixedSecurity.asp[/url]
PK Guest




