Steve #1
Best approach for database/windows authentication integration?
We have an ASP.NET application that consists of about 10 forms and we
want to be able to control which user has access to which pages. So
User A should be able to access pages 3, 4 and 10, and User B should
be able to access pages 1, 2 and 9 etc. We also want to be able to
maintain these rules using a set of maintenance tables e.g. add pages,
groups, users and set up which groups have access to which pages.
At the moment we are going down the path of creating a set of classes
to integrate the security in to the front-end, with each page having a
call at the top of the page that passes in the page name and the
user's login name and the object will return either True or False as
to whether they can access the page or not.
The application is currently set up with Anonymous Access off and Basic
Authentication & Integrated Windows Authentication turned on, so that
we can get the user's login name for database auditing purposes.
However, I've read bits and pieces on the built-in form authentication
in ASP.NET and I would like to take advantage of it if it will handle
the scenario I have described.
We don't require a user to log in, aside from the standard IE
authentication login, and we want to display a custom message if they
don't have access to the particular page they are trying to access.
The most important thing is that the security must be driven by our
maintainable database tables.
Is there a feature of ASP.NET that allows us to handle this with
minimal custom code? Or maybe there's a better ASP.NET way of handling
this?
Thanks for any assistance you can give me.
Steve
Steve Guest
Joe Kaplan (MVP - ADSI) #2
Re: Best approach for database/windows authentication integration?
Since you are currently using Windows authentication, you might consider
putting your users into different domain groups and using
Context.User.IsInRole to determine whether a user is in a certain group or
not.
From there, you can decide whether to render the page or show an error. You
can also use the allow and deny tags in the authorization section of your
web.config to restrict access to specific pages.
If you want to switch to Forms authentication, you can do this and still
take advantage of the same mechanism. The disadvantage is that your code is
then responsible for building the IPrincipal object that goes in the
Context.User property and populating the user's role information. With
Windows authentication, this is all done for you.
However, you may have a compelling reason to switch to Forms auth (like if
you can't create the domain groups you need or cannot maintain them the way
you would like to).
There are lots of good sample documents on this topic in MSDN.
Joe K.
"Steve" <stephenmcnabb@yahoo.co.uk> wrote in message
news:9b1a4bb8.0401150407.43bd75b5@posting.google.com...
> We have an ASP.NET application that consists of about 10 forms and we
> want to be able to control which user has access to which pages. So
> User A should be able to access pages 3, 4 and 10, and User B should
> be able to access pages 1, 2 and 9 etc. We also want to be able to
> maintain these rules using a set of maintenance tables e.g. add pages,
> groups, users and set up which groups have access to which pages.
>
> At the moment we are going down the path of creating a set of classes
> to integrate the security in to the front-end, with each page having a
> call at the top of the page that passes in the page name and the
> user's login name and the object will return either True or False as
> to whether they can access the page or not.
>
> The application is currently set up with Anonymous Access off and Basic
> Authentication & Integrated Windows Authentication turned on, so that
> we can get the user's login name for database auditing purposes.
>
> However, I've read bits and pieces on the built-in form authentication
> in ASP.NET and I would like to take advantage of it if it will handle
> the scenario I have described.
>
> We don't require a user to log in, aside from the standard IE
> authentication login, and we want to display a custom message if they
> don't have access to the particular page they are trying to access.
> The most important thing is that the security must be driven by our
> maintainable database tables.
>
> Is there a feature of ASP.NET that allows us to handle this with
> minimal custom code? Or maybe there's a better ASP.NET way of handling
> this?
>
> Thanks for any assistance you can give me.
>
> Steve
Joe Kaplan (MVP - ADSI) Guest
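
An added example, not part of the original posts: one way to combine the reply's `Context.User.IsInRole` and web.config `allow`/`deny` suggestions with database-maintained groups is to keep Windows authentication and swap only the role source, which goes a step beyond what the reply describes. The table names, the `AppSecurity` connection string name, and the page and group names in the comments are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Global.asax.cs: keep the Windows-authenticated identity, but take roles from
// the application's own tables so that Context.User.IsInRole("Finance") and a
// web.config rule such as <location path="Page3.aspx"> with
// <allow roles="Finance"/><deny users="*"/> follow the database.
public class Global : HttpApplication
{
    // Hypothetical schema: AppGroups(GroupId, GroupName), AppUserGroups(LoginName, GroupId).
    private const string RoleQuery =
        "SELECT g.GroupName FROM AppGroups g " +
        "JOIN AppUserGroups ug ON ug.GroupId = g.GroupId " +
        "WHERE ug.LoginName = @login";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = Context.User;
        // Leave unauthenticated requests untouched: with no roles attached,
        // the deny rule rejects them.
        if (current == null || !current.Identity.IsAuthenticated)
            return;

        string[] roles = LoadRoles(current.Identity.Name); // DOMAIN\user
        // Same identity (auditing still sees the login name), database roles.
        Context.User = new GenericPrincipal(current.Identity, roles);
    }

    private static string[] LoadRoles(string loginName)
    {
        List<string> roles = new List<string>();
        string cs = ConfigurationManager.ConnectionStrings["AppSecurity"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(RoleQuery, conn))
        {
            // Parameterized: the login name is never concatenated into SQL.
            cmd.Parameters.AddWithValue("@login", loginName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read())
                    roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }
}
```

This queries the database on every request; caching the role list per user for a short interval reduces load at the cost of delaying revocation by that interval.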