Leonard Rutkowski #1
URL Authorization
Hi All,

I am trying to write several applications for external users. They will use forms authentication to log in. My question concerns URL authorization.

Each user will have access to various URLs within the applications, depending on the user's group/role, which is stored in a SQL Server database. The database also contains the URL. I will build the user's menu based on the URLs that the user has access to. According to the various articles and books that I have read, URL authorization is in the web.config file: allow user="some user" roles="some roles". This won't work for me, because I need the roles/groups to be dynamic, as well as the URLs that the user can access. In the database, there is a table for users, groups, and roles. The user does not have to belong to a group or a role (but they may). There is a table for URLs, and a cross-reference table between users and URLs. If the user has access, then I will put it on the menu. I will also check in the application to see if the user is authorized. If so, then the user can access the web page. The same applies to groups and roles.

So what is the best way to implement something like this?

Thanks, Leonard
-
MattC #2
Re: URL Authorization
Len,

You've almost entirely done it!

What I would do is create a base class that all secure pages derive from. In the OnInit method, perform a database call that passes in the user's ID and the page filename (using this.Request.Url.LocalPath or something), then do a select where the user ID is the ID you passed AND the respective URL in the row matches the filename you passed in.

Do an ExecuteScalar; if you get DBNull.Value then the page access is a no-no (redirect away), otherwise let 'em in.

Does that kinda solve your problem?

Let me know if I have misunderstood at all.

MattC
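The base-class approach Matt describes, worked through as an added example in C# (editorial example code, not code from the thread or from either poster's application). It assumes a connection string named AppDb in web.config, a stored procedure dbo.UserCanAccessUrl(@UserId, @Url) that returns 1 when the user/group/role cross-reference tables grant access to @Url, and that the forms-authentication ticket's Name field holds the numeric user id; all three names are hypothetical. The check passes the request path as a parameter and treats a missing row, a NULL and a malformed identity the same way: deny.

```csharp
// SecurePage.cs: base class for every page that must be authorized against the
// user/URL tables. Added example; names marked below are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class SecurePage : Page
{
    // Canonical form of the requested page, so the URL table holds one row per page.
    // AppRelativeCurrentExecutionFilePath is "~/folder/page.aspx" regardless of the
    // virtual directory the application is deployed under. IIS paths are case-insensitive,
    // so the comparison is lower-cased: otherwise "/App/Default.aspx" would miss the row
    // for "/app/default.aspx" and the check could be dodged by changing case.
    public static string CanonicalPath(HttpRequest request)
    {
        return request.AppRelativeCurrentExecutionFilePath.ToLowerInvariant();
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        if (!Request.IsAuthenticated)
        {
            // <authorization><deny users="?"/></authorization> in web.config should already
            // have refused this; repeat it here so the page is safe if that section is wrong.
            // RedirectToLoginPage does not end the response, so end it explicitly.
            FormsAuthentication.RedirectToLoginPage();
            Response.End();
        }

        int userId;
        if (!int.TryParse(User.Identity.Name, out userId) ||
            !UserCanAccess(userId, CanonicalPath(Request)))
        {
            // Deny by default and do not say why.
            Response.Redirect("~/AccessDenied.aspx", true);
        }
    }

    // True only when the stored procedure returns 1 for this user and path.
    public static bool UserCanAccess(int userId, string canonicalPath)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; // assumed name
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("dbo.UserCanAccessUrl", conn))          // assumed proc
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Parameters, never string concatenation: the path is client-controlled input.
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
            cmd.Parameters.Add("@Url", SqlDbType.NVarChar, 260).Value = canonicalPath;
            conn.Open();
            object result = cmd.ExecuteScalar();

            // ExecuteScalar returns null when the query produced no rows at all and
            // DBNull.Value when the first column of the first row is NULL. Both mean "no".
            if (result == null || result == DBNull.Value)
                return false;
            return Convert.ToInt32(result) == 1;
        }
    }
}
```

Two things to keep in mind when wiring this up. The login page and AccessDenied.aspx must not derive from SecurePage, or a refused user is redirected in a loop. And the check is per page, not per record: a page such as Customer.aspx?id=42 still needs its own check that the caller may see customer 42, because the URL table only says the caller may open Customer.aspx. Keep the web.config <deny users="?"/> entry as well, so anonymous requests for anything ASP.NET handles are refused before any page code runs.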
-
Leonard Rutkowski #3
Re: URL Authorization
Hi Matt,

That was what I kind of had in mind. However, I wasn't sure if I should use the forms identity and load roles into it. Doing that has its own set of problems. I just wanted to see if there were any other ideas that I may not have considered. I am going to create a stored proc that will return true or false to see if the user has access to a page, and, like you said, put it on the page. There is some additional user data that I retrieve from the database that will be used in the various applications. Should I create a generic principal and use the UserData area, or store it in session variables? This data will go across applications. I am not that familiar with any of this stuff, as I haven't been doing it long.

Thanks,
Leonard
-
MattC #4
Re: URL Authorization
Well, I store my user in the session because of other information I need.

However, across applications, you say; do you mean different web apps? That will be more difficult. Can you elaborate?
-
Leonard Rutkowski #5
Re: URL Authorization
Hi Matt,

My session variables don't carry over to my application. I log in using /login/login.aspx, for example. I set my session variable, then redirect to /myapplication/default.aspx. When I check the session variable in /myapplication/default.aspx, it is empty.
Sub btnLogin_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnLogin.Click
    Dim AppLogin As New AppSecurity
    If AppLogin.Logon(txtClientNo.Text, _
                      txtUsername.Text, txtEmailAddr.Text, txtPassword.Text) Then
        ' Issue the forms-authentication ticket for the user who just logged in
        ' (the ticket name was a hard-coded placeholder; it must be the real user).
        Dim authTicket As New FormsAuthenticationTicket(1, txtUsername.Text, _
            DateTime.Now, DateTime.Now.AddMinutes(60), False, "test")
        Dim encryptedTicket As String = FormsAuthentication.Encrypt(authTicket)
        Dim authCookie As New HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
        Context.Response.Cookies.Set(authCookie)
        ' Session state is per IIS application: this value is not visible in
        ' /CustomerService when that is a separate application.
        Session("UserId") = "Test"
        Response.Redirect("/CustomerService/default.aspx")
        'Response.Redirect(FormsAuthentication.GetRedirectUrl(authTicket.Name, False))
    Else
        lblErrorMsg.Text = "Login is invalid"
    End If
End Sub
Thanks, Leonard
-
MattC #6
Re: URL Authorization
Are /login and /myapplication set up as different web apps in IIS? If so, then no, you won't be able to carry it across, as the session object is fixed per client session per app domain.

MattC
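Matt's point that Session is scoped to one IIS application is the reason to carry the identity in the forms-authentication cookie instead, which is also the answer to Leonard's earlier question about a GenericPrincipal versus session variables. Below is an added example (editorial code, not from the thread) of issuing the ticket at login with the user id as its Name and the role list in its UserData field, and of rebuilding a GenericPrincipal from that ticket in the Global.asax of every application that should honour it. It assumes that each application's web.config carries the same <machineKey validationKey="..." decryptionKey="..."/> pair and the same <forms name="..."/> cookie name, and that role names contain no "|" character; the IssueTicket signature and the role separator are my choices, not part of ASP.NET.

```csharp
// Global.asax.cs (added example). Every participating application needs matching
//   <machineKey validationKey="..." decryptionKey="..." validation="SHA1" decryption="AES"/>
//   <authentication mode="Forms"><forms name="SharedAuth" loginUrl="/login/login.aspx"/></authentication>
// so that a ticket encrypted by /login validates in /myapplication.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    private const char RoleSeparator = '|';   // assumption: never part of a role name

    // Called by the login page once the credentials have been verified. userId and
    // roles come from the database; this signature is hypothetical.
    public static void IssueTicket(HttpResponse response, int userId, string[] roles, bool persistent)
    {
        // UserData travels on every request: keep it to the role list.
        string userData = string.Join(RoleSeparator.ToString(), roles);
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                                     // ticket version
            userId.ToString(),                     // Name: the stable id the URL tables key on
            DateTime.Now,
            DateTime.Now.AddMinutes(30),           // short: roles in the cookie are a snapshot
            persistent,
            userData,
            FormsAuthentication.FormsCookiePath);  // "/" by default, so every app receives it

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                           // not readable from script
        cookie.Secure = FormsAuthentication.RequireSSL;   // honours <forms requireSSL="true"/>
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (persistent)
            cookie.Expires = ticket.Expiration;           // otherwise a browser-session cookie
        response.Cookies.Add(cookie);
    }

    // FormsAuthenticationModule runs first: it decrypts the cookie, checks its MAC and
    // expiry, and sets Context.User to a principal with a FormsIdentity and no roles.
    // Replace that principal with one carrying the roles from UserData, so Page.User
    // and User.IsInRole work in every application without any Session state.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity identity = Context.User == null
            ? null
            : Context.User.Identity as FormsIdentity;
        if (identity == null)
            return;   // anonymous request, or the cookie failed validation

        Context.User = new GenericPrincipal(identity, RolesFromTicket(identity.Ticket));
    }

    // Split the role list back out of the ticket; an empty UserData means no roles.
    public static string[] RolesFromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || string.IsNullOrEmpty(ticket.UserData))
            return new string[0];
        return ticket.UserData.Split(RoleSeparator);
    }
}
```

Because the roles are copied into the cookie at login, a role removed in the database stays in effect until the ticket expires; that is why the lifetime above is short, and why the per-page URL check should still consult the database (or a short-lived cache) for anything that must be revocable at once. Other per-user data that is not an authorization decision is better looked up from the id on demand than packed into the cookie, which is sent with every request.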
-
Alex I #7
RE: URL Authorization
'Best solution':

From a stored procedure, return XML with all URLs that the user can access. In your ASP.NET page, retrieve the result with ExecuteXML. Write XSLT to transform the URLs to menu-item HTML. Assign this menu HTML to the Text property of an asp:Label.

You can also store the retrieved XML in a session variable and check against it, so as not to query the database.

Alex I
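Alex I's approach, worked through as an added example (editorial code, not from the thread): the stored procedure returns the permitted URLs as XML, the application reads it with SqlCommand.ExecuteXmlReader (the method Alex refers to as ExecuteXML), keeps the parsed list in Session for a bounded time, and builds both the menu and the per-request check from that one list. The procedure name dbo.GetUserUrls, the XML shape, the connection-string handling and the five-minute lifetime are assumptions; the menu is built directly instead of through XSLT, which changes nothing about the security properties.

```csharp
// AllowedUrls.cs (added example). Assumes a stored procedure dbo.GetUserUrls(@UserId)
// whose result is produced with FOR XML RAW('url'), ROOT('urls') and looks like
//   <urls><url path="~/customerservice/default.aspx" title="Home"/> ... </urls>
// Paths are stored app-relative ("~/...") and compared case-insensitively.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;
using System.Xml;

[Serializable]   // required if session state is StateServer or SQL Server rather than InProc
public class AllowedUrls
{
    private const string SessionKey = "AllowedUrls";
    private static readonly TimeSpan Ttl = TimeSpan.FromMinutes(5);   // revocation window

    // lower-cased app-relative path -> menu title
    public readonly Dictionary<string, string> Entries = new Dictionary<string, string>();
    public readonly DateTime LoadedAt;

    private AllowedUrls(XmlReader reader)
    {
        LoadedAt = DateTime.UtcNow;
        while (reader.Read())
        {
            if (reader.NodeType == XmlNodeType.Element && reader.LocalName == "url")
            {
                string path = reader.GetAttribute("path");
                string title = reader.GetAttribute("title");
                if (!string.IsNullOrEmpty(path))
                    Entries[path.ToLowerInvariant()] = title ?? path;
            }
        }
    }

    // Parse from any XmlReader: the one ExecuteXmlReader returns, or one over a string.
    public static AllowedUrls Parse(XmlReader reader) { return new AllowedUrls(reader); }

    // One round-trip to the database for the whole list.
    public static AllowedUrls Load(string connectionString, int userId)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserUrls", conn))   // assumed proc
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
            conn.Open();
            using (XmlReader reader = cmd.ExecuteXmlReader())
                return Parse(reader);
        }
    }

    // The cached list for this session, reloaded when missing or older than Ttl.
    public static AllowedUrls ForCurrentUser(HttpContext ctx, string connectionString, int userId)
    {
        AllowedUrls cached = ctx.Session[SessionKey] as AllowedUrls;
        if (cached == null || DateTime.UtcNow - cached.LoadedAt > Ttl)
        {
            cached = Load(connectionString, userId);
            ctx.Session[SessionKey] = cached;
        }
        return cached;
    }

    // The authorization decision: is this page on the user's list?
    public bool Allows(string appRelativePath)
    {
        return Entries.ContainsKey(appRelativePath.ToLowerInvariant());
    }

    // Call from a base page's OnInit; redirect away when it returns false.
    public static bool CurrentRequestAllowed(HttpContext ctx, string connectionString, int userId)
    {
        return ForCurrentUser(ctx, connectionString, userId)
            .Allows(ctx.Request.AppRelativeCurrentExecutionFilePath);
    }

    // The menu comes from the same list the check uses, so the two cannot drift apart.
    // Titles and paths are HTML-encoded: they are database content, not trusted markup.
    public string ToMenuHtml(HttpServerUtility server)
    {
        StringBuilder sb = new StringBuilder("<ul>");
        foreach (KeyValuePair<string, string> e in Entries)
        {
            sb.Append("<li><a href=\"")
              .Append(server.HtmlEncode(VirtualPathUtility.ToAbsolute(e.Key)))
              .Append("\">")
              .Append(server.HtmlEncode(e.Value))
              .Append("</a></li>");
        }
        return sb.Append("</ul>").ToString();
    }
}
```

The menu only decides what the user sees; CurrentRequestAllowed is what decides what the user gets, and it has to run on every page, including ones reached by typing the URL. Ttl is the revocation window: a URL removed from the user in the database stays reachable for up to five minutes, so shorten it, or clear the session entry when permissions change, if that matters for your data.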