
I have an application that uses Active Directory to authenticate users to log in to my website.

I also have a table in my database with user Types.

Based on the User Type, my users can see different VIEWS.

Ex: NormalUser can see 3 views (About - Contact - View Data); ManagerUser can see 5 views (About - Contact - View Data - Delete Data - Update Data).

However, the view works fine, but I have a problem when, for example, a NormalUser manually changes the URL to UpdateData.aspx: then he will see the page of a ManagerUser. How can I prevent users from accessing other pages?

Please note that I have my StateView code in Site.Master

landsteven
fazlook1

2 Answers


We use this same authentication/authorization setup in several of our web apps, using Windows Authentication, and a custom SQL table for authorization.

You have a few options: I would recommend option 1 or 2.

  1. Since you have a custom table that stores your user roles/types, you could write a custom RoleProvider (http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx) and add web.config authorization rules to restrict access to pages based on the user roles. This is what we have done in our application.

  2. Use Windows Active Directory groups in place of your userType table, and then you can add web.config authorization rules to allow the AD groups you want. You will need to use the Windows Role Provider (which I believe is the default for Windows authentication, so may not have to change anything there).

  3. Add code in the Page_Load method of your pages to look up whether the user has access based on your UserType table, and throw an UnauthorizedAccessException if the user does not have access. If you only have a few pages in your app and don't have a lot of concurrent users, then this is the "quick" solution, but it isn't the cleanest option.

To add the web.config authorization rules, use this syntax, and add <location> sections under the root of the <configuration> element, where path can be a folder name or page name. ASP.NET will auto-magically enforce these rules for you.

<location path="AdminFolder">
  <system.web>
    <authorization>
      <allow roles="Admin"/>   <!-- allows users in the Admin role -->
      <deny users="*,?"/>      <!-- denies everyone else, including anonymous users -->
    </authorization>
  </system.web>
</location>

Using a given RoleProvider, you can also call User.IsInRole("YourRoleName") from anywhere in code if you need to check whether a user belongs to a given role.

Here is the shell for the class layout, including the methods that need to be implemented for the custom RoleProvider in option 1. NOTE: if you have your own UI for managing role memberships, then you don't have to fully implement the CreateRole and DeleteRole methods. I just have Throw New NotImplementedException() for both as the implementation and it works fine. You do need to implement the other methods.

' RoleProvider lives in System.Web.Security (reference the System.Web assembly)
Imports System.Web.Security

Public Class MyCustomRoleProvider
    Inherits RoleProvider


    Public Overrides Sub AddUsersToRoles(usernames() As String, roleNames() As String)

    End Sub

    Public Overrides Property ApplicationName As String
        Get

        End Get
        Set(value As String)

        End Set
    End Property

    ' May simply Throw New NotImplementedException() if memberships are managed outside the app
    Public Overrides Sub CreateRole(roleName As String)

    End Sub

    ' Likewise optional when memberships are maintained in your own UI
    Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean

    End Function

    Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()

    End Function

    Public Overrides Function GetAllRoles() As String()

    End Function

    ' Query your UserType table for this username and return its role names / user types
    Public Overrides Function GetRolesForUser(username As String) As String()

    End Function

    Public Overrides Function GetUsersInRole(roleName As String) As String()

    End Function

    Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean

    End Function

    Public Overrides Sub RemoveUsersFromRoles(usernames() As String, roleNames() As String)

    End Sub

    Public Overrides Function RoleExists(roleName As String) As Boolean

    End Function
End Class
BateTech
  • Option 2 is not available for me. Our AD roles are not up to date. – fazlook1 Jan 31 '14 at 18:15
  • Option 3 seems to be the best solution for me as this is an intranet web app. But I would love to work on Option 1. I still don't understand how to create a custom provider. Is this only done in web.config? – fazlook1 Jan 31 '14 at 18:16
  • For option 1, you would create a new class, called something like MyCompanyRoleProvider, that inherits the .NET RoleProvider base class. Then there are several methods that you would need to implement in that class (FindUsersInRole, IsUserInRole, GetRolesForUser, etc.) that would return role information. Then you update the web.config RoleManager section to add your custom RoleProvider, and add any web.config authorization rules. I was a little intimidated when first looking into it, but it is not as tough as it sounds once you understand how the RoleProviders work and are set up in .NET. – BateTech Jan 31 '14 at 18:27
  • I will work on that this afternoon and get back to you :). BTW, do you have a layout of that class? I will implement the methods myself. That should be easy. – fazlook1 Jan 31 '14 at 18:31
  • I updated the answer to include a shell of a custom RoleProvider class – BateTech Jan 31 '14 at 18:37
  • I think I just need: public override string[] GetRolesForUser(string username) { throw new NotImplementedException(); } – fazlook1 Jan 31 '14 at 18:47
  • Sorry for the format, forgot this was a C# tag and not VB.Net. For the GetRolesForUser method, you will need to create a SQL query that queries your UserType table for the given username and returns a string array of the role names / user types for that user. – BateTech Jan 31 '14 at 18:49
  • My user table has only 2 columns, username and roleType. So my query will return only 1 type for the username. OK, I will do that. Easy to do, but then do I need to use any other methods, or is that enough? What's the Location Path? What's that? – fazlook1 Jan 31 '14 at 18:56
  • Not supposed to use the comments section to chat, so check out these links, which include sample code and the web.config location path info: http://msdn.microsoft.com/en-us/library/tksy7hd7.aspx , http://msdn.microsoft.com/en-us/library/317sza4k.aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1 , http://weblogs.asp.net/gurusarkar/archive/2008/09/29/setting-authorization-rules-for-a-particular-page-or-folder-in-web-config.aspx – BateTech Jan 31 '14 at 19:10
  • Thank you, man, I appreciate your help. I am getting there slowly :) – fazlook1 Jan 31 '14 at 20:00
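As an added example (not BateTech's or the asker's code), here is the option 1 provider written in C#, as the comment thread asks for. It assumes the asker's two-column table UserType(username, roleType), a <connectionStrings> entry named MyDb, and the class, attribute and variable names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;   // needs a reference to the System.Configuration assembly
using System.Data.SqlClient;
using System.Web.Security;

// Reads roles from the asker's table, assumed here to be UserType(username, roleType), one row per user.
public class UserTypeRoleProvider : RoleProvider
{
    private string _connectionString;
    public override void Initialize(string name, NameValueCollection config)
    {
        base.Initialize(string.IsNullOrEmpty(name) ? "UserTypeRoleProvider" : name, config);
        // connectionStringName is an attribute we define on the <add> element under <roleManager>.
        string csName = config["connectionStringName"] ?? "MyDb";
        _connectionString = ConfigurationManager.ConnectionStrings[csName].ConnectionString;
    }

    public override string[] GetRolesForUser(string username)
    {
        // Windows auth supplies "DOMAIN\user"; the table is assumed to store the bare account name.
        if (username.Contains("\\")) username = username.Substring(username.IndexOf('\\') + 1);
        var roles = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("SELECT roleType FROM UserType WHERE username = @username", conn))
        {
            cmd.Parameters.AddWithValue("@username", username);   // parameterised, never concatenated
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return roles.ToArray();   // empty array: no <allow roles> rule matches, so the <deny> rule applies
    }
    public override bool IsUserInRole(string username, string roleName)
    {
        return Array.Exists(GetRolesForUser(username),
            r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
    }
    public override string ApplicationName { get; set; }
    // Memberships are edited directly in the table, so the write and enumeration members are unsupported.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
}
```

Register it under <system.web> as <roleManager enabled="true" defaultProvider="UserTypeRoleProvider"> with an <add> entry whose type names this class and whose connectionStringName attribute names your <connectionStrings> entry; the <location> authorization rules in the answer then consult this provider for every request, so a user who types UpdateData.aspx into the address bar is denied before the page runs.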

You have done authentication, but what you are asking for requires implementing authorization.

http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization

In case of Windows Authentication: http://www.codeproject.com/Articles/175028/ASP-NET-Windows-Authentication-Authorization-by-Gr

donstack