c# - ASP.net Authorization issue
I have an application that uses Active Directory to authenticate users who log in to the website.
I have a table in the database of user types.
Based on the user type, users can see different views.
Ex: a normal user can see 3 views (about - contact - view data); a manager user can see 5 views (about - contact - view data - delete data - update data).
However, the views work fine but I have a problem when, for example, a normal user changes the URL manually to updatedata.aspx and sees the page of the manager user. How can I prevent users from accessing other pages?
Please note I have stateview code in site.master.
We use the same authentication/authorization setup in several of our web apps, using Windows authentication and a custom SQL table for authorization.
You have a few options; I recommend option 1 or 2.
1. Since you have a custom table that stores user roles/types, write a custom RoleProvider (http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx), and add web.config authorization rules to restrict access to pages based on user roles. This is what we have done in our application.
2. Use Windows Active Directory groups in place of the UserType table, and you can add web.config authorization rules to allow the AD groups you want. You need to use the Windows role provider (which I believe is the default with Windows authentication, so you may not have to change anything there).
3. Add code in the Page_Load method of your pages to look up whether the user has access based on the UserType table, and throw an UnauthorizedAccessException if the user does not have access. If you have a few pages in the app and don't have a lot of concurrent users, this is a "quick" solution, but it isn't the cleanest option.
To add web.config authorization rules, use the following syntax, and add <location> sections under the root <configuration> element. The path can be a folder name or a page name. ASP.NET will auto-magically enforce these rules for you.

    <location path="adminfolder">
      <system.web>
        <authorization>
          <allow roles="admin"/>   <!-- allows users in the admin role -->
          <deny users="*,?"/>      <!-- deny everyone else -->
        </authorization>
      </system.web>
    </location>
With the given RoleProvider, you can use User.IsInRole("yourrolename") anywhere in your code if you need to check whether the user belongs to a given role.
Here is a shell class layout including the methods that need to be implemented for the custom RoleProvider in option 1. Note: if you have your own UI for managing role memberships, you don't have to implement the CreateRole and DeleteRole methods. I have Throw New NotImplementedException() in both implementations and it works fine. You need to implement the other methods.

    Imports System.Web.Security

    Public Class MyCustomRoleProvider
        Inherits RoleProvider

        Public Overrides Sub AddUsersToRoles(usernames() As String, roleNames() As String)
        End Sub

        Public Overrides Property ApplicationName As String
            Get
            End Get
            Set(value As String)
            End Set
        End Property

        Public Overrides Sub CreateRole(roleName As String)
        End Sub

        Public Overrides Function DeleteRole(roleName As String, throwOnPopulatedRole As Boolean) As Boolean
        End Function

        Public Overrides Function FindUsersInRole(roleName As String, usernameToMatch As String) As String()
        End Function

        Public Overrides Function GetAllRoles() As String()
        End Function

        Public Overrides Function GetRolesForUser(username As String) As String()
        End Function

        Public Overrides Function GetUsersInRole(roleName As String) As String()
        End Function

        Public Overrides Function IsUserInRole(username As String, roleName As String) As Boolean
        End Function

        Public Overrides Sub RemoveUsersFromRoles(usernames() As String, roleNames() As String)
        End Sub

        Public Overrides Function RoleExists(roleName As String) As Boolean
        End Function

    End Class
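Since the question is tagged C#, here is a filled-in version of option 1 as an added example; it is not the answerer's code. It assumes a hypothetical table named UserTypes with columns UserName and UserType (the user-type table the question describes), a connection string named AppDb, and the namespace MyApp.Security; all three are placeholders to adapt. The provider only reads the table (role management stays in the existing UI, as the answer allows), and every query is parameterized so the user name and role name never reach the SQL text as literals.

```csharp
// Added example: C# RoleProvider backed by an assumed UserTypes(UserName, UserType) table.
// Register it in web.config under <system.web> (names below are placeholders):
//   <roleManager enabled="true" defaultProvider="UserTypeRoleProvider">
//     <providers>
//       <clear/>
//       <add name="UserTypeRoleProvider" type="MyApp.Security.UserTypeRoleProvider"
//            connectionStringName="AppDb"/>
//     </providers>
//   </roleManager>
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

namespace MyApp.Security
{
    public class UserTypeRoleProvider : RoleProvider
    {
        private string _connectionString;

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            if (string.IsNullOrEmpty(name)) name = "UserTypeRoleProvider";
            base.Initialize(name, config);

            // Resolve the connection string named in the provider's web.config entry.
            string csName = config["connectionStringName"];
            var cs = ConfigurationManager.ConnectionStrings[csName];
            if (cs == null)
                throw new ProviderException("connectionStringName '" + csName + "' was not found.");
            _connectionString = cs.ConnectionString;
        }

        // Runs a single-column SELECT and returns the column values as strings.
        private string[] QueryColumn(string sql, params SqlParameter[] parameters)
        {
            var values = new List<string>();
            using (var conn = new SqlConnection(_connectionString))
            using (var cmd = new SqlCommand(sql, conn))
            {
                cmd.Parameters.AddRange(parameters);
                conn.Open();
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read()) values.Add(reader.GetString(0));
                }
            }
            return values.ToArray();
        }

        // The framework calls this for <allow roles="..."/> checks and User.IsInRole,
        // so it runs on every request to a protected page: keep it cheap and parameterized.
        public override string[] GetRolesForUser(string username)
        {
            return QueryColumn("SELECT UserType FROM UserTypes WHERE UserName = @user",
                               new SqlParameter("@user", username));
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            // Case-insensitive, matching how ASP.NET compares role names in web.config rules.
            return GetRolesForUser(username)
                .Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
        }

        public override string[] GetAllRoles()
        {
            return QueryColumn("SELECT DISTINCT UserType FROM UserTypes");
        }

        public override bool RoleExists(string roleName)
        {
            return GetAllRoles()
                .Any(r => string.Equals(r, roleName, StringComparison.OrdinalIgnoreCase));
        }

        public override string[] GetUsersInRole(string roleName)
        {
            return FindUsersInRole(roleName, "%");
        }

        public override string[] FindUsersInRole(string roleName, string usernameToMatch)
        {
            return QueryColumn(
                "SELECT UserName FROM UserTypes WHERE UserType = @role AND UserName LIKE @pattern",
                new SqlParameter("@role", roleName),
                new SqlParameter("@pattern", usernameToMatch));
        }

        // Membership is edited through the application's own UI, so these stay unimplemented.
        public override void CreateRole(string roleName) { throw new NotImplementedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotImplementedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotImplementedException(); }
    }
}
```

With this provider registered and a <location> rule such as the one above for updatedata.aspx (or the folder that holds the manager pages), the check happens in the ASP.NET pipeline before the page runs, so typing the URL by hand no longer bypasses the view-level hiding in site.master. If the per-request lookup becomes a load problem, roleManager's cacheRolesInCookie setting can keep the roles in an encrypted cookie instead of hitting the table on every request.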