Solved

Can an asp.net page use more than one codebehind page?

Posted on 2004-09-10
Last Modified: 2008-03-10
Here's the issue.

I'm about to build an intranet which uses the username variable as a lookup in an Oracle table.  It uses the username to see what access he/she has.  My existing intranet does this by inserting the following code at the top of every page that needs these access checks:

<% v_APPNAME = "BILLING"  %>
<!--#include virtual="/shared/CHECK_ACCESS.asp" -->

The CHECK_ACCESS.asp uses the v_APPNAME value and the username which is stored in a session variable to query the table.  If a record is returned, then the person has access... if not they are redirected to a friendly access denied.

Every page that needs to have the access checked has the v_APPNAME = "????" line and the CHECK_ACCESS.asp include line at the very top.

How would I emulate this in ASP.NET?  My old asp brain is telling me to build this asp.net codebehind and attach it as I already do.  But I can't find anything written that suggests it's an option to have multiple codebehinds.

I really don't want to add code to each codebehind that belongs to other pages...  

What do you think?  Keith
0
Question by:westbergk
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12031803
Visual Studio 2005 introduces "partial classes", which allow you to separate chunks of the code-behind into another file, but a page can only have one code-behind.

That said, you can still implement solution-wide role-based authentication. To implement the functionality yourself from scratch, you can create a subclassed "Page" class which contains the identity check (based on a Session variable or something), which is tied to the page permission however you want (perhaps through a protected roles array that the base class checks or something).

You can also use an HttpModule.

What you REALLY want to look into, however, is ASP.NET's built-in Forms Authentication. It handles all of this for you (redirects to login page, role-based security based on whatever you define, i.e. you can use Oracle DB, etc.).
0
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12031812
Here's a good overview of Forms Authentication:

http://www.15seconds.com/issue/020220.htm

Basically what you do is define the login page, and the roles for each directory based on entries in various web.config files in each directory. If you have specific questions about it, please let me know.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12031864
In short, you can inherit another class, but only one codebehind is allowed in v1.1.

Regards,

Aeros
0

 
LVL 10

Expert Comment

by:jnhorst
ID: 12032226
In ASP.NET, you can access the username like this:

string userid = User.Identity.Name;

Let's say you are using Windows authentication in a Windows network where users auth to a domain or Active Directory.  This will return the full DOMAIN\USERNAME value.  So if your user names in the database are just the user's logon account name, you'll have to parse it out:

string userid = User.Identity.Name;
// The backslash must be escaped inside a C# string literal.
idx = userid.IndexOf("\\");
// Start one character past the backslash so only USERNAME remains.
userid = userid.Substring(idx + 1);

Query the database with this and your "Billing" literal to see if they have access.

John

0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12032230
Correction:

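string userid = User.Identity.Name;
// Escape the backslash; IndexOf returns -1 when no domain prefix is present.
int idx = userid.IndexOf("\\");
// idx + 1 skips the backslash, and yields the whole name when idx is -1.
userid = userid.Substring(idx + 1);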

John
0
 
LVL 1

Author Comment

by:westbergk
ID: 12033340
Thanks folks for the quick response...

boulder_bum:
I read the article you posted, and I think I understand the direction/purpose.  What I don't see is how I could implement this in a (non-physical) login page fashion.  My environment is completely Intranet where I should know everyone coming in.  They have already logged into the workstation on our intranet.  Keeping their names posted on a web.config is definitely not an option.

Most of the tools they will be using need to know if they have the access to make changes... and some will need to know if they have access at all.  I don't see how I could accomplish this using the non-physical login page method.  Again, I already know the username... I just need to run a query and check for their existence, and if yes... then check their level, i.e. 1, 2 or 3.

jnhorst:
I think you helped me earlier (Q_21103085.html) when I was looking to authenticate users coming in... thank you by the way.  So I understand the concept of getting the username.   But now that I have the username, how could I use it in a way that boulder_bum is suggesting?

Again, most applications will allow the user to open the application.  But when they attempt to make changes, I want to check their access and either send them away, or process their request.  At the same time, I would like to keep it modular like the way I had it, so that when I build another app, all I need to do is drop a variable or something into the new codebehind... or something like that.

So I guess from what you both have said, I'm looking for:

1) A way to capture who you are = (jnhorst solution works)
2) A way to run this username against a db, to acquire their access. (Still open)
3) How to keep this somewhat modular like my existing asp method. (Still open)



0
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12033613
"They have already logged into the workstation on our intranet.  Keeping their names posted on a web.config is definitely not an option."

Luckily, web.config is not for names alone, you can also store roles. Nevertheless, if you want to restrict SECTIONS of a page, you'll need a little extra code. If using Forms Authentication where you already know a user's info, you can have the "login page" automatically look at this info and authenticate the user with no interaction required. You can also store the user's role information in a "FormsAuthenticationTicket" for later reference (using Windows Principals and IsInRole() ). If you must use the database, this is definitely the way to go.

This will give a broad overview of your options.
http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnnetsec/html/SecNetch03.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/authaspdotnet.asp

That said, you may also use role-based authentication using Windows Authentication. Instead of DB security, you'd do things according to network roles and Impersonation.

"How to keep this somewhat modular like my existing asp method. "

In ASP.NET, the focus has shifted from encapsulation in SSIs to encapsulation through class files and Server/User Controls. For instance, instead of relying on an SSI for a header file, you'd use a User Control which you can drag-and-drop onto the page. This control model is not only easy to use and design, but also allows for things like an event model to program against.

For authentication, this: <!--#include virtual="/shared/CHECK_ACCESS.asp" --> can be replaced by a common class file which all of the code-behinds check, but I suspect your needs will be met with the built-in authentication framework.
0
 
LVL 1

Author Comment

by:westbergk
ID: 12044522
boulder_bum...

Could you possibly provide an example view of a user control that takes network username and queries for their access?  Then once the control has the values, either redirects or allows access.  I don't expect you to write the application, but give a vague overview of how the logic works.  My environment/needs look like this:

1. I can build "local groups" on the server, but there will be many many applications that will need their own access control, and with each app there probably should be at least 3 levels... read, write & admin full.  I'm not sure if I want 60 local groups to manage.

2. User control looks to be a good direction.  I can spit one out in short order, but what I am not very versed in is building classes.  An example of how a class would look for this instance would be a real help.

Keith...
0
 
LVL 1

Author Comment

by:westbergk
ID: 12048089
This .Net stuff is really kicking my butt...

In asp I could pass a username and any other variable to an include in my sleep.  But how in the world do I pass the request.servervariable(REMOTE_USER) and a string variable ("TEST_STRING") to a user_control?

I feel like an idiot with these simple tasks, but I don't believe .Net makes it any easier.

If I need to make this another question... please let me know.
0
 
LVL 17

Expert Comment

by:AerosSaga
ID: 12244290
I suggest a split on this question between all.

Aeros
0
 
LVL 8

Accepted Solution

by:
boulder_bum earned 1500 total points
ID: 12245177
Oops. I didn't get a chance to follow up on this one. Did you figure everything out westbergk? The user control should be able to reference session variables via Session["var"] or Context.Session["var"] and you can set the "permissions" for the control based on the session variable in the OnLoad event handler of the control.

For FormsAuthenticationTicket and IsInRole info, see here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/f_and_m/html/vxconRoleBasedSecurity.asp

From the doc:

// make ticket (UserId and userRoles come from your own login logic)
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
    1,                              // version
    UserId,                         // user name
    DateTime.Now,                   // issue time
    DateTime.Now.AddMinutes(30),    // expires
    false,                          // persistent
    userRoles.ToString()            // user data
);
// Get the encrypted representation suitable for placing in a HTTP cookie.
string formsCookieStr = FormsAuthentication.Encrypt(ticket);
HttpCookie FormsCookie = new HttpCookie(FormsAuthentication.FormsCookieName, formsCookieStr);
// currentContext is the current request's HttpContext (e.g. HttpContext.Current).
currentContext.Response.Cookies.Add(FormsCookie);



You assign the ticket when the user gets authenticated, and you can check roles to determine privileges by calling IsInRole() to see if they are, for example, in the AccountingManager role or something.
0
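The ticket above only carries the roles; for IsInRole() to see them, each request has to turn the ticket's user data back into a principal. A sketch of that step, added here as an example and not part of the original answer or the linked doc; it assumes the roles were written to the user data as a comma-separated string.

```csharp
using System;
using System.Collections;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example: code-behind for Global.asax.
public class Global : HttpApplication
{
    // Fires after FormsAuthenticationModule has decrypted and validated the cookie.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (Context.User == null) return;                 // anonymous request
        FormsIdentity identity = Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;

        // Assumption: roles were stored as "role1,role2,..." in the ticket's user data.
        ArrayList roles = new ArrayList();
        foreach (string part in identity.Ticket.UserData.Split(','))
        {
            string role = part.Trim();
            if (role.Length > 0) roles.Add(role);         // skip empty entries
        }

        // Replace the principal so User.IsInRole() answers from the ticket's roles.
        Context.User = new GenericPrincipal(
            identity, (string[])roles.ToArray(typeof(string)));
    }
}
```

Roles read this way are a snapshot taken at login: a change to the user's access in the database is not seen until the ticket expires (30 minutes in the snippet above).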
 
LVL 8

Expert Comment

by:boulder_bum
ID: 12245180
PS- I'm with Aeros.
0
 
LVL 10

Expert Comment

by:jnhorst
ID: 12245224
Wahhhhhh, I want the points....

Oh, I'm supposed to be a grown up... rats.

I'm with Aeros too.

John
0
 
LVL 1

Author Comment

by:westbergk
ID: 12271464
I apologize for not responding sooner.

I thank all of you for adding your thoughts.  Of all contributors, boulder_bum got me close to a solution that my environment could use.  The current method is using a combination of checks.

UserControl = Access.vb.ascx: (public [ApplicationID])

A page makes a call to this control and passes it an application ID that is listed in an application table in oracle.  The (APPLICATIONS) schema looks like: (ID, APP_ID, APP_NAME, APP_OWNER).  There is another table called (APPLICATION_ACCESS) which contains (ID, USER_ID, APP_ID, ACCESS_CD).  The control checks to see if the current user's id is listed, and if so what level.  If at any time the user does not meet a required check, he/she gets redirected.  The control sets a session variable explaining the purpose of the redirect, and the error page is populated with the session variable.

For pages that require higher access... admin type, I'm using the IsInRole method and placing these folks in a local group.

Thank you again for all your help.  Keith
0
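One way to get the modular check asked for at the top of the thread, combining the subclassed Page suggestion with the APPLICATION_ACCESS lookup described in the final post. This is an added example, not code from any poster; the class name, the OpenConnection hook, the AccessDenied.aspx page, the session key, and the reading of ACCESS_CD as a numeric level (1 to 3) with USER_ID holding the bare logon name are assumptions.

```csharp
using System;
using System.Data;
using System.Web.UI;

// Added example. Pages inherit from this class instead of System.Web.UI.Page.
public abstract class AccessCheckedPage : Page
{
    // Each page names its application (APP_ID) and the minimum level it needs.
    protected abstract string ApplicationId { get; }
    protected virtual int RequiredLevel { get { return 1; } }

    // Hypothetical hook: returns an open connection to the Oracle schema.
    protected abstract IDbConnection OpenConnection();

    protected override void OnInit(EventArgs e)
    {
        // Run the check before any page code; an exception here leaves the page unrendered.
        string name = User.Identity.Name;
        string user = name.Substring(name.LastIndexOf('\\') + 1); // drop DOMAIN\
        if (!User.Identity.IsAuthenticated || GetAccessLevel(user) < RequiredLevel)
        {
            Session["AccessDeniedReason"] = "No access to " + ApplicationId;
            Response.Redirect(ResolveUrl("~/AccessDenied.aspx"), true);
        }
        base.OnInit(e);
    }

    // Returns the user's level for this application, or 0 when no row exists.
    private int GetAccessLevel(string user)
    {
        using (IDbConnection conn = OpenConnection())
        using (IDbCommand cmd = conn.CreateCommand())
        {
            // Bind variables keep the user name out of the SQL text.
            // Parameters are added in the order they appear, for providers that bind by position.
            cmd.CommandText = "SELECT MAX(ACCESS_CD) FROM APPLICATION_ACCESS " +
                              "WHERE USER_ID = :user_id AND APP_ID = :app_id";
            AddParameter(cmd, "user_id", user);
            AddParameter(cmd, "app_id", ApplicationId);
            object level = cmd.ExecuteScalar();
            return (level == null || level == DBNull.Value) ? 0 : Convert.ToInt32(level);
        }
    }

    private static void AddParameter(IDbCommand cmd, string name, object value)
    {
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value;
        cmd.Parameters.Add(p);
    }
}
```

A page that edits billing data would inherit from AccessCheckedPage, return "BILLING" from ApplicationId and override RequiredLevel with the level it needs, which takes the place of the v_APPNAME line and the include in the old ASP pages.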


Question has a verified solution.
